MoonWalk

July 12, 2024, 4:20 p.m.

Description

This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also leverages Google Drive as a command-and-control channel, blending in with legitimate network traffic. MoonWalk's modular design allows for easy capability updates and customization for different scenarios.

External References

https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2
https://otx.alienvault.com/pulse/669155cb92e6f0d3604f1ddb
Tags
backdoor
evasion
windows
moonwalk
nationstate
dodgebox
2024-07-12
googledrive

Date

  • Created: July 12, 2024, 4:11 p.m.
  • Published: July 12, 2024, 4:11 p.m.
  • Modified: July 12, 2024, 4:20 p.m.

Indicators

  • c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db
  • a8e6bd132daf0360b1af1f5eea15e42f8c6f1dcd7d34376ae4e83a1a4f5907c0
  • 33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49
Download all indicators here!

Attack Patterns

  • MoonWalk
  • DodgeBox
  • APT41
  • T1102.002
  • T1562.001
  • T1590
  • T1573
  • T1106
  • T1592
  • T1027