MoonWalk

Description

(Zscaler) APT41, a China-based nation-state threat actor known for campaigns in Southeast Asia, has been observed using a new backdoor called MoonWalk. MoonWalk shares a common development toolkit with DUSTTRAP, reusing code that implements evasive techniques such as DLL hollowing, import resolution, DLL unhooking, and call stack spoofing. MoonWalk also employs further evasion tactics, including the use of Google Drive as its C2 channel to blend in with legitimate network traffic and the use of Windows Fibers to evade AV/EDR security solutions. MoonWalk’s modular design allows attackers to easily update its capabilities, modify its behavior, and customize functionality for different scenarios.

Names

  • MoonWalk
  • CurveLast
  • SneakCross

Category

Malware

Type

  • Backdoor

Information

Malpedia

Other Information

Uuid

fcd28a3d-27ab-4858-9982-f14c6bc77c8e

Last Card Change

2024-12-27