Crosswalk

Threat Actor updated 2 months ago (2024-11-29T13:44:10.604Z)
Crosswalk, a threat actor in the cybersecurity industry, has been identified as using FakeTLS in its traffic, which presents significant security concerns. Crosswalk is a modular backdoor implemented in shellcode, with the main payload being the Crosswalk backdoor itself. The malicious files associated with this threat are self-contained PL shellcode loaders, but the payload is specifically Crosswalk version 2.0. An investigation into the network infrastructure and monitoring of new Crosswalk samples led to the discovery of other malicious objects containing Crosswalk shellcode as their payload.

In a different sense of the word, AI has been used to produce a crosswalk between cybersecurity frameworks from two different countries in mere minutes, demonstrating its potential to significantly enhance work efficiency. This was done through the HIPAA/NIST CSF Crosswalk Guide and the AI RMF Crosswalk.

During the investigation, two Crosswalk C2 servers were found, 103.248.21[.]134 and 103.248.21[.]179, which presented an SSL certificate with the SHA-1 value b1d749a8883ac9860c45986e2ffe370feb3d9ab6. There is evidence of a connection between the Crosswalk and ShadowPad network infrastructures. Other tools discovered during the investigation include Crosswalk and Metasploit injectors, the juicy-potato utility, and samples of FunnySwitch and ShadowPad. Notably, Crosswalk and FunnySwitch shellcode is stored "as-is" in the data sections, while the samples carrying Metasploit add a layer of XOR encryption with the key "jj1". This highlights the complexity and sophistication of the Crosswalk threat actor's methods.
Description last updated: 2024-05-04T21:48:03.907Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance