Grewapacha

Malware updated 23 days ago (2024-11-29T14:52:33.045Z)
GrewApacha is a Remote Access Trojan (RAT) that has been used by Advanced Persistent Threat group 31 (APT31), also known as EastWind, since 2021. As a RAT, it is built to infiltrate systems without being detected and to give the attacker remote control of the infected device. One indicator of GrewApacha is an unsigned file named 'msedgeupdate.dll' in the system's file structure. Notably, the loader for this RAT has remained unchanged since its initial discovery; only minor differences have been introduced to the RAT itself over time.

This malware is one component of a broader attack chain involving several malicious tools. Alongside GrewApacha, attackers have also been observed downloading the CloudSorcerer backdoor onto compromised systems, and this multi-pronged approach increases the potential for damage and exploitation. The malware set resembles the "sideloading triad" typically associated with PlugX attacks, another well-known piece of malware. Kaspersky has labeled the APT31 malware used in EastWind's campaign as "GrewApacha," which points to a connection between different China-nexus actors and suggests coordinated or related activity. Despite these similarities with other attacks, analysis of the files associated with GrewApacha confirms that it is a distinct RAT attributed to APT31, underscoring the ongoing threat posed by the group and the need for continued vigilance and robust defensive measures.
Description last updated: 2024-10-17T11:55:44.698Z
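The description above gives one concrete hunting lead: an unsigned 'msedgeupdate.dll'. The following PowerShell script, added here as an illustration and not taken from Kaspersky's reporting or from any Cybergeist source, walks common program and user directories for files with that name, checks each one's Authenticode signature and records its SHA-256 and timestamp so an analyst can triage results. The directory list and the CSV output path are assumptions chosen for the example; the file name is the only detail taken from the page.

```powershell
# Added example: hunt for unsigned copies of msedgeupdate.dll.
# Roots to search and the export path are assumptions for illustration.
$roots = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:ProgramData",
    "$env:LOCALAPPDATA",
    "$env:TEMP"
)

$hits = foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'msedgeupdate.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status          # 'Valid' for a trusted signature
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Modified = $_.LastWriteTimeUtc
            }
        }
}

# A legitimately signed copy is the expected case; anything that is not
# 'Valid' (NotSigned, HashMismatch, UnknownError, ...) deserves a closer look.
$suspicious = $hits | Where-Object { $_.Status -ne 'Valid' }

$hits | Format-Table -AutoSize
if ($suspicious) {
    $out = Join-Path $env:TEMP 'msedgeupdate_unsigned.csv'
    $suspicious | Export-Csv -Path $out -NoTypeInformation
    Write-Host "Flagged $($suspicious.Count) file(s); details written to $out"
}
```

Run it from an elevated session so that program directories are readable. Because the page describes a sideloading-style layout, the parent directory of any flagged DLL is the natural next thing to inspect: the executable sitting beside it, and the hash of the DLL itself, are what you would pivot on in EDR or threat-intel lookups.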
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias: APT31 (votes: 2)
Description: APT31 is a possible alias for Grewapacha. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
Trojan
Source Document References
Information about the Grewapacha malware was drawn from the source document corpus (the listing is limited to 20 results).