Grewapacha

Malware updated 13 days ago (2024-10-17T12:05:10.807Z)
GrewApacha is a Remote Access Trojan (RAT) that has been used by Advanced Persistent Threat group 31 (APT31), also known as EastWind, since 2021. It is malware designed to infiltrate systems undetected and give the attacker remote control of the infected device. The GrewApacha Trojan can be identified by searching the file system for an unsigned file named 'msedgeupdate.dll'. Notably, the loader for this RAT has remained unchanged since its initial discovery, with only minor differences introduced to the RAT itself over time.

This malware is part of a broader attack strategy involving multiple malicious tools. In addition to GrewApacha, attackers have also been observed downloading the CloudSorcerer backdoor onto compromised systems, a multi-pronged approach that increases the potential for damage and exploitation. The malware set resembles the "sideloading triad" typically associated with attacks involving PlugX, another well-known piece of malware. Kaspersky has labeled the APT31 malware used in EastWind's campaign as "GrewApacha." This indicates a connection between different China-nexus actors, suggesting coordinated or related cyber activity.

Despite the similarities with other attacks, analysis of the files associated with GrewApacha confirms that it is a distinct RAT attributed to the APT31 group. This underscores the ongoing threat posed by APT31 and the need for continued vigilance and robust cybersecurity measures.
Description last updated: 2024-10-17T11:55:44.698Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
- Malware
- Trojan
Analyst Notes & Discussion
Associated Threat Actors
Alias: APT31
Description: The APT31 Threat Actor is associated with Grewapacha. APT31, also known as Zirconium, is a threat actor believed to be working on behalf of China's Ministry of State Security in Wuhan. The group's primary mission, according to security vendors like Mandiant, involves gathering information from rival nations that could be of economic, military, and poli
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Grewapacha Malware was read from the documents corpus below.