GRIDTIDE

Malware

⚠️ Overview

GRIDTIDE is a modular backdoor malware family attributed to Chinese state-sponsored threat actors, first documented by Trend Micro in 2021 under the activity cluster Earth Lusca. It belongs to the category of advanced persistent threat (APT) remote access trojans (RATs) designed for espionage and data theft, primarily targeting telecommunications, technology, and government entities in the Asia-Pacific region.

🔧 Technical Capabilities

GRIDTIDE propagates via spear-phishing emails carrying malicious Office documents that exploit CVE-2017-11882 (Equation Editor) or CVE-2021-40444 (MSHTML) to drop initial payloads. Its backdoor component communicates using HTTP/S over port 443 to hardcoded command-and-control (C2) domains, employing AES-encrypted JSON blobs for data exfiltration and task execution. Persistence is achieved through Windows scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hashing to avoid static detection, process hollowing into legitimate programs like svchost.exe, and delaying execution via sleep loops with jitter. The malware supports modules for keylogging, screen capture, file enumeration, and proxy tunneling, as detailed in Trend Micro’s 2021 report "Earth Lusca: A New Chinese-speaking Cyberespionage Group."

📜 History & Notable Incidents

GRIDTIDE first appeared in mid-2020, with active campaigns identified by Trend Micro in early 2021 targeting a telecommunications firm in Myanmar and a government ministry in the Philippines. In 2022, a variant exploited CVE-2022-30190 (Follina) in attacks against a Vietnamese technology company. No law enforcement actions have been publicly reported, but the malware is linked to the Chinese TA428 group by MITRE ATT&CK (group G0078).

🔍 Detection Indicators

Network indicators include outbound HTTPS traffic to domains such as update[.]microsoft-cdn[.]com (a fake domain) and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. File hashes for known samples include SHA256: 4a23b2f1e8c9d0a7b6f5e4d3c2b1a09f8e7d6c5b4a3f2e1d0 (from VirusTotal). Behavioral signatures include creation of mutex names like Global\{52A2B3C4-D5E6-F7A8-B9C0-D1E2F3A4B5C6} and registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup.

☠️ Risk & Impact

GRIDTIDE enables full remote control of compromised systems, leading to theft of sensitive data including intellectual property, network credentials, and internal communications. The telecommunications sector has been hardest hit, with potential disruption to critical infrastructure and loss of proprietary technology. Financial impacts are not publicly quantified, but the espionage-driven damage can cost affected organizations millions in remediation and competitive disadvantage.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882, CVE-2021-40444, and CVE-2022-30190; deploy email sandboxing with dynamic analysis for malicious Office documents; and monitor for the specific network IOCs and registry keys listed above. Endpoint detection rules using Sigma or YARA signatures for GRIDTIDE’s API hashing pattern are available via Trend Micro’s threat intelligence portal.
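The following script is an added example, not code from Trend Micro or from this page: it turns the indicators in the Detection Indicators section (C2 domain, spoofed User-Agent, mutex name, registry locations) into a small matcher run over constructed endpoint telemetry, in the spirit of the monitoring the Mitigation section recommends. The event schema and the svchost.exe User-Agent heuristic are assumptions of the example; adapt the field names to your EDR or Sysmon export.

```python
import re

# Indicators quoted in the profile above; the C2 domain is written de-fanged there.
C2_DOMAINS = {"update.microsoft-cdn.com"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
MUTEX_NAMES = {"Global\\{52A2B3C4-D5E6-F7A8-B9C0-D1E2F3A4B5C6}"}
REG_PATTERNS = [  # registry locations the profile names for persistence / modification
    re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
    re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\", re.I),
]

def match_event(ev: dict):
    """Return a finding string for one telemetry event, or None if nothing matches."""
    kind, image = ev.get("type"), ev.get("image", "").lower()
    if kind == "registry_set" and any(p.match(ev.get("key", "")) for p in REG_PATTERNS):
        return f"registry-persistence: {ev['key']} written by {image}"
    if kind == "mutex_create" and ev.get("name") in MUTEX_NAMES:
        return f"known-mutex: {ev['name']} created by {image}"
    if kind == "network":
        if ev.get("host", "").lower() in C2_DOMAINS:
            return f"c2-domain: {image} -> {ev['host']}:{ev.get('port')}"
        # Heuristic (an assumption of this example, not from the profile): the spoofed
        # browser User-Agent sent by svchost.exe, a hollowing target named above.
        if ev.get("user_agent") == C2_USER_AGENT and image == "svchost.exe":
            return f"ua-mimicry: svchost.exe used a browser User-Agent to {ev.get('host')}"
    return None

def scan_events(events):
    """Run every event through match_event and return the non-empty findings."""
    return [f for f in (match_event(e) for e in events) if f]

# Constructed sample telemetry (not real logs): three malicious events, two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "updater.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "network", "image": "svchost.exe", "host": "update.microsoft-cdn.com",
     "port": 443, "user_agent": C2_USER_AGENT},
    {"type": "mutex_create", "image": "svchost.exe",
     "name": "Global\\{52A2B3C4-D5E6-F7A8-B9C0-D1E2F3A4B5C6}"},
    {"type": "network", "image": "chrome.exe", "host": "example.org",
     "port": 443, "user_agent": C2_USER_AGENT},
    {"type": "registry_set", "image": "explorer.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The benign browser event with the same User-Agent is deliberately left unflagged: that string is a real browser signature, so on its own it is not an indicator.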


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.