SideWalk Modular Backdoor Discovered in Newly Launched APT Campaigns
The APT Group SparklingGoblin Seems to Be Behind the New Backdoor.
A new modular backdoor called SideWalk was recently discovered as part of new malicious campaigns launched by an APT group dubbed SparklingGoblin.
An advanced persistent threat (APT) is a sustained intrusion carried out by attackers with a high level of expertise and significant resources, who use them to infiltrate and remain inside a network.
These actors typically aim this type of attack at large organizations in order to steal economic or financial information; in some cases they use it to disrupt or block a company’s programs or agenda.
The SparklingGoblin APT was first seen in May 2020, while cybersecurity researchers were tracking attacks on Hong Kong universities by another group that had used the CrossWalk backdoor in 2019.
In a recently published report, researchers from ESET state that the new SideWalk backdoor shares several similarities with the CrossWalk backdoor:
Subsequent to that campaign, in May 2020 (as documented in our Q2 2020 Threat Report) we observed a new campaign targeting one of the universities that was previously compromised by Winnti Group in October 2019, where the attackers used the CROSSWALK backdoor and a PlugX variant using Google Docs as a dead drop resolver. Even though that campaign exhibited links to Winnti Group, the modus operandi was quite different, and we started tracking it as a separate threat actor.
SideWalk and CrossWalk share several architectural similarities, including their anti-tampering techniques, threading model, data layout, and the way data is managed during execution.
In terms of features, both backdoors are modular: they can extend their capabilities by loading additional plugins.
Both backdoors use the Motnug loader, a shellcode loader, and both can obtain proxy configurations by stealing user tokens, which they then use to communicate with their C&C servers.
After carefully reviewing all of this data, the ESET researchers concluded that SparklingGoblin, the group using the SideWalk backdoor, is another subgroup of the Winnti group.
Some History on SparklingGoblin
According to Cyware, SparklingGoblin targets a wide range of organizations around the world and, while it hits several industry sectors, it is primarily focused on the academic sector.
Its targets have included the academic sectors in Macau, Hong Kong, and Taiwan, as well as a religious organization, an electronics manufacturer in Taiwan, and several government entities based in Southeast Asia.
SparklingGoblin is becoming a very active threat group targeting organizations globally, and the links already established between SideWalk and CrossWalk raise the concern that the wider Winnti group could readily make use of these backdoors in the near future.