A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, highlighting the implant’s cross-platform capabilities.
Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university is said to have already been targeted by the group in May 2020 during the student protests.
“The group continuously targeted this organization over an extended period of time, successfully compromising several key servers, including a print server, an email server, and a server used to manage student schedules and class registrations,” ESET said in a report shared with The Hacker News.
SparklingGoblin is the name given to a Chinese Advanced Persistent Threat (APT) group with connections to the Winnti umbrella (aka APT41, Barium, Earth Baku or Wicked Panda). It is primarily known for attacks targeting various entities in East and Southeast Asia since at least 2019, with a particular focus on the academic sector.
Subsequent findings from Symantec, part of Broadcom Software, linked the use of SideWalk to a cluster of espionage attacks it tracks under the moniker Grayfly, while pointing out the malware's similarities to Crosswalk.
“SparklingGoblin’s Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs,” Mathieu Tartare, malware researcher at ESET, told The Hacker News. “Symantec’s definition of Grayfly seems to (at least partially) overlap with SparklingGoblin.”
ESET's latest research dives into SideWalk's Linux counterpart (originally called InternshipClient in July 2021), with the analysis also revealing that Spectre RAT, a Linux botnet that appeared in September 2020, is actually also a Linux variant of SideWalk.
Besides the multiple code similarities between SideWalk Linux and various SparklingGoblin tools, one of the Linux samples was found using a command-and-control address (66.42.103[.]222) that was previously used by SparklingGoblin.
Other commonalities include the use of the same bespoke ChaCha20 implementation, multiple threads to perform a particular task, the ChaCha20 algorithm to decrypt its configuration, and a dead-drop resolver payload.
Despite these overlaps, there are a few significant changes, the most notable being the move from C to C++, the addition of new built-in modules for running scheduled tasks and collecting system information, and changes to four commands that are not supported in the Linux version.
“Since we only saw the Linux variant once in our telemetry (deployed at a Hong Kong university in February 2021), the Linux variant can be considered less widespread — but we also have less visibility on Linux systems, which might explain this,” says Tartare.
“On the other hand, the Spectre Linux variant is used against IP cameras and NVR and DVR devices (on which we have no visibility) and is spreading massively by exploiting a vulnerability on these devices.”