A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.
Slovak cybersecurity firm ESET, which detected the malware in the university’s network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university is said to have been already targeted by the group in May 2020 during the student protests.
“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations,” ESET said in a report shared with The Hacker News.
SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the Winnti umbrella (aka APT41, Barium, Earth Baku, or Wicked Panda). It’s primarily known for its attacks targeting various entities in East and Southeast Asia at least since 2019, with a specific focus on the academic sector.
In August 2021, ESET unearthed a new piece of custom Windows malware codenamed SideWalk (aka ScrambleCross) that was exclusively leveraged by the actor to strike an unnamed computer retail company based in the U.S.
Subsequent findings from Symantec, part of Broadcom software, have linked the use of SideWalk to an espionage attack group it tracks under the moniker Grayfly, while pointing out the malware’s similarities to that of Crosswalk.
“SparklingGoblin’s Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs,” Mathieu Tartare, malware researcher at ESET, told The Hacker News. “Grayfly’s definition given by Symantec seems to (at least partially) overlap with SparklingGoblin.”
The latest research from ESET dives into SideWalk’s Linux counterpart (originally called StageClient in July 2021), with the analysis also uncovering that Specter RAT, a Linux botnet that came to light in September 2020, is in fact an early Linux variant of SideWalk as well.
Aside from multiple code similarities between the SideWalk Linux and various SparklingGoblin tools, one of the Linux samples has been found using a command-and-control address (66.42.103[.]222) that was previously used by SparklingGoblin.
Other commonalities include the use of the same bespoke ChaCha20 implementation, multiple threads to execute one particular task, ChaCha20 algorithm for decrypting its configuration, and an identical dead drop resolver payload.
Despite these overlaps, there are some significant changes, the most notable being the switch from C to C++, addition of new built-in modules to execute scheduled tasks and gather system information, and changes to four commands that are not handled in the Linux version.
“Since we have seen the Linux variant only once in our telemetry (deployed at a Hong Kong university in February 2021) one can consider the Linux variant to be less prevalent — but we also have less visibility on Linux systems which could explain this,” Tartare said.
“On the other hand, the Specter Linux variant is used against IP cameras and NVR and DVR devices (on which we have no visibility) and is mass spread by exploiting a vulnerability on such devices.”