A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, highlighting the implant’s cross-platform capabilities.
Slovak cybersecurity firm ESET, which discovered malware on the university’s network, attributed the backdoor to a nation-state actor named Gas Goblin. The unnamed university is said to have already been targeted by the group in May 2020 during student protests.
“The group repeatedly targeted this organization over an extended period of time, successfully compromising multiple key servers, including a print server, an email server and a server used to manage student timetables and course registrations,” ESET said in a report shared with The Hacker News.
SparklingGoblin is the name given to an advanced Chinese persistent threat group (APT) affiliated with the Winnti umbrella (aka APT41, Barium, Earth Baku or Wicked Panda). It is primarily known for its attacks targeting various entities in East and Southeast Asia since at least 2019, with a particular focus on the academic sector.
In August 2021, ESET discovered a new piece of custom Windows malware codenamed SideWalk (aka ScrambleCross) that was used exclusively by the actor to attack an unnamed US-based computer retail company
Subsequent findings by Symantec, part of Broadcom Software, have linked the use of SideWalk to an espionage attack group it tracks under the name Grayfly, noting the malware’s similarities to that of Crosswalk.
“SparklingGoblin Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs,” Mathieu Tartare, malware researcher at ESET, told Hacker News. “Symantec’s definition of Grayfly appears to (at least partially) overlap with SparklingGoblin.”
The latest research from ESET dives into SideWalk’s Linux counterpart (originally named StageClient in July 2021), with analysis also revealing that the Specter RAT, a Linux botnet that came to light in September 2020, is actually an early Linux variant of SideWalk as well.
In addition to the many code similarities between SideWalk Linux and various SparklingGoblin tools, one of the Linux samples was found using a command and control address (66.42.103[.]222) that was previously used by SparklingGoblin.
Other commonalities include the use of the same custom ChaCha20 implementation, multiple threads to execute a particular task, the ChaCha20 algorithm for decrypting its configuration, and an identical dead-drop solver payload.
Despite these overlaps, there are some important changes, the most notable being the move from C to C++, the addition of new built-in modules to run scheduled tasks and gather system information, and changes to four unhandled commands in the Linux version. .
“Since we’ve only seen the Linux variant once in our telemetry (located at a Hong Kong university in February 2021), it can be considered the Linux variant as less prevalent — but we also have less visibility into Linux systems that can explain this,” said Tartare.
“On the other hand, the Specter Linux variant is used against IP cameras and NVR and DVR devices (into which we have no visibility) and is widely spread by exploiting a vulnerability in such devices.”
