SparklingGoblin hackers create Linux variant of the SideWalk Windows backdoor

State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector.

The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group.

Targeting academic sector

The SideWalk Linux backdoor has been observed in the past, initially being tracked as StageClient by security researchers at cybersecurity company ESET.

An early variant of the malware was spotted by researchers at 360 Netlab, the threat intelligence team at Chinese internet security company Qihoo 360, and detailed two years ago in a blog post about the Specter botnet hitting IP cameras.

After analyzing Specter and StageClient, ESET researchers determined that both malware pieces have the same root and are Linux variants of SideWalk.

In 2021, researchers at Trend Micro documented new tools from a cyberespionage campaign attributed to APT41/Earth Baku, including the SideWalk backdoor, which they track as ScrambleCross.

ESET notes in a report today that while SideWalk Linux has been used against multiple targets in the past, their telemetry data shows that the variant they discovered was deployed against only one victim in February 2021, a university in Hong Kong.

SparklingGoblin focused on the same target in the past, compromising the same university in May 2020, during the student protests.

“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations” – ESET

Although SparklingGoblin is mostly attacking targets in East and Southeast Asia, the group has also been hitting organizations outside these regions, its focus being on the academic sector.

SideWalk for Windows ready for Linux

Looking at the SideWalk variants for Linux and Windows, ESET noticed “striking” similarities in the way they function, the implementation of multiple components, and the payloads dropped on the compromised system.

The researchers say that both variants implement the ChaCha20 encryption algorithm in a way that will “use a counter with an initial value of 0x0B,” something that is particular to SideWalk.
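For analysts, the practical effect of the 0x0B starting counter is that a stock ChaCha20 decryptor starting at block 0 or 1 produces garbage even with the right key. The sketch below is an added example, not code from ESET or from the malware. It assumes the RFC 8439 state layout (32-bit counter, 96-bit nonce), which the article does not specify; the key, nonce, plaintext and function names are constructed for illustration.

```python
import struct

SIDEWALK_COUNTER = 0x0B  # initial counter value reported by ESET for SideWalk

def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 8439 state layout (assumed)."""
    init = list(struct.unpack("<4I", b"expand 32-byte k")) \
        + list(struct.unpack("<8I", key)) + [counter & 0xFFFFFFFF] \
        + list(struct.unpack("<3I", nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter(s, 0, 4, 8, 12); _quarter(s, 1, 5, 9, 13)
        _quarter(s, 2, 6, 10, 14); _quarter(s, 3, 7, 11, 15)
        _quarter(s, 0, 5, 10, 15); _quarter(s, 1, 6, 11, 12)
        _quarter(s, 2, 7, 8, 13); _quarter(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def keystream(key, nonce, length, counter):
    out = b""
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return out[:length]

def chacha20_xor(key, nonce, data, counter=SIDEWALK_COUNTER):
    ks = keystream(key, nonce, len(data), counter)
    return bytes(a ^ b for a, b in zip(data, ks))

def decrypt_with_standard_tool(key, nonce, data, tool_counter=0):
    """Emulate a stock ChaCha20 API that always starts at tool_counter:
    discard the keystream blocks before 0x0B, then XOR."""
    skip = (SIDEWALK_COUNTER - tool_counter) * 64
    ks = keystream(key, nonce, skip + len(data), tool_counter)[skip:]
    return bytes(a ^ b for a, b in zip(data, ks))

# Constructed sample values, not taken from any SideWalk sample.
KEY = bytes(range(32))
NONCE = bytes.fromhex("000000090000004a00000000")
SAMPLE = b"constructed plaintext standing in for a config blob"
```

With a library that cannot set the block counter, discarding the first `(0x0B - start) * 64` keystream bytes gives the same result, as `decrypt_with_standard_tool` shows.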

On both Windows and Linux, the malware uses the same five threads, executed simultaneously, for specific tasks:

  • [StageClient::ThreadNetworkReverse] – fetches proxy configurations for alternate connections to the command and control (C2) server
  • [StageClient::ThreadHeartDetect] – closes the connection to the C2 server when commands are not received in the specified time
  • [StageClient::ThreadPollingDriven] – sends heartbeat commands to the C2 server if there is no info to deliver
  • [StageClient::ThreadBizMsgSend] – checks for data to be sent in message queues for all other threads and processes it
  • [StageClient::ThreadBizMsgHandler] – checks for pending messages from the C2 server

ESET researchers also found that both Linux and Windows variants for SideWalk had the same payload delivered through the dead-drop resolver string hosted in a Google Docs file.

Figure: String hosted in Google Docs for SideWalk to fetch payload (source: ESET)

Another piece of evidence connecting the two SideWalk variants to the same threat actor was that they both used the same encryption key to transport data from the infected machine to the C2 server.

SparklingGoblin has the capability to develop malware adapted to its needs, as evidenced by the SideWalk Linux variant. However, the group also has access to implants observed in operations attributed to other Chinese hacking groups.

ESET researchers say that SparklingGoblin has access to the ShadowPad backdoor and Winnti malware.

Source: www.bleepingcomputer.com