The SparklingGoblin APT group used a new Linux variant of the SideWalk backdoor against a Hong Kong university in February 2021, highlighting the cross-platform capabilities of the implant.
Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributes the backdoor to a nation-state actor it tracks as SparklingGoblin. The unnamed university had already been targeted by the group in May 2020, during the student protests.
In a report shared with The Hacker News, ESET said: "The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations."
SparklingGoblin is a group of Chinese hackers that targets entities in East and Southeast Asia, focusing primarily on universities, and has been active since at least 2019.
ESET had previously documented SideWalk as a new malware family. At that point the actor was known to have used it only once, against an unnamed company headquartered in the U.S.
The SideWalk malware has also been linked to Grayfly, a group with ties to espionage activity.
"The tactics, techniques and procedures of Sparkling Goblin partially overlap with APT41 TTPs," said Mathieu Tartare, malware researcher at ESET. "Grayfly's definition given by Symantec seems to (at least partially) overlap with Sparkling Goblin."
SideWalk's Linux variant was first observed as a botnet infecting Linux machines in 2020. Further analysis showed that Specter RAT, a Linux botnet that came to light in September 2020, is also a Linux variant of SideWalk. Further tying SideWalk Linux to SparklingGoblin, one sample uses an IP address that the group had previously employed.
The Linux and Windows variants also share several traits: the same bespoke ChaCha20 implementation, the use of multiple threads to carry out a single task, ChaCha20 for decrypting the configuration, and an identical dead drop resolver payload.
The most notable changes in this update are the switch to C++, the addition of new modules to execute scheduled tasks and gather system information, and changes to four commands.
Security researcher Yves Tartare suggests that the Linux variant may appear less prevalent because it has received less visibility than the Windows and macOS variants.