A new threat actor has been targeting organizations in academic, retail and government sectors all over the world with a never-before-seen backdoor, according to the cybersecurity firm ESET.
Dubbed SparklingGoblin, the new APT is believed to have ties with another APT, Winnti Group. The researchers said they discovered SparklingGoblin in May 2020 while analyzing a Winnti Group campaign targeting several Hong Kong universities that had started at the end of October 2019. During the campaign the attackers made use of several backdoors, including ShadowPad, the Winnti malware, the Spyder backdoor, and Doraemon, a backdoor based on DarkShell.
“Subsequent to that campaign, in May 2020 we observed a new campaign targeting one of the universities that was previously compromised by Winnti Group in October 2019, where the attackers used the CROSSWALK backdoor and a PlugX variant using Google Docs as a dead drop resolver. Even though that campaign exhibited links to Winnti Group, the modus operandi was quite different, and we started tracking it as a separate threat actor,” ESET said.
In the recent campaign the SparklingGoblin group has been observed using a backdoor, which researchers dubbed ‘SideWalk.’
SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server; it uses Google Docs as a dead drop resolver and Cloudflare Workers as its C&C server.
Since mid-2020 the APT has hit a broad range of organizations and verticals around the world, mainly focusing on academic institutions in countries such as Bahrain, Canada, Georgia, India, Macao, Singapore, South Korea, Taiwan, and the U.S. Other targeted entities include media companies, religious organizations, e-commerce platforms, computer and electronics manufacturers, and local governments in East and Southeast Asia.
The SideWalk backdoor is ChaCha20-encrypted shellcode that is loaded from disk by SparklingGoblin’s InstallUtil-based .NET loaders, the researchers noted. This loader is responsible for reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique.
After establishing a connection to its command and control server, SideWalk downloads arbitrary modules sent from the server, harvests information about running processes and then sends it back to the server.
“SideWalk is a previously undocumented backdoor used by the SparklingGoblin APT group. It was most likely produced by the same developers as those behind CROSSWALK, with which it shares many design structures and implementation details,” the researchers noted.
“SparklingGoblin is a group with some level of connection to Winnti Group. It was very active in 2020 and the first half of 2021, compromising multiple organizations over a wide range of verticals around the world and with a particular focus on the academic sector and East Asia.”