Related Families: Specter RAT, SideWalk (Windows)
Verticals Targeted: Education
Executive Summary
ESET recently reported on a SideWalk Linux variant. SideWalk is a backdoor used by the SparklingGoblin threat actor group.
Key Takeaways
- ESET discovered a Linux variant of the SideWalk backdoor.
- SideWalk is used by the SparklingGoblin threat actor group.
- The Linux and Windows variants of SideWalk share multiple similarities.
What is SideWalk?
ESET researchers discovered a Linux variant of the SideWalk backdoor. SideWalk is a custom malware used by the SparklingGoblin threat actor group. The variant analyzed was used in an attack on a Hong Kong university. SparklingGoblin reportedly targeted the university as early as May 2020, and continued targeting led to the SideWalk Linux variant being found on the university's network in February 2021. ESET notes it originally referred to the sample as StageClient. ESET also assesses that the Specter RAT Linux backdoor is a variant of SideWalk Linux.
SideWalk uses Google Docs as a dead-drop resolver and uses Cloudflare for C2. ESET was not able to determine the initial infection vector but speculates it may be exploitation of Internet-connected devices or of a WordPress server.
The SideWalk Linux variant shares multiple similarities with the Windows SideWalk variant, including the following:
- Both variants use ChaCha20 encryption, with an initial counter value of 0x0B. The configuration is decrypted using ChaCha20.
- Both variants execute five threads simultaneously, each dedicated to a specific task.
- In both variants, a data integrity check is performed prior to decryption. An MD5 hash is computed over the ChaCha20 nonce concatenated with the encrypted configuration data. If the hash does not match a predefined value, the malware exits.
- Both variants share an identical dead-drop resolver payload.
- Both variants use the same artifacts for victim fingerprinting, and the information is fetched in the same order.
- Both variants use an identical encryption key and the same POST requests for communication with the C2.
- Both variants share the same commands, with the exception of four commands that differ in the Linux variant.
A major difference in the implementation of the Linux variant is the modules are built-in and cannot be fetched from the C2, as is possible in the Windows variant. The Linux version also does not implement as many defense evasion techniques as the Windows version.
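The check-then-decrypt flow described in the similarities list above, written out as an added Python example (this is not ESET's or PolySwarm's code, and not code recovered from a SideWalk sample). It verifies MD5(nonce || encrypted config) against a predefined digest and only then decrypts with ChaCha20 starting at block counter 0x0B. The blob layout (a 12-byte nonce immediately followed by the ciphertext), the 32-byte key, and the sample configuration are assumptions constructed for illustration; a real extractor would pull the key, nonce, ciphertext, and expected digest from the binary. ChaCha20 is implemented inline per RFC 7539 so the block runs offline with no third-party dependency.

```python
"""Added example: SideWalk-style config integrity check and ChaCha20 decryption.
Not the malware's code; blob layout, key, and sample config are assumptions."""
import hashlib
import struct

COUNTER_INIT = 0x0B  # initial ChaCha20 block counter reported for both variants

# Constructed sample config (not from a real sample); used by demo() and the tests.
SAMPLE_CONFIG = b"constructed config: c2=127.0.0.1:443;dead_drop=docs.google.com"


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 7539: 32-byte key,
    32-bit block counter, 96-bit nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=COUNTER_INIT):
    """XOR data with the ChaCha20 keystream beginning at `counter`.
    Encryption and decryption are the same operation. Using the wrong
    initial counter (e.g. the RFC default of 0 or 1) yields garbage, which
    is why the 0x0B value matters when writing an extractor."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def decrypt_config(blob, key, expected_md5_hex):
    """Mirror the malware's check-then-decrypt order: MD5 over
    nonce || ciphertext must equal the predefined digest before any
    decryption happens. Returns None on mismatch (where the malware exits).
    Assumption: the 12-byte nonce is stored immediately before the ciphertext."""
    nonce, ciphertext = blob[:12], blob[12:]
    if hashlib.md5(nonce + ciphertext).hexdigest() != expected_md5_hex:
        return None
    return chacha20_xor(key, nonce, ciphertext)


def demo():
    """Build a constructed blob, recover the config, then show that flipping
    one ciphertext bit is rejected before decryption. Returns (ok, tampered)."""
    key = bytes(range(32))          # assumed key, for illustration only
    nonce = bytes(range(12))        # assumed nonce, for illustration only
    blob = nonce + chacha20_xor(key, nonce, SAMPLE_CONFIG)
    predefined = hashlib.md5(blob).hexdigest()   # the value baked into the binary
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    return decrypt_config(blob, key, predefined), decrypt_config(bytes(tampered), key, predefined)


if __name__ == "__main__":
    recovered, rejected = demo()
    print("recovered:", recovered)
    print("tampered blob accepted:", rejected is not None)
```

The MD5 here is an integrity check on the ciphertext, not an authentication tag: anyone who can patch the binary can recompute it, so for an analyst it is mainly a signal that a sample's config region has been modified or mis-carved. The test vector in `chacha20_block` below is the RFC 7539 section 2.3.2 block, which confirms the cipher core before trusting any decrypted output.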
Who is SparklingGoblin?
SparklingGoblin is thought to be a China-nexus threat actor group. The group's TTPs partially overlap with those of APT41 (Wicked Panda). The group typically targets academic entities located in East and Southeast Asia, although it has expanded its scope to other verticals and regions. SparklingGoblin's toolset includes, but is not limited to, Motnug and ChaCha20-based loaders, Crosswalk, SideWalk, PlugX, ShadowPad, and Cobalt Strike. ESET notes SparklingGoblin is currently the only threat actor known to use SideWalk.
IOCs
PolySwarm has multiple samples of the SideWalk Linux variant. The following CLI command searches for all SideWalk samples in our portal:
$ polyswarm link list -f SideWalk
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports