A new Linux version of the SideWalk backdoor has been deployed against a Hong Kong university in a persistent attack that's compromised multiple servers key to the institution's network environment.
Researchers from ESET attributed the attack and the backdoor to SparklingGoblin, an advanced persistent threat (APT) group that targets organizations mostly in East and Southeast Asia, with a focus on the academic sector, they said in a blog post published Sept. 14.
The APT also has been linked to attacks on a broad range of organizations and vertical industries around the world, and is known for using the SideWalk and Crosswalk backdoors in its arsenal of malware, researchers said.
In fact, the attack on the Hong Kong university is the second time SparklingGoblin has targeted this particular institution; the first was in May 2020 during student protests, with ESET researchers first detecting the Linux variant of SideWalk in the university's network in February 2021 without actually identifying it as such, they said.
The latest attack appears to be part of a continuous campaign that initially may have started with the exploitation either of IP cameras and/or network video recorder (NVR) and DVR devices, using the Specter botnet or through a vulnerable WordPress server found in the victim's environment, researchers said.
"SparklingGoblin has continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," researchers said.
Moreover, it now appears that the Specter RAT, first documented by researchers at 360 Netlab, is actually a SideWalk Linux variant, as shown by multiple commonalities between the sample identified by ESET researchers, they said.
SideWalk Links to SparklingGoblin
SideWalk is a modular backdoor that can dynamically load additional modules sent from its command-and-control (C2) server, makes use of Google Docs as a dead-drop resolver, and uses Cloudflare as a C2 server. It can also properly handle communication behind a proxy.
There are differing opinions among researchers as to which threat group is responsible for the SideWalk backdoor. While ESET links the malware to SparklingGoblin, researchers at Symantec said it is the work of Grayfly (aka GREF and Wicked Panda), a Chinese APT active since at least March 2017.
ESET believes that SideWalk is exclusive to SparklingGoblin, basing its "high confidence" in this assessment on "multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools," researchers said. One of the SideWalk Linux samples also uses a C2 address (66.42.103[.]222) that was previously used by SparklingGoblin, they added.
In addition to using the SideWalk and Crosswalk backdoors, SparklingGoblin also is known for deploying Motnug and ChaCha20-based loaders, the PlugX RAT (aka Korplug), and Cobalt Strike in its attacks.
Inception of SideWalk Linux
ESET researchers first documented the Linux variant of SideWalk in July 2021, dubbing it "StageClient" because they did not at the time make the connection to SparklingGoblin and the SideWalk backdoor for Windows.
They eventually linked the malware to a modular Linux backdoor with flexible configuration being used by the Specter botnet that was mentioned in a blog post by researchers at 360 Netlab, finding "a huge overlap in functionality, infrastructure, and symbols present in all the binaries," the ESET researchers said.
"These similarities convince us that Specter and StageClient are from the same malware family," they added. In fact, both are just Linux various of SideWalk, researchers eventually found. For this reason, both are now referred to under the umbrella term SideWalk Linux.
Indeed, given the frequent use of Linux as the basis for cloud services, virtual machine hosts, and container-based infrastructure, attackers are increasingly targeting Linux environments with sophisticated exploits and malware. This has given rise to Linux malware that's both unique to the OS or built as a complement to Windows versions, demonstrating that attackers see a growing opportunity to target the open source software.
Comparison to Windows Version
For its part, SideWalk Linux has numerous similarities to the Windows version of the malware, with researchers outlining only the most "striking" ones in their post, researchers said.
One obvious parallel is the implementations of ChaCha20 encryption, with both variants using a counter with an initial value of "0x0B" — a characteristic previously noted by ESET researchers. The ChaCha20 key is exactly the same in both variants, strengthening the connection between the two, they added.
Both versions of SideWalk also use multiple threads to execute specific tasks. They each have exactly five threads — StageClient::ThreadNetworkReverse, StageClient::ThreadHeartDetect, StageClient::ThreadPollingDriven, ThreadBizMsgSend, and StageClient::ThreadBizMsgHandler — executed simultaneously that each perform a specific function intrinsic to the backdoor, according to ESET.
Another similarity between the two versions is that the dead-drop resolver payload — or adversarial content posted on Web services with embedded domains or IP addresses — is identical in both samples. The delimiters — characters chosen to separate one element in a string from another element — of both versions also are identical, as well as their decoding algorithms, researchers said.
Researchers also found key differences between SideWalk Linux and its Windows counterpart. One is that in SideWalk Linux variants, modules are built in and cannot be fetched from the C2 server. The Windows version, on the other hand, has built-in functionalities executed directly by dedicated functions within the malware. Some plug-ins also can be added through C2 communications in the Windows version of SideWalk, researchers said.
Each version performs defense evasion in a different way as well, researchers found. The Windows variant of SideWalk "goes to great lengths to conceal the objectives of its code" by trimming out all data and code that was unnecessary for its execution, encrypting the rest.
The Linux variants make detection and analysis of the backdoor "significantly easier" by containing symbols and leaving some unique authentication keys and other artifacts unencrypted, researchers said.
"Additionally, the much higher number of inlined functions in the Windows variant suggests that its code was compiled with a higher level of compiler optimizations," they added.