SideWalk, a new modular backdoor, has been uncovered in recent campaigns run by an APT group tracked as SparklingGoblin. The group was first detected in May 2020, at a time when a separate group's 2019 attacks on Hong Kong-based universities with the CrossWalk backdoor were also being monitored; no relationship between the two could be established back then.
SideWalk and CrossWalk similarities
According to a new report, the SideWalk backdoor shares several characteristics with the CrossWalk backdoor used by the Winnti Group.
- Although the code itself differs, SideWalk and CrossWalk share the same architectural features: anti-tampering techniques, the threading model, the data layout, and the way data is handled during execution.
- Both backdoors are modular: additional plugins can extend their capabilities.
- In the campaigns observed, SideWalk and CrossWalk were both deployed with the Motnug loader, a shellcode-style loader.
- Both can steal a logged-on user's token and impersonate that user to read the user's proxy configuration, which lets them reach their C&C servers through the same proxy that legitimate user traffic uses.
Researchers have concluded that SparklingGoblin is another subgroup of the Winnti Group, distinguished by its use of the SideWalk backdoor.
Attack history of SparklingGoblin
SparklingGoblin targets a wide variety of organizations worldwide, across several industries but mainly the academic sector.
- Its targets include the academic sector in Macao, Hong Kong, and Taiwan, along with a religious organization, an electronics manufacturer in Taiwan, and government bodies in Southeast Asia.
- It has also targeted e-commerce companies in South Korea, educational institutions in Canada, media companies in India, Bahrain, and the United States, retail enterprises in the U.S., municipal governments in Georgia, and unidentified companies in South Korea and Singapore.
SparklingGoblin is a highly active threat group attacking a broad range of organizations. Given the links between SideWalk and CrossWalk, the Winnti Group may adopt this backdoor in the near future, so security analysts should track both families. In the meantime, security teams should keep a close watch on this threat in order to prevent future attacks.
To read more, please check eScan Blog