A computer retail company in the US was targeted with a previously undocumented backdoor, dubbed SideWalk, in attacks attributed to a Chinese advanced persistent threat (APT) group.
ESET linked SideWalk to the SparklingGoblin APT, which in turn is connected to the wider hacker collective known as Winnti Group. The attribution rests on similarities to Crosswalk, another backdoor the same threat actor used in 2019.
“SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server,” ESET researchers Thibaut Passilly and Mathieu Tartare said in a report on Tuesday. “It can also properly handle communication behind a proxy.”
Since 2019, SparklingGoblin has been targeting Hong Kong universities using ShadowPad and Spyder, the latter widely used by Chinese threat actors.
Over the past year, the group has hit a wide range of organizations and industries, but its main focus remains academic institutions. Its targets were located in Bahrain, Canada, Georgia, India, Macao, Singapore, South Korea, Taiwan, and the U.S.
Other targeted entities include banks, e-commerce companies, financial institutions, and real estate developers.
Most recently, SideWalk was used in an attack against a U.S.-based computer retail business.
“SideWalk is a previously undocumented backdoor used by the SparklingGoblin APT group. It was most likely produced by the same developers as those behind CROSSWALK, with which it shares many design structures and implementation details,” the researchers concluded.
SideWalk is delivered as encrypted shellcode deployed by a .NET loader. The loader is responsible for “reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique.”
The next phase of the infection begins when SideWalk sends an HTTPS request to a Google Docs document acting as a dead drop resolver and retrieves from it an encrypted IP address for the C&C server.
“The decrypted IP address is 80.85.155[.]80. That C&C server uses a self-signed certificate for the facebookint[.]com domain.”
Microsoft has linked the domain to a threat actor it tracks as BARIUM, which partially overlaps with what ESET calls Winnti. Because this address is not the first one the malware tries, the researchers consider it a fallback C&C server.
Besides using HTTPS for its requests to the C&C server, SideWalk can load arbitrary plugins and exfiltrate information about running processes to the remote server.
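The two network indicators quoted above (the fallback C&C address and the self-signed certificate for facebookint[.]com) are the kind a defender would sweep TLS logs for. The script below is an added example written for this page, not ESET's tooling or anything from the report; it assumes Zeek-style ssl.log records exported as JSON with the field names shown (dst_ip, server_name, subject, issuer), and the sample log lines, source and destination addresses other than the published C&C, and timestamps are constructed for the demonstration.

```python
"""Sweep TLS session logs for the SideWalk C&C indicators published in the report.

Added example for this page (not ESET's code). Assumes Zeek-style ssl.log
records exported as one JSON object per line with the field names used below.
The sample log lines at the bottom are constructed.
"""
import json
import re

# Indicators as printed in the article (defanged with "[.]").
DEFANGED_IOCS = ["80.85.155[.]80", "facebookint[.]com"]


def refang(ioc):
    """Turn a defanged indicator back into a matchable value ('[.]' -> '.', 'hxxp' -> 'http')."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", refang(i))}
IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS} - IOC_IPS


def cn_from_dn(dn):
    """Extract the CN from an RFC 4514-style DN such as 'CN=facebookint.com,O=x'; None if absent."""
    if not dn:
        return None
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip().lower()
    return None


def domain_matches(name, domains):
    """True if name equals, or is a subdomain of, any domain in the set."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def check_tls_record(rec):
    """Return the list of reasons a TLS record matches the published indicators (empty if clean)."""
    reasons = []
    dst = rec.get("dst_ip")
    if dst in IOC_IPS:
        reasons.append(f"dst_ip {dst} is the published fallback C&C address")
    for label, name in (("server_name", rec.get("server_name")),
                        ("subject CN", cn_from_dn(rec.get("subject")))):
        if name and domain_matches(name, IOC_DOMAINS):
            reasons.append(f"{label} {name} matches the published C&C domain")
    # Self-signed certificates are common on their own (appliances, internal services),
    # so the self-signed detail is only reported as supporting evidence once an
    # indicator has already matched; it never triggers a hit by itself.
    if reasons and rec.get("subject") and rec.get("subject") == rec.get("issuer"):
        reasons.append("server certificate is self-signed, as the report describes")
    return reasons


def hunt(log_lines):
    """Return [(record, reasons)] for every JSON log line that matched an indicator."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = check_tls_record(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample records. Only 80.85.155.80 and facebookint.com come from the article;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, 10.0.0.0/8 is private.
SAMPLE_SSL_LOG = """
{"ts":"2021-08-24T10:00:01Z","src_ip":"10.1.2.30","dst_ip":"203.0.113.10","dst_port":443,"server_name":"docs.google.com","subject":"CN=*.google.com","issuer":"CN=Example Public CA,O=Example,C=US"}
{"ts":"2021-08-24T10:00:03Z","src_ip":"10.1.2.30","dst_ip":"80.85.155.80","dst_port":443,"server_name":null,"subject":"CN=facebookint.com","issuer":"CN=facebookint.com"}
{"ts":"2021-08-24T10:05:00Z","src_ip":"10.1.2.31","dst_ip":"10.0.0.5","dst_port":8443,"server_name":"printer.lab.local","subject":"CN=printer.lab.local","issuer":"CN=printer.lab.local"}
{"ts":"2021-08-24T10:07:12Z","src_ip":"10.1.2.32","dst_ip":"198.51.100.7","dst_port":443,"server_name":"cdn.facebookint.com","subject":"CN=cdn.facebookint.com","issuer":"CN=Example Public CA,O=Example,C=US"}
"""

if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_SSL_LOG.splitlines()):
        print(f"{rec['ts']} {rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']}")
        for r in reasons:
            print("   -", r)
```

On the constructed sample, the session to 80.85.155.80 is reported with three reasons (address, certificate CN, self-signed) and the session to cdn.facebookint.com with two, while the self-signed printer certificate and the docs.google.com session are left alone. The Google Docs request itself is deliberately not treated as an indicator: it is the dead drop resolver and looks like ordinary user traffic, which is exactly why the attackers use it.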