An APT group known as SparklingGoblin has found SideWalk, a new modular backdoor, in recent campaigns. In May 2020, while investigating assaults on Hong Kong colleges by another organization that utilized the CrossWalk backdoor in 2019, the APT was discovered. However, no link could be found at the time.
CrossWalk And SideWalk
According to a current source, the new SideWalk backdoor is comparable to Winnti’s CrossWalk backdoor in numerous ways.
- Despite the differences in their programs, SideWalk and CrossWalk share architectural features like anti-tampering methods, threading models, data structure, and data management during execution.
- Both backdoors have a modular design since new plugins might increase their capabilities, based on characteristics.
- Motnug loader, a sort of shellcode loader, has been discovered in the campaigns of Crosswalk and SideWalk.
- Furthermore, both may steal user tokens and utilize them to interact with their Command and control servers to get proxy settings.
ESET researchers believe that SparklingGoblin APT is a subset of the Winnti gang that uses the SideWalk backdoor with moderate to high confidence.
SparklingGoblin’s Assault History
SparklingGoblin is a global campaign that targets a wide range of organizations. It has a variety of goals, although it is largely focused on the education community.
- Academic institutions in Hong Kong, Macau, and Taiwan, as well as a religious organization as well as an electronics firm in Taiwan, and government agencies in Southeast Asia, are among the targets.
- They have also attacked e-commerce companies in South Korea, educational institutions in Canada, media companies in Bahrain, India, and the United States, retail companies in the United States, Georgian municipal government, and unknown companies in Singapore and South Korea.
Final Notes
SparklingGoblin is a well-known threat group that targets a wide range of companies throughout the world. The Winnti gang might exploit these backdoors in the coming years now that linkages between SideWalk and CrossWalk have been created, thus security experts should be on the lookout. Meanwhile, security authorities must maintain a close watch on this risk in order to avoid future assaults.
