Chinese state hackers create Linux variant for SideWalk backdoor

State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector.

The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group.

Targeting academic sector

The SideWalk Linux backdoor has been observed in the past, initially being tracked as StageClient by security researchers at cybersecurity company ESET.

An early variant of the malware was spotted by researchers at 360 Netlab, the threat intelligence team at Chinese internet security company Qihoo 360, and detailed two years ago in a blog post about the Specter botnet hitting IP cameras.

After analyzing Specter and StageClient, ESET researchers determined that both malware pieces have the same root and are Linux variants of SideWalk.

In 2021, researchers at Trend Micro documented new tools from a cyberespionage campaign attributed to APT41/Earth Baku, including the SideWalk backdoor, which they track as ScrambleCross.

ESET notes in a report today that while SideWalk Linux has been used against multiple targets in the past, their telemetry data shows that the variant they discovered was deployed against only one victim in February 2021, a university in Hong Kong.

SparklingGoblin focused on the same target in the past, compromising the same university in May 2020, during the students' protests.

“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations” – ESET

Although SparklingGoblin mostly attacks targets in East and Southeast Asia, the group has also been hitting organizations outside these regions, with its focus on the academic sector.

SideWalk for Windows ready for Linux

Looking at the SideWalk variants for Linux and Windows, ESET noticed “striking” similarities in the way they function, the implementation of multiple components, and the payloads dropped on the compromised system.

The researchers say that both variants implemented the ChaCha20 encryption algorithm to “use a counter with an initial value of 0x0B,” something that is particular to SideWalk.

On both Windows and Linux, the malware uses the same five threads, executed simultaneously, for specific tasks:

  • [StageClient::ThreadNetworkReverse] – fetching proxy configurations for alternate connections to the command and control (C2) server
  • [StageClient::ThreadHeartDetect] – close connection to C2 server when commands are not received in the specified time
  • [StageClient::ThreadPollingDriven] – send heartbeat commands to C2 server if there is no info to deliver
  • [StageClient::ThreadBizMsgSend] – check for data to be sent in message queues for all other threads and process it
  • [StageClient::ThreadBizMsgHandler] – check for pending messages from the C2 server

ESET researchers also found that both Linux and Windows variants for SideWalk had the same payload delivered through the dead-drop resolver string hosted in a Google Docs file.


String hosted in Google Docs for SideWalk to fetch its payload (source: ESET)

Another piece of evidence connecting the two SideWalk variants to the same threat actor was that they both used the same encryption key to transport data from the infected machine to the C2 server.

SparklingGoblin has the capability to develop malware adapted to its needs, as evidenced by the SideWalk Linux variant. However, the group also has access to implants observed in operations attributed to other Chinese hacking groups.

ESET researchers say that SparklingGoblin has access to the ShadowPad backdoor and Winnti malware.
