SparklingGoblin APT Targeted Hong Kong University With New Linux Backdoor

A Linux variant of the SideWalk backdoor was used by the SparklingGoblin advanced persistent threat (APT) group to target a Hong Kong (HK) university in February 2021.

The news comes from cybersecurity researchers at Eset, who also said the same HK university was targeted by SparklingGoblin during student protest events in May 2020.

According to a blog post published by the firm earlier today, SparklingGoblin is an APT group that mostly targets East and Southeast Asia but has also been seen targeting several organizations and verticals worldwide, with a particular focus on the research and academic sector.

Eset said the group continuously targeted the university over a long period of time, successfully compromising multiple servers, including an email server, a print server, and a server used to manage student schedules and course registrations.

In the latest campaign spotted by the security researchers, SparklingGoblin reportedly used a Linux variant of the original backdoor. The Linux version is said to share much of its design with its Windows counterpart, along with some technical differences.

“The Windows variant of SideWalk goes to great lengths to conceal the objectives of its code. It trimmed out all data and code that was unnecessary for its execution and encrypted the rest,” explained Vladislav Hrčka, the Eset researcher who made the discovery together with Thibault Passilly and Mathieu Tartare.

“On the other hand, the Linux variants contain symbols and leave some unique authentication keys and other artifacts unencrypted, which makes the detection and analysis significantly easier,” Hrčka added.

The security researcher further explained that, in addition to the multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools, one of the SideWalk Linux samples was found using a command and control (C&C) address that SparklingGoblin had previously used.

“Considering the numerous code overlaps between the samples, we believe that we actually found a Linux variant of SideWalk, which we dubbed SideWalk Linux,” Hrčka said.

“The similarities include the same customized ChaCha20, software architecture, configuration, and dead-drop resolver implementation.”

A list of indicators of compromise and samples relating to SideWalk Linux and SparklingGoblin can be found in Eset’s GitHub repository.