Press Center

BRATISLAVA, MONTREAL — SEPT. 14, 2022 — ESET researchers have discovered a Linux variant of the SideWalk backdoor, one of the multiple custom implants used by the SparklingGoblin APT group. This variant was first deployed against a Hong Kong university in February 2021 — the same university that had already been targeted by SparklingGoblin during the student protests in May 2020. SparklingGoblin is an APT group with targets mostly in East and Southeast Asia, though ESET Research has seen SparklingGoblin targeting a broad range of organizations and verticals around the world, with a particular focus on the academic sector.

“The SideWalk backdoor is exclusive to SparklingGoblin. In addition to the multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools, one of the SideWalk Linux samples uses a C&C address that was previously used by SparklingGoblin. Considering all of these factors, we attribute with high confidence SideWalk Linux to the SparklingGoblin APT group,” explains Vladislav Hrčka, an ESET researcher who made the discovery along with Thibault Passilly and Mathieu Tartare.

SparklingGoblin first compromised the particular Hong Kong university in May 2020, and we first detected the Linux variant of SideWalk in that university’s network in February 2021. The group continuously targeted this organization over a long period of time, successfully compromising multiple servers, including a print server, an email server, and a server used to manage student schedules and course registrations. This time, it is a Linux variant of the original backdoor. This Linux version exhibits several similarities with its Windows counterpart, along with some technical novelties.

One particularity with SideWalk is the use of multiple threads to execute a single specific task. We noticed that in both variants there are exactly five threads executed simultaneously, with each of them having a specific task. Four commands are not implemented or are implemented differently in the Linux variant. “Considering the numerous code overlaps between the samples, we believe that we actually found a Linux variant of SideWalk, which we dubbed SideWalk Linux. The similarities include the same customized ChaCha20, software architecture, configuration, and dead-drop resolver implementation,” says Hrčka.

“The Windows variant of SideWalk goes to great lengths to conceal the objectives of its code. It trimmed out all data and code that was unnecessary for its execution and encrypted the rest. On the other hand, the Linux variants contain symbols and leave some unique authentication keys and other artifacts unencrypted, which makes the detection and analysis significantly easier,” concludes Hrčka.

For more technical information about SideWalk Linux, check out the blog post “You never walk alone: SideWalk backdoor gets a Linux variant” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

 

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.