Malware for Windows SideWalk adapted for Linux

A Linux version of the SideWalk backdoor has been discovered, allegedly developed by the China-based state-sponsored group SparklingGoblin (also tracked as Earth Baku). SideWalk is a multipurpose backdoor that uses Cloudflare as its command-and-control (C2) server and Google Docs as a dead-drop resolver. It can also load new modules delivered by the C2 server.

Researchers found that SideWalk Linux had previously been used against numerous targets, but telemetry shows that the newly discovered variant was used against only one victim, a university in Hong Kong, in February 2021. Based on substantial similarities in functionality, infrastructure, and the symbols present in the StageClient binaries, Specter RAT is also a SideWalk Linux derivative. The overlaps include C2 commands, configuration structure, and encryption techniques. Notable deviations are the switch from C to C++, the ability to send and receive messages over HTTP, and new components.

Striking similarities with the Windows version were found in the ChaCha20 encryption, the software architecture, and the configuration, as well as in the same payload delivered through the dead-drop resolver string stored in a Google Docs file. Although the Linux variant's modules are built in, they cannot be obtained from the C2 server. The Linux variant leaves some authentication keys and other artifacts unprotected, which eases identification and analysis, whereas the Windows variant employs a variety of evasion methods. SparklingGoblin is able to build malware tailored to its purposes, but the group also has access to implants seen in attacks linked to other Chinese hacker groups.

Recommendation

Scan your network for the indicators of compromise listed in the source below and block them.

Sources

https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/

Related

SharkBot Malware Returned to Google Play Store

Symbiote Malware infects all running processes on Linux Systems