Universities targeted by the criminal group

September 16, 2022

ESET Unveils New Linux Backdoor of SparklingGoblin APT Group Targeting a University in Hong Kong

ESET researchers have discovered a Linux variant of the SideWalk backdoor used by the SparklingGoblin APT group. SparklingGoblin mainly chooses its targets from East and Southeast Asia.

ESET Research has found that SparklingGoblin targets a wide range of organizations and industries around the world, with a particular focus on the education sector. According to the research data, the SideWalk backdoor was deployed against a university in Hong Kong in February 2021. The same university had previously been targeted by SparklingGoblin during the student protests in May 2020.

ESET researcher Vladislav Hrčka, who discovered this variant with Thibault Passilly and Mathieu Tartare, said: “The SideWalk backdoor is exclusive to SparklingGoblin. In addition to the multiple code similarities between SideWalk’s Linux variants and the various SparklingGoblin tools, one of the SideWalk Linux instances also has a C&C address previously used by SparklingGoblin. Given all these factors, we are convinced that SideWalk Linux is associated with the SparklingGoblin APT group.”

After SparklingGoblin compromised the aforementioned Hong Kong university in May 2020, the Linux variant of SideWalk was first spotted on that university’s network in February 2021. The group focused on this organization for a long time and managed to infiltrate multiple servers, including a print server, an email server, and a server used to manage student programs and course enrollments. SideWalk Linux is a Linux variant of the original backdoor; it shares several similarities with its Windows counterpart, along with some technical innovations.

A distinctive feature of SideWalk is its use of multiple threads to perform a single specific task. ESET noticed that in both variants exactly five threads run simultaneously, each with its own task. In the Linux variant, four of the commands are either not implemented or are implemented differently. The Windows variant of SideWalk does everything it can to hide the purpose of its code: it strips out all data and code unnecessary for execution and encrypts the rest. The Linux variants, on the other hand, contain symbols and leave some unique authentication keys and other structures unencrypted, which makes detection and analysis significantly easier.

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
