ESET(Essential Security against Evolving Threats) researchers have recently discovered a new undocumented modular backdoor named “SideWalk” which being used by an APT group named SparklingGoblin. This backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA.
Since 2019, Winnti Group campaign targeting several Hong Kong universities. During that campaign the attackers mostly made use of the ShadowPad backdoor and the Winnti malware, but also the Spyder backdoor and a backdoor based on DarkShell (an open source RAT)
“SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.” reads the blogpost.
Researchers also observed that attack spans across various targets with particular focus to academic institutions such as:
- Academic sectors in Macao, Hong Kong and Taiwan
- A religious organization in Taiwan
- A computer and electronics manufacturer in Taiwan
- Government organizations in Southeast Asia
- An e-commerce platform in South Korea
- The education sector in Canada
- Media companies in India, Bahrain, and the USA
- A computer retail company based in the USA
- Local government in the country of Georgia
- Unidentified organizations in South Korea and Singapore
SideWalk is characterized as an encrypted shellcode, which is deployed via a .NET loader that takes care of “reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique.”
The next phase of the infection commences with SideWalk establishing communications with the C&C server, with the malware retrieving the encrypted IP address from a Google Docs document.
Indicators of Compromise:
| SHA-1 | Description | ESET detection name |
|---|---|---|
| 1077A3DC0D9CCFBB73BD9F2E6B72BC67ADDCF2AB | InstallUtil-based .NET loader used to decrypt and load SideWalk | MSIL/ShellcodeRunner.L.gen |
| 153B8E46458BD65A68A89D258997E314FEF72181 | ChaCha20-based shellcode loader used to decrypt and load the SideWalk shellcode | Win64/Agent.AQD |
| 829AADBDE42DF14CE8ED06AC02AD697A6C9798FE | SideWalk ChaCha20-encrypted shellcode | N/A |
| 9762BC1C4CB04FE8EAEEF50A4378A8D188D85360 | SideWalk decrypted shellcode | Win64/Agent.AQD |
| EA44E9FBDBE5906A7FC469A988D83587E8E4B20D | InstallUtil-based .NET loader used to decrypt and load Cobalt Strike | MSIL/ShellcodeRunner.O |
| AA5B5F24BDFB049EF51BBB6246CB56CEC89752BF | Cobalt Strike encrypted shellcode | N/A |
Network
update.facebookint.workers[.]dev
cdn.cloudfiare.workers[.]dev
104.21.49[.]220
80.85.155[.]80
193.38.54[.]110
Filenames
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\WebService
C:\windows\system32\tasks\Microsoft\Windows\Ras\RasTaskStart
iislog.tmp
mscorsecimpl.tlb
C_25749.NLS
Microsoft.WebService.targets
SSL certificate
| Serial number | 8E812FCAD3B3855DFD78980CEE0BEB71 |
| Fingerprint | D54AEB62D0102D0CC4B96CA9E5EAADE3846EC470 |
| Subject CN | CloudFlare Origin Certificate |
| Subject O | CloudFlare, Inc. |
| Subject L | San Francisco |
| Subject S | California |
| Subject C | US |
| Valid from | 2020-11-04 09:35:00 |
| Valid to | 2035-11-01 09:35:00 |
| X509v3 Subject Alternative Name | DNS:*.facebookint.com DNS:facebookint.com |
Source: ESET
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1
Posted by: Ramya Natarajan ,Currently pursuing M.Sc. Cyber forensics and Information security in University of Madras. I’m a dedicated and hard-working person with lots of interest in Information security field. My hobbies are updating myself in the field of information security, Surfing internet and reading books.
CyberWorkx 