
A New Backdoor Program Targeting US-Based Businesses

ESET (Essential Security against Evolving Threats) researchers have recently discovered a new, undocumented modular backdoor named “SideWalk”, which is being used by an APT group named SparklingGoblin. The backdoor was used in one of SparklingGoblin’s recent campaigns, which targeted a computer retail company based in the USA.

Since 2019, a Winnti Group campaign has been targeting several Hong Kong universities. During that campaign the attackers mostly made use of the ShadowPad backdoor and the Winnti malware, but also the Spyder backdoor and a backdoor based on DarkShell (an open-source RAT).

“SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.” reads the blog post.

Researchers also observed that the group’s attacks span a range of targets, with a particular focus on academic institutions, such as:

  • Academic sectors in Macao, Hong Kong and Taiwan
  • A religious organization in Taiwan
  • A computer and electronics manufacturer in Taiwan
  • Government organizations in Southeast Asia
  • An e-commerce platform in South Korea
  • The education sector in Canada
  • Media companies in India, Bahrain, and the USA
  • A computer retail company based in the USA
  • Local government in the country of Georgia
  • Unidentified organizations in South Korea and Singapore

SideWalk is characterized as an encrypted shellcode, which is deployed via a .NET loader that takes care of “reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique.”

The next phase of the infection commences with SideWalk establishing communications with the C&C server, with the malware retrieving the encrypted IP address from a Google Docs document.

Indicators of Compromise:

SHA-1 | Description | ESET detection name
1077A3DC0D9CCFBB73BD9F2E6B72BC67ADDCF2AB | InstallUtil-based .NET loader used to decrypt and load SideWalk | MSIL/ShellcodeRunner.L.gen
153B8E46458BD65A68A89D258997E314FEF72181 | ChaCha20-based shellcode loader used to decrypt and load the SideWalk shellcode | Win64/Agent.AQD
829AADBDE42DF14CE8ED06AC02AD697A6C9798FE | SideWalk ChaCha20-encrypted shellcode | N/A
9762BC1C4CB04FE8EAEEF50A4378A8D188D85360 | SideWalk decrypted shellcode | Win64/Agent.AQD
EA44E9FBDBE5906A7FC469A988D83587E8E4B20D | InstallUtil-based .NET loader used to decrypt and load Cobalt Strike | MSIL/ShellcodeRunner.O
AA5B5F24BDFB049EF51BBB6246CB56CEC89752BF | Cobalt Strike encrypted shellcode | N/A

Network

update.facebookint.workers[.]dev
cdn.cloudfiare.workers[.]dev
104.21.49[.]220
80.85.155[.]80
193.38.54[.]110
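As an added detection example (not part of the ESET report or this post), the network indicators above can be refanged and matched against proxy logs, alongside the C&C pattern described earlier: Cloudflare Workers hosts used as C&C and Google Docs used as a dead drop resolver. The log format, process names and sample lines are constructed for illustration.

```python
import re
# Network indicators as published on this page, in defanged form.
DEFANGED_IOCS = [
    "update.facebookint.workers[.]dev",
    "cdn.cloudfiare.workers[.]dev",
    "104.21.49[.]220",
    "80.85.155[.]80",
    "193.38.54[.]110",
]

def refang(indicator: str) -> str:
    # Published indicators use "[.]" so they cannot be clicked; restore them.
    return indicator.replace("[.]", ".").lower()
KNOWN_BAD = {refang(i) for i in DEFANGED_IOCS}

# Infrastructure patterns the page describes (Cloudflare Workers as C&C,
# Google Docs as dead drop). Legitimate traffic to both is common, so these
# are triage heuristics, not confirmed indicators.
SUSPECT_PATTERNS = [
    (re.compile(r"(^|\.)workers\.dev$"), "cloudflare-workers-host"),
    (re.compile(r"^docs\.google\.com$"), "google-docs-dead-drop"),
]
# Constructed, hypothetical proxy log format: "<ts> <src_ip> <process> <dst> <port>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify(line: str):
    # Returns (label, process, destination) for a suspicious line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    proc, host = m.group(3), m.group(4).lower()
    if host in KNOWN_BAD:
        return ("ioc-match", proc, host)
    for pattern, label in SUSPECT_PATTERNS:
        if pattern.search(host):
            return (label, proc, host)
    return None

def scan(lines):
    # The process name is context only: SideWalk runs inside a hollowed
    # legitimate process, so a trusted-looking name must not suppress a hit.
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample log lines (not from the page or any real environment).
SAMPLE_LOG = [
    "2021-08-24T10:00:01Z 10.0.0.12 chrome.exe www.example.com 443",
    "2021-08-24T10:00:05Z 10.0.0.12 svchost.exe docs.google.com 443",
    "2021-08-24T10:00:09Z 10.0.0.12 svchost.exe update.facebookint.workers.dev 443",
    "2021-08-24T10:01:30Z 10.0.0.15 outlook.exe 80.85.155.80 443",
    "2021-08-24T10:02:00Z 10.0.0.20 code.exe my-app.example.workers.dev 443",
]
```

Running scan(SAMPLE_LOG) yields two exact indicator matches and two heuristic hits for triage; the clean chrome.exe line produces nothing.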

Filenames

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\WebService
C:\windows\system32\tasks\Microsoft\Windows\Ras\RasTaskStart
iislog.tmp
mscorsecimpl.tlb
C_25749.NLS
Microsoft.WebService.targets

SSL certificate

Serial number: 8E812FCAD3B3855DFD78980CEE0BEB71
Fingerprint: D54AEB62D0102D0CC4B96CA9E5EAADE3846EC470
Subject CN: CloudFlare Origin Certificate
Subject O: CloudFlare, Inc.
Subject L: San Francisco
Subject S: California
Subject C: US
Valid from: 2020-11-04 09:35:00
Valid to: 2035-11-01 09:35:00
X509v3 Subject Alternative Name: DNS:*.facebookint.com, DNS:facebookint.com

Source: ESET

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.

Posted by: Ramya Natarajan, currently pursuing an M.Sc. in Cyber Forensics and Information Security at the University of Madras. I’m a dedicated and hard-working person with lots of interest in the information security field. My hobbies are keeping myself updated in the field of information security, surfing the internet and reading books.
