Security News > 2022 > September > Linux variant of the SideWalk backdoor discovered

ESET researchers have discovered a Linux variant of the SideWalk backdoor, one of the multiple custom implants used by the SparklingGoblin APT group.

Commands with different or missing implementation in the Linux version of SideWalk.

"The SideWalk backdoor is exclusive to SparklingGoblin. In addition to the multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools, one of the SideWalk Linux samples uses a C&C address that SparklingGoblin previously used. Considering all of these factors, we attribute with high confidence SideWalk Linux to the SparklingGoblin APT group," explains Vladislav Hrčka, an ESET researcher who made the discovery along with Thibault Passilly and Mathieu Tartare.

SparklingGoblin first compromised the particular Hong Kong university in May 2020, and we first detected the Linux variant of SideWalk in that university's network in February 2021.

"Considering the numerous code overlaps between the samples, we believe that we found a Linux variant of SideWalk, which we dubbed SideWalk Linux. The similarities include the same customized ChaCha20, software architecture, configuration, and dead-drop resolver implementation," says Hrčka.

"The Windows variant of SideWalk goes to great lengths to conceal the objectives of its code. It trimmed out all unnecessary data and code for its execution and encrypted the rest. On the other hand, the Linux variants contain symbols and leave some unique authentication keys and other unencrypted artifacts, making the detection and analysis significantly easier," says Hrčka.

News URL

https://www.helpnetsecurity.com/2022/09/15/linux-variant-sidewalk-backdoor/