Malware Aimed at Hong Kong University After Protests, Eset Researchers Say

Prajeet Nair (@prajeetspeaks) • September 15, 2022

A pro-democracy protester in Hong Kong on Jan. 19, 2020 (Image: Etan Liam/CC BY-ND 2.0)
Chinese state-backed cyber spies developed a Linux variant of a Windows backdoor to target a Hong Kong university in the months after Beijing squashed pro-democracy protests in the city.
The threat group, called SparklingGoblin by security researchers at Eset, deployed the custom-built implant in February 2021. It had targeted the same university during May of the previous year, while protestors still filled the streets.
“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations,” Eset says.
Eset calls the backdoor SideWalk in both its Windows and Linux variants. The malicious code is a multipurpose backdoor that loads modules sent from a command-and-control server by using Google Docs as a dead-drop resolver and Cloudflare Workers as its command-and-control servers.
The researchers could not confirm the initial infection vector for the Linux variant.
Before determining that the Linux version of the backdoor was in fact SideWalk, the researchers documented it as StageClient. After probing the code further, they determined that StageClient and the newly found sample are both the Linux variant of SideWalk. The Linux code, in turn, has “striking” functional similarities to the Windows version, including starting multiple operating system threads and assigning each a specific task, such as initiating a connection to the C2 server. Another similarity is that both use ChaCha20 to encrypt communications with the C2 server. Each uses a custom algorithm for an anti-tampering technique that compares hashes of values such as a checksum computed after initial execution or the names of DLLs the malware intends to add to the shellcode.
The researchers also found that the threat group had updated the backdoor for its Linux environment. The operators switched its code from the C language to C++ to better implement a modular architecture.
They also added the ability to exchange messages over HTTP, replaced downloadable plug-ins with precompiled modules and added new commands and modules.
SparklingGoblin is not the only group to use SideWalk. It shares some tactics, techniques and procedures with threat groups APT41 and BARIUM.
In 2021, Symantec found Grayfly, the espionage arm of APT41, using the same backdoor. The Chinese group targets telecom companies and other organizations in regions of the U.S., Taiwan, Vietnam and Mexico (see: China-Linked Grayfly Gang Spotted Using Sidewalk Backdoor).