
Cyber campaign by SparklingGoblin updates Linux version of SideWalk backdoor

Published on Sep 17, 2022

Using advanced Linux malware, researchers link the APT to an attack on a Hong Kong university.

New Linux versions of the SideWalk backdoor have been deployed against Hong Kong universities in persistent attacks that compromise multiple servers.

SparklingGoblin is an advanced persistent threat (APT) group that targets organizations mostly in East and Southeast Asia, concentrating on the academic sector, ESET researchers said in a blog post published Sept. 14.

The APT has also been linked to attacks on a variety of organizations and vertical industries around the world, and it uses the SideWalk and Crosswalk backdoors in its malware arsenal.

The attack on the Hong Kong university is the second time SparklingGoblin has targeted this institution; the first attack was in May 2020, during student protests. In February 2021, ESET researchers discovered that the Linux version of SideWalk had been installed on the university’s network, without identifying it as such at the time.

The latest attack appears to be part of a continuous campaign that may have begun with the exploitation of IP cameras and/or network video recorder (NVR) and DVR devices, either using the Specter botnet or through a vulnerable WordPress server found in the victim’s environment, researchers said.

Researchers said SparklingGoblin has continuously targeted this organization over a long period of time, successfully compromising a print server, an email server, and a server used to manage student schedules and course registrations.

Additionally, the Specter RAT, first identified by 360 Netlab researchers, appears to be a SideWalk Linux variant, as evidenced by multiple similarities with the sample identified by ESET researchers.
