A recently uncovered backdoor known as SideWalk has been identified as part of a targeted campaign by a Chinese cyber threat group against a U.S. computer retail company. The group, whose victims are otherwise concentrated in East and Southeast Asia, is known for persistent, well-resourced intrusions.
The Slovak cybersecurity firm ESET has attributed this malware to the advanced persistent threat (APT) group named SparklingGoblin, which is believed to have connections to the larger Winnti collective. ESET’s research highlights the similarities between SideWalk and an earlier backdoor, Crosswalk, which was also utilized by SparklingGoblin during a campaign in 2019.
ESET researchers Thibaut Passilly and Mathieu Tartare wrote in their report that “SideWalk is a modular backdoor capable of dynamically loading additional modules from its command-and-control (C&C) server.” Two infrastructure choices stand out: the malware uses a Google Docs document as a dead drop resolver (a legitimate, high-reputation service from which it reads its real C&C address), and it uses Cloudflare Workers as part of its C&C infrastructure, so both the lookup and the C&C traffic blend into ordinary traffic to popular cloud providers. It can also correctly handle communication from behind a proxy.
Since its emergence in 2019, SparklingGoblin has carried out numerous attacks, notably against academic institutions in Hong Kong, as well as against organizations in Bahrain, Canada, India, and the U.S. Its toolset has included the Spyder and ShadowPad backdoors, the latter now widely shared among Chinese threat actors.
SideWalk itself is an encrypted shellcode payload delivered by a .NET loader: the loader decrypts the shellcode stored on disk and injects it into a legitimate process using process hollowing. Once running, the backdoor first resolves its C&C server by fetching a Google Docs document (the dead drop) and decrypting the IP address embedded in it, then connects to that address.
The decrypted address, 80.85.155[.]80, hosts a C&C server presenting a self-signed TLS certificate issued for the domain facebookint[.]com, a domain Microsoft has linked to the BARIUM threat group, which overlaps with Winnti. The same IP address also serves as a fallback should the Google Docs lookup fail, meaning the operators can rotate the C&C address through the dead drop without losing access to already-infected hosts. SideWalk communicates with its C&C over HTTPS, through which it loads arbitrary plugins and collects information about running processes for exfiltration.
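The two paragraphs above give defenders three concrete network indicators: the C&C IP address, the self-signed certificate for facebookint[.]com, and the fact that the IP is only a fallback and can be rotated via the dead drop. The following is an added example (not ESET's code and not from the original article) showing how to match those indicators against Zeek-style ssl.log records; the log lines are constructed for illustration, the column subset is an assumption, and the only indicators used are the ones the article names. It matches on the certificate as well as the IP precisely because an operator who rotates the address through the Google Docs dead drop would defeat an IP-only rule.

```python
"""Match SideWalk C&C indicators against Zeek-style ssl.log records.

Added example, not ESET's tooling. Indicators come from the article:
C&C IP 80.85.155[.]80 and a self-signed certificate for facebookint[.]com.
The log records below are constructed; the column subset and order are an
assumption made for this example (Zeek's real ssl.log has more columns).
"""

# Indicators of compromise named in the article (defanged form expanded).
IOC_IPS = {"80.85.155.80"}
IOC_CERT_NAMES = {"facebookint.com"}

# Assumed column layout for the constructed, tab-separated records.
FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "server_name",
          "subject", "issuer", "validation_status")

# Constructed sample records. Record 1 is the dead-drop lookup itself, which
# is indistinguishable from normal Google traffic and must not fire. Record 4
# shows the same self-signed certificate on a different (rotated) address.
SAMPLE_SSL_LOG = """\
1629800000.1\t10.0.0.5\t142.250.72.14\t443\tdocs.google.com\tCN=*.google.com\tCN=GTS CA 1C3\tok
1629800001.7\t10.0.0.5\t80.85.155.80\t443\t-\tCN=facebookint.com\tCN=facebookint.com\tself signed certificate
1629800002.3\t10.0.0.9\t203.0.113.10\t443\tupdates.example.net\tCN=updates.example.net\tCN=R3\tok
1629800003.9\t10.0.0.7\t198.51.100.4\t8443\t-\tCN=facebookint.com\tCN=facebookint.com\tself signed certificate
"""


def parse_ssl_log(text):
    """Parse tab-separated records into dicts; skip comments and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def cert_cn(dn):
    """Return the lower-cased CN from a distinguished name like 'CN=x,O=y'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip().lower()
    return ""


def is_self_signed(rec):
    """Self-signed if subject equals issuer or the validator says so."""
    return (rec["subject"] == rec["issuer"]
            or "self signed" in rec["validation_status"].lower())


def match_sidewalk(rec):
    """Return the list of reasons a record matches the SideWalk indicators."""
    reasons = []
    if rec["resp_h"] in IOC_IPS:
        reasons.append("known SideWalk C&C IP")
    if cert_cn(rec["subject"]) in IOC_CERT_NAMES:
        reasons.append("certificate for BARIUM-linked domain facebookint.com")
        if is_self_signed(rec):
            reasons.append("self-signed")
    return reasons


def scan(text):
    """Scan a log body and return (orig_h, resp_h, resp_p, reasons) per hit."""
    alerts = []
    for rec in parse_ssl_log(text):
        reasons = match_sidewalk(rec)
        if reasons:
            alerts.append((rec["orig_h"], rec["resp_h"], rec["resp_p"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_SSL_LOG):
        print(alert)
```

Run against the constructed log, the scan flags the connection to the published C&C address and the connection to the rotated address that still presents the facebookint.com certificate, while the docs.google.com fetch that actually retrieved the C&C address stays silent. That silence is the practical caveat of dead drop resolvers: the lookup has to be caught on the host (the .NET loader and the hollowed process) rather than on the wire.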
The researchers assert that “SideWalk represents a previously undocumented backdoor utilized by SparklingGoblin APT, likely developed by the same team responsible for CROSSWALK, sharing many design elements and implementation frameworks.” For defenders, the tradecraft described here is the actionable part: a .NET loader that hollows a legitimate process, a C&C address resolved through Google Docs rather than hard-coded DNS, and C&C traffic routed through Cloudflare Workers, all of which are designed to look like ordinary traffic to reputable cloud services.
