A China-linked state-sponsored hacking group has reportedly developed a Linux variant of SideWalk, a backdoor previously seen targeting Windows systems in the academic sector. The variant is believed to be part of a cyberespionage campaign by Earth Baku, an advanced persistent threat (APT) group with connections to APT41 that is also tracked as SparklingGoblin, and it is being used against entities based in the Indo-Pacific region.
The SideWalk Linux backdoor was first detected by security researchers in 2020. Initially tracked as StageClient, it was observed by the cybersecurity company ESET in May 2020 targeting the servers of a university in Hong Kong. The group targeted the same university again in February 2021.
"The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage students' schedules and course registrations," ESET stated in reports shared with The Hacker News.
In an analysis carried out by ESET, it was observed that StageClient and the Spectre botnet are both in fact Linux variants of SideWalk.
ESET also compared the Linux and Windows variants of SideWalk and found that the two share many similarities in their infrastructure and in the way they function, which led to the conclusion that the Linux sample is indeed a variant of SideWalk as well.
The first similarity linking the two to SideWalk is that both use the same encryption key to protect data sent from the infected device to the command-and-control (C&C) servers.
Second, both variants use the ChaCha20 encryption algorithm with "a counter with an initial value of 0x0B", a choice that is particular to SideWalk.
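To make the counter detail concrete, here is an added Python example (my own code, not code from the article or from ESET) implementing IETF ChaCha20 as specified in RFC 8439 (256-bit key, 96-bit nonce, 32-bit block counter) with a configurable initial counter. It shows why an analyst decrypting captured SideWalk traffic needs the non-default starting counter: keystream generated from counter 0 does not line up with keystream generated from 0x0B, so the plaintext only recovers when the analyst's counter matches the sender's. The key, nonce and message below are constructed values; SideWalk's real key, nonce handling and message framing are not given on the page and are not assumed here.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439 section 2.1), applied in place on the state list
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    # State layout: 4 constant words, 8 key words, 1 counter word, 3 nonce words
    state = list(struct.unpack("<4I", b"expand 32-byte k")
                 + struct.unpack("<8I", key)
                 + (counter & MASK32,)
                 + struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, initial_counter=0):
    """Encrypt or decrypt `data` (the same XOR operation) starting at `initial_counter`."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 64)):
        ks = chacha20_block(key, initial_counter + i, nonce)
        out.extend(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


# The SideWalk-specific detail from the article: the block counter starts at 0x0B, not 0.
SIDEWALK_INITIAL_COUNTER = 0x0B


def counter_mismatch_demo(key, nonce, plaintext):
    """Encrypt with the 0x0B starting counter, then decrypt once with the right
    counter and once with the RFC default of 0, so the two results can be compared."""
    ct = chacha20_xor(key, nonce, plaintext, SIDEWALK_INITIAL_COUNTER)
    return {
        "ciphertext": ct,
        "decrypt_with_0x0b": chacha20_xor(key, nonce, ct, SIDEWALK_INITIAL_COUNTER),
        "decrypt_with_default": chacha20_xor(key, nonce, ct, 0),
    }


if __name__ == "__main__":
    key = bytes(range(32))                                    # constructed, not SideWalk's key
    nonce = bytes.fromhex("000000000000004a00000000")         # constructed nonce
    msg = b"constructed C&C message: heartbeat"               # constructed sample payload
    r = counter_mismatch_demo(key, nonce, msg)
    print("counter 0x0B ->", r["decrypt_with_0x0b"])
    print("counter 0    ->", r["decrypt_with_default"])
```

Because ChaCha20 is a pure keystream XOR, a wrong starting counter does not raise an error; it silently yields garbage, which is why the starting value is worth recording alongside the key when documenting a sample's C&C protocol. The `chacha20_block` function can be checked against the RFC 8439 section 2.3.2 block test vector before trusting any decryption result.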
Lastly, on both Windows and Linux the malware uses the exact same five threads listed below, each programmed for a specific task:
[StageClient::ThreadNetworkReverse] – fetches proxy configurations for alternate connections to the command and control (C2) server.
[StageClient::ThreadHeartDetect] – closes the connection to the C2 server when no commands are received within the specified time.
[StageClient::ThreadPollingDriven] – sends heartbeat commands to the C2 server if there is no information to deliver.
[StageClient::ThreadBizMsgSend] – checks the message queues of all other threads for data to be sent and processes it.
[StageClient::ThreadBizMsgHandler] – checks for pending messages from the C2 server.
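As an added triage example (my own code, not from the article or from ESET), the following Python functions pull printable strings out of a file image the way the `strings` utility does and match them against the five StageClient thread names listed above. The sample blob is constructed inline as a stand-in for a Linux binary; the thread names are the only SideWalk-specific values, and the hit threshold used for the verdict is an assumption of this example. Packed or string-obfuscated samples would defeat this kind of check, so it is a quick first pass for an analyst, not a substitute for full analysis.

```python
import re

# Thread names reported for both the Windows and Linux SideWalk variants
SIDEWALK_THREAD_NAMES = (
    "StageClient::ThreadNetworkReverse",
    "StageClient::ThreadHeartDetect",
    "StageClient::ThreadPollingDriven",
    "StageClient::ThreadBizMsgSend",
    "StageClient::ThreadBizMsgHandler",
)

# Runs of at least four printable ASCII bytes, the same heuristic `strings` uses
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob):
    """Return the printable ASCII strings embedded in a byte blob."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def scan_for_sidewalk_threads(blob, min_hits=3):
    """Report which known thread names appear in blob and give a verdict.

    min_hits is an assumed threshold for this example, not a rule from ESET."""
    found = {}
    for s in extract_strings(blob):
        for name in SIDEWALK_THREAD_NAMES:
            if name in s:
                found[name] = blob.find(name.encode("ascii"))  # byte offset of the match
    return {
        "hits": found,
        "missing": [n for n in SIDEWALK_THREAD_NAMES if n not in found],
        "suspicious": len(found) >= min_hits,
    }


def build_sample(names, filler=b"\x00\x7fELF"):
    """Constructed stand-in for a binary image: junk bytes with names embedded."""
    body = bytearray(filler * 8)
    for n in names:
        body += n.encode("ascii") + b"\x00" + b"\x90" * 7
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample(SIDEWALK_THREAD_NAMES)   # constructed test image
    report = scan_for_sidewalk_threads(sample)
    for name, offset in report["hits"].items():
        print(f"{offset:#08x}  {name}")
    print("suspicious:", report["suspicious"], "missing:", report["missing"])
```

Reporting the byte offsets alongside the names lets the analyst jump straight to the surrounding code or data in a disassembler, and the `missing` list makes a partial match visible rather than hiding it behind a boolean verdict.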
Although SparklingGoblin mainly targets East and Southeast Asia, it has now gone global, hitting organizations outside those regions.