Chinese state-sponsored advanced persistent threat group SparklingGoblin has leveraged a Linux version of the SideWalk backdoor in its attack against a Hong Kong university in February 2021, according to The Hacker News
Numerous East and Southeast Asian entities, particularly those in the academic sector, have been targeted by SparklingGoblin, which was found to be associated with the Winnti group, also known as APT41, Earth Baku, Wicked Panda, and Barium,
since 2019, with the university impacted by the new SideWalk variant targeted since 2020, a report from ESET showed.
Researchers examining SideWalk Linux also discovered Specter RAT, which was an earlier iteration of SideWalk. While Specter RAT leveraged an old SparklingGoblin command-and-control address and the same ChaCha20 algorithm for configuration decryption as other tools, it was found to use C++, instead of C, and include modules for scheduled task execution and system data gathering.
"Since we have seen the Linux variant only once in our telemetry (deployed at a Hong Kong university in February 2021) one can consider the Linux variant to be less prevalent but we also have less visibility on Linux systems which could explain this. On the other hand, the Specter Linux variant is used against IP cameras and NVR and DVR devices (on which we have no visibility) and is mass spread by exploiting a vulnerability on such devices," said ESET researcher Mathieu Tartare.