25 August 21, 18:42
Quote:An emerging international cybergang is broadening its targets to include North American media firms, universities and one computer retailer. The advanced persistent threat (APT) group is new, according to researchers who dubbed it SparklingGoblin. Also new is a novel backdoor technique, called SideWalk, used by the APT to penetrate cybersecurity defenses.
SparklingGoblin, according to ESET researchers who named and discovered the crime group and backdoor, is an offshoot of another APT Winnti Group, first identified in 2013 by Kaspersky. ESET also said in a Tuesday report that the SideWalk backdoor is similar to one used by Winnti called Crosswalk.
Crosswalk and SideWalk, according the ESET, are both “modular backdoors used to exfiltrate system information and that can run shellcode sent by the C&C server.”
The group, which previously focused attacks on sectors in Macao, Hong Kong and Taiwan in 2020, is still active targeting victims via spearphishing campaigns that include a range of malicious payloads including PDFs (with LNK files), decoy Adobe Flash Players and booby-trapped JavaScript files. Researchers also theorize that initial compromises of victims may also include waterholes.
ESET said it first became aware of SparklingGoblin in May 2020 when tracking the Winnti APT. Researchers said that’s when they stumbled upon an unusual malware packer used to deliver malicious payloads to victims. An analysis of the malware inside the packer revealed “samples containing artifacts from both the Equation Group and Winnti Group,” researchers wrote in an analysis.
Read more: US Media, Retailers Targeted by New SparklingGoblin APT