[BreachExchange] US Media, Retailers Targeted by New SparklingGoblin APT

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 26 08:27:34 EDT 2021 

https://threatpost.com/sparklinggoblin-apt/168928/

An emerging international cybergang is broadening its targets to include
North American media firms, universities and one computer retailer. The
advanced persistent threat (APT) group is new, according to researchers who
dubbed it SparklingGoblin. Also new is a novel backdoor technique, called
SideWalk, used by the APT to penetrate cybersecurity defenses.

SparklingGoblin, according to ESET researchers who named and discovered the
crime group and backdoor, is an offshoot of another APT Winnti Group, first
identified in 2013 by Kaspersky. ESET also said in a Tuesday report that
the SideWalk backdoor is similar to one used by Winnti called Crosswalk.

Crosswalk and SideWalk, according to the ESET, are both “modular backdoors
used to exfiltrate system information and that can run shellcode sent by
the C&C server.”

The group, which previously focused attacks on sectors in Macao, Hong Kong
and Taiwan in 2020, is still active targeting victims via spearphishing
campaigns that include a range of malicious payloads including PDFs (with
LNK files), decoy Adobe Flash Players and booby-trapped JavaScript files.
Researchers also theorize that initial compromises of victims may also
include waterholes.

Birth of an APT

ESET said it first became aware of SparklingGoblin in May 2020 when
tracking the Winnti APT. Researchers said that’s when they stumbled upon an
unusual malware packer used to deliver malicious payloads to victims. An
analysis of the malware inside the packer revealed “samples containing
artifacts from both the Equation Group and Winnti Group,” researchers wrote
in an analysis.

The Equation Group, linked to the U.S. National Security Agency, had many
of its secrets leaked online by a group called ShadowBrokers in 2017.

“The payload in these samples is an implant attributed to Equation. It is
known as PeddleCheap (A.K.A. DanderSpritz) according to the project names
seen in the Shadow Brokers leaks,” ESET researchers wrote.

ESET researchers said further analysis revealed the malware cocktail to be
related to Winnti, but distinctly different in other ways. “Even though
that campaign exhibited links to Winnti Group, the modus operandi was quite
different, and we started tracking it as a separate threat actor
(SparklingGoblin),” wrote ESET.

Those unique indicators included a version of Crosswalk that for the first
time leveraged a PlugX variant called Korplug in conjunction with using
Google Docs as a place to store malicious payloads – called a dead drop
resolver.

“Following the Hong Kong university compromise, we observed multiple
compromises against organizations around the world using similar toolsets
and TTPs. Considering those particular [tactics, techniques and procedures,
or TTP] and to avoid adding to the general confusion around the ‘Winnti
Group’ label, we decided to document this cluster of activity as a new
group, which we have named SparklingGoblin, and that we believe is
connected to Winnti Group while exhibiting some differences,” ESET wrote.

A New Modular Backdoor: SideWalk

Similar to modular backdoor Crosswalk and Winnti, SideWalk is ESET’s name
for SparklingGoblin’s backdoor.

“SideWalk is a modular backdoor that can dynamically load additional
modules sent from its C&C server, makes use of Google Docs as a dead drop
resolver, and Cloudflare workers as a C&C server. It can also properly
handle communication behind a proxy,” researchers said.

The SideWalk backdoor is ChaCha20-encrypted shellcode that is loaded from
disk by SparklingGoblin’s InstallUtil-based .NET loaders, notes
researchers. An InstallUtil (or Installuti.exe) is a Windows system tool
that detects and executes installer components.

“The loader is responsible for reading the encrypted shellcode from disk,
decrypting it and injecting it into a legitimate process using the process
hollowing technique,” researchers wrote.

Process hollowing is a method of executing arbitrary code in the address
space of a separate live process, according to a MITRE description of the
technique. The attack allows the adversary to run malicious code in the
context of a legitimate process.

ESET’s technical analysis covers the data and string pool decryption of the
payload via a deobfuscated version of the RunShellcode method called by the
Windows InstallUtil.exe utility.

Fresh Horizons for a New APT

In its initial campaigns, SparklingGoblin is believed to be after usernames
and IP addresses from a US computer retailer and Canadian schools. The
group has mostly targeted the academic sectors in East and Southeast Asia.

Data targeted by SparklingGoblin includes:

   - IP configuration
   - OS version
   - Username
   - Computer name
   - Filenames
   - Current process ID
   - Current time

Researchers are also unclear where the APT is based. ESET noted that there
are clues  that point to SparklingGoblin possibly operating out of eastern
Asia, based on Chinese language used by the threat actors.

“SparklingGoblin is a group with some level of connection to Winnti Group.
It was very active in 2020 and the first half of 2021, compromising
multiple organizations over a wide range of verticals around the world,”
researchers wrote.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210826/b3cc25ef/attachment.html>

More information about the BreachExchange mailing list