A computer retail company based in the U.S. was the target of a previously undiscovered implant called SideWalk. SideWalk is a modular backdoor that can dynamically load additional modules sent from its command-and-control server. It then makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a command-and-control server. This malware was attributed to an advanced persistent threat it attacks under the moniker SparklingGoblin, an adversary believed to be connected to the Winnti umbrella group. This is due to its similarities to another backdoor dubbed Crosswalk that was used by the same threat actor in 2019.
Over the past year, the collective has hit a broad range of organizations and verticals around the world, with a particular focus on the academic institutions located in Bahrain, Canada, Georgia, India, Macao, Singapore, South Korea, Taiwan, and the U.S. Other targeted entities include media companies, religious organizations, e-commerce platforms, computer and electronics manufacturers, and local governments.
SideWalk is characterized as an encrypted shellcode, deployed via a .NET loader that takes care of “reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique.” The next phase of the infection commences with SideWalk establishing communications with the command-and-control server, with the malware retrieving the encrypted IP address from a Google Docs document.
The decrypted IP address is 80.85.155[.]80. That command-and-control server uses a self-signed certificate for the facebookint[.]com domain. This domain has been attributed to BARIUM by Microsoft, which partially overlaps with what we define as Winnti Group. As this IP address is not the first one to be used by the malware, it is considered to be the fallback one. Besides using HTTPS protocol for command-and-control communications, SideWalk is designed to load arbitrary plugins sent from the server, amass information about running processes, and exfiltrate the results back to the remote server.