A Chinese APT group, dubbed SparklingGoblin by the cybersecurity firm ESET, has targeted a computer retail company in the United States. The backdoor used by the group goes by the name SideWalk, and it shares many similarities with another backdoor used by the same group, called Crosswalk. “SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server,” stated researchers Thibaut Passilly and Mathieu Tartare from ESET. When the backdoor is deployed successfully, it looks something like this:
According to ESET, SparklingGoblin is believed to be connected to the Winnti threat group. A US-based computer retailer is not a typical target for the group, which has previously targeted academic institutions, media companies, religious organizations, e-commerce platforms, computer and electronics manufacturers, and local governments. As the group expands its tactics, its range of targets will likely expand as well.
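The two C&C tricks ESET describes above, a dead drop resolver and a Cloudflare Workers C&C, are worth seeing in code from both sides. The example below is an added illustration and is not ESET's code or anything recovered from SideWalk: the marker format, the document body and the proxy log lines are all constructed here, and the detection heuristic is an assumption about what such traffic would look like in an organisation's web proxy logs, not an indicator published for this campaign. It shows (1) what a dead drop resolver does, namely pull a public document and decode the real C&C address hidden in it, and (2) a hunting heuristic that flags a client which contacts the dead drop host and then a `*.workers.dev` host shortly afterwards.

```python
"""Added example (not ESET's or SideWalk's code): a generic dead drop
resolver and a detection heuristic run over constructed proxy log lines.

Assumptions, all hypothetical and not taken from the SideWalk analysis:
- the dead drop is a public document whose body contains the real C&C
  URL, base64-encoded and wrapped in [[ ... ]] markers;
- the C&C itself is hosted on a *.workers.dev name;
- proxy logs are single lines of the form "timestamp client_ip host path".
"""
import base64
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# --- malware side: dead drop resolver (MITRE ATT&CK T1102.001) -------------

# Hypothetical marker format; each real family uses its own encoding.
DEAD_DROP_RE = re.compile(r"\[\[(?P<blob>[A-Za-z0-9+/=]+)\]\]")


def resolve_dead_drop(document_text: str) -> Optional[str]:
    """Extract the hidden C&C URL from the body of a public document."""
    m = DEAD_DROP_RE.search(document_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("blob"), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: resolver gives up rather than crashing


# Constructed sample document: innocuous text plus the encoded C&C address.
_HIDDEN_C2 = b"https://example-worker.workers.dev/api"
SAMPLE_DOC = (
    "Quarterly planning notes.\n"
    "Lorem ipsum dolor sit amet.\n"
    f"[[{base64.b64encode(_HIDDEN_C2).decode()}]]\n"
)

# --- defender side: hunt for dead-drop-then-C&C sequences -----------------

DEAD_DROP_HOSTS = {"docs.google.com"}
C2_SUFFIXES = (".workers.dev",)
WINDOW = timedelta(minutes=5)

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(lines: Iterable[str]):
    """Yield (timestamp, client_ip, host, path) from the assumed log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, ip, host, path = m.groups()
        yield datetime.fromisoformat(ts), ip, host, path


def find_dead_drop_sequences(lines: Iterable[str],
                             window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Return (client_ip, c2_host) pairs where a client contacted a dead drop
    host and then a *.workers.dev host within `window`. Logs are assumed to
    be in chronological order."""
    last_dead_drop = {}
    hits = []
    for ts, ip, host, _path in parse_log(lines):
        if host in DEAD_DROP_HOSTS:
            last_dead_drop[ip] = ts
        elif host.endswith(C2_SUFFIXES):
            seen = last_dead_drop.get(ip)
            if seen is not None and ts - seen <= window:
                hits.append((ip, host))
    return hits


# Constructed proxy log lines (not real traffic). Only 10.0.0.5 shows the
# dead-drop-then-C&C pattern inside the five-minute window.
SAMPLE_LOGS = [
    "2021-08-24T10:00:01 10.0.0.5 docs.google.com /document/d/abc/export?format=txt",
    "2021-08-24T10:00:03 10.0.0.5 example-worker.workers.dev /api",
    "2021-08-24T10:05:00 10.0.0.7 docs.google.com /document/d/xyz/edit",
    "2021-08-24T10:10:00 10.0.0.9 update.example.com /check",
    "2021-08-24T11:30:00 10.0.0.7 other.workers.dev /",  # outside the window
]

if __name__ == "__main__":
    print("resolved C&C:", resolve_dead_drop(SAMPLE_DOC))
    print("suspicious sequences:", find_dead_drop_sequences(SAMPLE_LOGS))
```

The point of the resolver is that the malware never has to carry its C&C address: blocking the address found in a sample does nothing, because the operator simply edits the document. The detection heuristic is correspondingly a hunting lead, not an alert on its own: `docs.google.com` is legitimate traffic almost everywhere, so the signal is the short-interval pairing with a workers.dev host that the organisation has no business reason to contact, and the window and host lists would need tuning against local baselines.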