APT SparklingGoblin Attacks Higher Education Institutions Around The World


Cybersecurity experts at antivirus company ESET have discovered the SideWalk modular backdoor used by an APT group called SparklingGoblin. This backdoor has a lot in common with the CROSSWALK backdoor used by the group.


SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, use Google Docs as a dead drop resolver to activate the next stage of the attack, and use the Cloudflare Workers platform as its C&C server. It can also handle proxy communication correctly.
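To make the dead drop resolver pattern concrete for defenders, here is an added detection sketch; it is not ESET's code and not taken from the article. It scans constructed proxy log lines for a client that fetches a Google Docs URL and, shortly afterwards, talks to a host on the default Cloudflare Workers domain (`*.workers.dev`); the log format, the resolver and C2 host lists, and the five-minute window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the article): timestamp, client, method, URL.
SAMPLE_LOG = """\
2021-08-24T10:00:01Z 10.0.0.5 GET https://docs.google.com/document/d/EXAMPLE-DOC-ID/export?format=txt
2021-08-24T10:00:04Z 10.0.0.5 POST https://example-tenant.workers.dev/api
2021-08-24T10:00:09Z 10.0.0.5 POST https://example-tenant.workers.dev/api
2021-08-24T10:05:00Z 10.0.0.7 GET https://docs.google.com/document/d/OTHER-DOC/edit
2021-08-24T11:30:00Z 10.0.0.7 GET https://www.example.org/index.html
2021-08-24T12:00:00Z 10.0.0.9 POST https://another-tenant.workers.dev/beacon
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumed indicators: Google Docs as the dead drop resolver and the default
# Cloudflare Workers domain as the follow-on C2. Tune both to your environment.
RESOLVER_HOSTS = {"docs.google.com"}
C2_HOST_SUFFIXES = (".workers.dev",)


def parse_log(text):
    """Yield (time, client, host) tuples from the constructed proxy log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host


def find_dead_drop_sequences(text, window_seconds=300):
    """Return {client: [c2_hosts]} for clients that hit a resolver host and,
    within window_seconds, contacted an assumed C2 host (resolver-then-C2 pattern)."""
    window = timedelta(seconds=window_seconds)
    last_resolver_hit = {}          # client -> time of most recent resolver fetch
    flagged = defaultdict(list)
    for ts, client, host in parse_log(text):
        if host in RESOLVER_HOSTS:
            last_resolver_hit[client] = ts
        elif host.endswith(C2_HOST_SUFFIXES):
            seen = last_resolver_hit.get(client)
            if seen is not None and ts - seen <= window:
                flagged[client].append(host)
    return dict(flagged)


if __name__ == "__main__":
    for client, hosts in find_dead_drop_sequences(SAMPLE_LOG).items():
        print(f"{client}: resolver lookup followed by C2-like traffic to {sorted(set(hosts))}")
```

Only the resolver-then-C2 sequence is flagged, so a beacon to a Workers host with no preceding resolver fetch (client 10.0.0.9 above) is not caught; pair this with a rarity check on newly seen `*.workers.dev` hosts.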


The hacker group primarily targets the academic sector in East and Southeast Asia, but has also shown increased interest in the education sector in Canada, media companies in the US, and at least one unnamed computer company in the US.


It is not known which companies were attacked or when the hacks occurred. It is also unknown where the group is from; however, ESET noted that some of the APT's procedures were described in a Chinese-language blog, suggesting that it may be based in East Asia.


ESET classifies this group as an APT, a category of attackers that use "continuous, covert and sophisticated hacking methods to gain access to and stay inside a system for extended periods of time with potentially devastating consequences."
