Cybersecurity researchers at ESET have identified a new threat actor utilizing an undocumented backdoor to infiltrate organizations in the education, retail, and government sectors. The advanced persistent threat (APT) group is an emerging international cybercriminal gang that is broadening its targets to include universities, media firms, and one computer retailer in the US. The APT has been named SparklingGoblin by researchers. ESET researchers state that the APT is an offshoot of another previously uncovered threat, Winnti Group, which was first discovered in 2013 by Kaspersky. SparklingGoblin leverages a novel backdoor technique called SideWalk to penetrate cybersecurity defenses, according to ESET. The SideWalk backdoor is allegedly similar to one used by Winnti called Crosswalk. Both are modular backdoors that can run shellcode sent by the command-and-control server.
SparklingGoblin previously focused on attacks in Asia, including in Macao, Hong Kong, and Taiwan in 2020. The group is still active in the region, targeting victims via spearphishing campaigns that deliver a range of malicious payloads such as PDFs with LNK files, decoy Adobe Flash Players, and rigged JavaScript files. ESET reportedly became aware of SparklingGoblin in May 2020 while tracking Winnti Group. An initial investigation into SparklingGoblin found that its malware included samples of artifacts from both Winnti and Equation Group. Equation is linked to the US National Security Agency and was exposed by a group called ShadowBrokers in 2017.
Read More: US Media, Retailers Targeted by New SparklingGoblin APT