Researchers at ESET identified a Linux variant of the SideWalk backdoor used by SparklingGoblin against a Hong Kong university in February 2021, and found close ties to Specter RAT and Windows SideWalk variants. The campaign reveals shared C2 infrastructure, ChaCha20-based encryption, and similar network and modular architectures across Linux and Windows forms. #SideWalkLinux #SparklingGoblin #SpecterRAT #HongKongUniversity #StageClient
Key points
- Discovery: ESET uncovered a Linux variant of SideWalk (SideWalk Linux) linked to SparklingGoblin; Specter RAT is another Linux variant with major overlaps.
- Attribution: SideWalk Linux is attributed to SparklingGoblin with high confidence; one C2 address (66.42.103[.]222) was previously used by SparklingGoblin.
- Victimology: Only one public victim is known—a Hong Kong university targeted since 2020, with multiple key servers compromised (print server, email server, student scheduling system).
- Technical overlap: SideWalk Linux shares ChaCha20-based encryption, Google Docs dead-drop resolver, Cloudflare-based C2, and multi-threaded architecture with its Windows counterpart and Specter.
- Linux-specific notes: SideWalk Linux ships its modules built in (e.g., SysInfoMgr, TaskSchedulerMod) and uses HTTP-based messaging, whereas the Windows variant fetches plugins from the C&C server.
- Decryption and configuration: ChaCha20-based decryption with an integrity check; configuration layout and network protocol mirror the Windows variant in many aspects.
- MITRE-aligned behaviors: network discovery, encrypted C2, and application-layer protocols are evident in the Linux variant, reinforcing attribution to SparklingGoblin.
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – ‘SparklingGoblin uses its own malware arsenal.’
- [T1016] System Network Configuration Discovery – ‘SideWalk Linux has the ability to find the network configuration of the compromised machine, including the proxy configuration.’
- [T1071.001] Application Layer Protocol: Web Protocols – ‘SideWalk Linux communicates via HTTPS with the C&C server.’
- [T1573.001] Encrypted Channel: Symmetric Cryptography – ‘SideWalk Linux uses ChaCha20 to encrypt communication data.’
Indicators of Compromise
- [SHA-1] SideWalk Linux (StageClient variant) – FA6A40D3FC5CD4D975A01E298179A0B36AA02D4E, and 2 more hashes
- [Filename] – ssh_tunnel1_0 – Linux/SideWalk.L, and hw_ex_watchdog.exe – Linux/SideWalk.B
- [Domain] rec.micosoft[.]ga – SideWalk C&C server (StageClient variant)
- [IP] 172.67.8[.]59 – SideWalk C&C server (StageClient variant)
- [IP] 66.42.103[.]222 – SideWalk C&C server (Specter variant, first seen 2020-09-25)
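The indicators above are published defanged; a defender still has to turn them into a check that runs over real telemetry. The following Python is an added example (not ESET's code and not part of the original write-up): it refangs the page's own IoCs, compiles each one with boundary rules so that a longer address or hash does not produce a false substring match, and scans a handful of constructed log lines. The log lines and the field layout are invented for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Indicators copied from this page's IoC list, kept defanged as published.
IOCS = {
    "domain": ["rec.micosoft[.]ga"],
    "ip": ["172.67.8[.]59", "66.42.103[.]222"],
    "sha1": ["FA6A40D3FC5CD4D975A01E298179A0B36AA02D4E"],
    "filename": ["ssh_tunnel1_0", "hw_ex_watchdog.exe"],
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]') back to the form seen in logs."""
    return indicator.replace("[.]", ".")


def _compile(kind: str, value: str) -> re.Pattern:
    esc = re.escape(refang(value))
    if kind == "domain":
        # A subdomain of the C&C domain still counts; trailing label characters do not.
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.IGNORECASE)
    # IPs, hashes and filenames must stand alone: 166.42.103.222 is not 66.42.103.222.
    return re.compile(r"(?<![\w.])" + esc + r"(?!\w)", re.IGNORECASE)


PATTERNS = [
    (kind, value, _compile(kind, value))
    for kind, values in IOCS.items()
    for value in values
]


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_kind, defanged_indicator) for every match."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, value, pat in PATTERNS:
            if pat.search(line):
                hits.append((n, kind, value))
    return hits


# Constructed sample log lines (not real telemetry). Line 3 is a near-miss that
# a naive substring search would flag; line 4 matches two indicators at once.
SAMPLE_LOG = [
    "2021-02-10T08:12:01Z proxy CONNECT rec.micosoft.ga:443 client=10.0.5.21",
    "2021-02-10T08:12:02Z fw ALLOW 10.0.5.21 -> 172.67.8.59:443 tcp",
    "2021-02-10T08:13:10Z fw ALLOW 10.0.5.22 -> 166.42.103.222:443 tcp",
    "2021-02-10T08:15:33Z edr file=/tmp/ssh_tunnel1_0 sha1=fa6a40d3fc5cd4d975a01e298179a0b36aa02d4e",
    "2021-02-10T08:16:00Z dns query=example.com type=A",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} match for {value}")
```

Because the page notes that the StageClient C&C sits behind Cloudflare, a hit on 172.67.8[.]59 alone is weak evidence (the address is shared infrastructure); treat it as a lead to corroborate with the domain, the SHA-1 or the filename rather than as a conviction on its own.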
Read more: https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/