Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

The SideWalk may be as dangerous as the CROSSWALK

August 25, 2021

Meet SparklingGoblin, a member of the Winnti family

ESET researchers have recently discovered a new, undocumented modular backdoor, SideWalk, being used by an APT group we have named SparklingGoblin; this backdoor was used during one of SparklingGoblin's recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.

SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, uses Google Docs as a dead drop resolver, and uses Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.

SparklingGoblin, a member of the Winnti family

In November 2019, we discovered a Winnti Group campaign targeting several Hong Kong universities that had started at the end of October 2019, and we published a blogpost about it. During that campaign the attackers mostly made use of the ShadowPad backdoor and the Winnti malware, but also the Spyder backdoor and a backdoor based on DarkShell (an open source RAT) that we named Doraemon.

Subsequent to that campaign, in May 2020 (as documented in our Q2 2020 Threat Report) we observed a new campaign targeting one of the universities that had previously been compromised by Winnti Group in October 2019, where the attackers used the CROSSWALK backdoor and a PlugX variant using Google Docs as a dead drop resolver. Even though that campaign exhibited links to Winnti Group, the modus operandi was quite different, and we started tracking it as a separate threat actor.

Following the Hong Kong university compromise, we observed multiple compromises against organizations around the world using similar toolsets and TTPs. Considering these particular TTPs, and to avoid adding to the general confusion around the "Winnti Group" label, we decided to document this cluster of activity as a new group, which we have named SparklingGoblin, and which we believe is related to Winnti Group while exhibiting some differences.


Since mid 2020, according to our telemetry, SparklingGoblin has been very active and remains so in 2021. Even though the group mostly targets East and Southeast Asia, we have seen SparklingGoblin targeting a broad range of organizations and verticals around the world, with a particular focus on the academic sector, but also including:

  • Academic sectors in Macao, Hong Kong and Taiwan
  • A religious organization in Taiwan
  • A computer and electronics manufacturer in Taiwan
  • Government organizations in Southeast Asia
  • An e-commerce platform in South Korea
  • The education sector in Canada
  • Media companies in India, Bahrain, and the USA
  • A computer retail company based in the USA
  • Local government in the country of Georgia
  • Unidentified organizations in South Korea and Singapore

Figure 1. Geographic distribution of SparklingGoblin targets


SideWalk staging is summarized in Figure 2. The SideWalk backdoor is ChaCha20-encrypted shellcode that is loaded from disk by SparklingGoblin's InstallUtil-based .NET loaders.

Figure 2. SideWalk staging mechanism

Also, as we will show below, the SideWalk backdoor shares multiple similarities with CROSSWALK, a modular backdoor attributed to APT41 by FireEye and publicly documented by Carbon Black.

First stage

SideWalk's shellcode is deployed encrypted on disk under the name Microsoft.WebService.targets and loaded using SparklingGoblin's InstallUtil-based .NET loader, obfuscated with a modified ConfuserEx, an open source protector for .NET applications that is frequently used by the group.

SparklingGoblin's .NET loaders persist via a scheduled task using one of the following filenames:

  • RasTaskStart
  • RasTaskManager
  • WebService

The scheduled task executes the loader using the InstallUtil.exe utility with the following command:

where InstallWebService.sql is the malicious .NET loader. When started with the /U flag, as here, the Uninstall method of the USCInstaller class in the UPrivate namespace of the .NET loader is called (see Figure 3).

Figure 3. Hierarchy of an InstallUtil-based loader

A deobfuscated version of the RunShellcode method called by the Uninstall method is shown in Figure 4.

Figure 4. .NET loader method called by the Uninstall method that decrypts and injects the shellcode.

As we can see, the loader is responsible for reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique. Note that the decryption algorithm used varies across samples.

Additionally, note that SparklingGoblin uses a variety of different shellcode loaders, such as the Motnug loader and ChaCha20-based loaders. Motnug is a fairly simple shellcode loader that is frequently used to load the CROSSWALK backdoor, while the ChaCha20-based loaders, as their name suggests, are used to decrypt and load shellcode encrypted with the ChaCha20 algorithm. The ChaCha20 implementation used in this loader is the same one used in the SideWalk backdoor described below. This implementation is counter based (CTR mode), using a 12-byte nonce and a 32-byte key with a counter value of 11, resulting in the following initial state:

| Offset | 0x00 | 0x04 | 0x08 | 0x12 |
|---|---|---|---|---|
| 0x00 | "expa" | "nd 3" | "2-by" | "te k" |
| 0x16 | Key | Key | Key | Key |
| 0x32 | Key | Key | Key | Key |
| 0x48 | 0x0000000B | Nonce | Nonce | Nonce |

The 0x0000000B counter value differs from the standard ChaCha20 implementation, where it is usually set to 0.

Note that these ChaCha20-based loaders were previously documented in a blogpost from Positive Technologies.

Similar to CROSSWALK, the SideWalk shellcode uses a main structure to store strings, variables, the Import Address Table (IAT), and its configuration data. This structure is then passed as an argument to all functions that need it. During SideWalk's initialization, first the strings are decrypted and added to the structure, then the part of the structure responsible for storing the IAT is populated, and finally SideWalk's configuration is decrypted.

Data and string pool decryption

At the very beginning of its execution, the data section at the end of the shellcode is decrypted using an XOR loop and this 16-byte key: B0 1D 1E 4B 68 76 FF 2E 49 16 EB 2B 74 4C BB 3A. This section, once decrypted, contains the strings that will be used by SideWalk, including:

  • registry keys
  • decryption keys
  • path to write files received from the C&C server
  • HTTP method to be used
  • HTTP request parameters
  • URLs used to retrieve the local proxy configuration
  • delimiters used to retrieve the encrypted IP address from the Google Docs document

The decrypted string pool is listed in Figure 5 below.

Figure 5. Decrypted configuration strings from SideWalk

Note that, similar to SideWalk, CROSSWALK also begins its execution by decrypting a string pool using an XOR loop and a 16-byte key.

Instruction decryption

After decrypting the data section at the end of the shellcode, SideWalk then proceeds to decrypt the rest of its instructions (starting at offset 0x528) using the same XOR loop with a different 16-byte key: 26 74 94 78 36 60 C1 0C 41 56 0E 60 B1 54 D7 31.


Once it has decrypted its data and code, SideWalk verifies its integrity by computing a 32-bit checksum, rotating the running value to the right by 13 bits at every 32-bit word, and comparing the resulting hash with a reference value corresponding to the untampered shellcode. If the hash differs from the reference value, it exits. This allows the shellcode to detect breakpoints or patches to its code and to avoid executing in such cases. The corresponding decompiled code is shown in Figure 6.

Figure 6. Decompiled code of SideWalk's anti-tampering procedure
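An analyst-side model of that check, as an added example (not ESET's or SideWalk's code): a running 32-bit value rotated right by 13 bits at every 32-bit word of the decrypted shellcode, compared against a stored reference. The exact operation order (add, then rotate) and the zero-padding of a trailing partial word are assumptions of this example, not details taken from the sample; the sample shellcode bytes are constructed.

```python
"""ROR13 word checksum over a shellcode blob, modelling the anti-tampering check (added example)."""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_checksum(blob):
    """Assumed form of the check: h = ror13(h + word) over little-endian 32-bit words."""
    # Assumption: a trailing partial word is padded with zero bytes.
    padded = blob + b"\x00" * (-len(blob) % 4)
    h = 0
    for (word,) in struct.iter_unpack("<I", padded):
        h = ror32((h + word) & MASK32, 13)
    return h


def integrity_ok(blob, reference):
    """Mirror the backdoor's decision: continue only if the checksum matches the reference."""
    return ror13_checksum(blob) == reference


# Constructed stand-in for decrypted shellcode (just bytes, not real code).
SAMPLE_SHELLCODE = bytes(range(256)) * 4


def demo_breakpoint_detected():
    """Show that one software breakpoint byte (0xCC) written into the code changes the checksum.

    Returns (untouched_passes, patched_passes); every step of the checksum is a bijection
    in the current word, so any single-byte patch is guaranteed to change the result."""
    reference = ror13_checksum(SAMPLE_SHELLCODE)
    patched = bytearray(SAMPLE_SHELLCODE)
    patched[100] = 0xCC  # int3 placed by a debugger
    return integrity_ok(SAMPLE_SHELLCODE, reference), integrity_ok(bytes(patched), reference)


if __name__ == "__main__":
    print(demo_breakpoint_detected())
```

For dynamic analysis this means hardware breakpoints or an emulator that leaves the code bytes intact, rather than software breakpoints, are the way to step through the decrypted shellcode.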


In addition to the string pool, the decoded data also contains the names of the DLLs to be loaded, as well as the hashes of the names of the functions to be imported. Contrary to CROSSWALK, where the string representation of the hashes is used, the hashes are stored directly in their raw binary representation. The corresponding part of the main structure, after import addresses have been resolved, is shown in Figure 7. The names of the DLLs to be loaded are highlighted in gray, the hashes of the Windows API function names to be imported are in red, and the addresses of the imported functions are in green.

Figure 7. SideWalk's IAT structure

SideWalk iterates over the exports of each of the DLLs listed in the decoded data, hashes them with a custom hashing algorithm and then compares them to the hashes of the function names to be imported. Once a match is found, the address of the matching function is added to the main structure.

Once the IAT is populated, SideWalk proceeds to decrypt its configuration. The configuration is encrypted using the ChaCha20 algorithm and the decryption key is part of the string pool mentioned above. The ChaCha20 implementation is the same one used by the ChaCha20-based loader. The decrypted configuration contains values used by SideWalk for proper operation, as well as the update.facebookint.workers[.]dev C&C server and the URL of the Google Docs document that is later used as a dead-drop resolver.

Note that the update.facebookint.workers[.]dev domain is a Cloudflare worker, which lets the malware operators customize the server while running on a widely used, public web service. During that campaign, SparklingGoblin also used a Cloudflare worker domain with Cobalt Strike: cdn.cloudfiare.workers[.]dev.

Network Activity

One feature of SideWalk is to check whether a proxy configuration is present before starting to communicate with the C&C server. To do so, it tries two methods:

  • A call to the API function WinHttpGetIEProxyConfigForCurrentUser, with predefined URLs contained in its configuration.
  • If SideWalk is able to adjust its privileges to SeDebugPrivilege, it tries to retrieve the proxy configuration from HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer. Otherwise, it tries to fetch it from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer.

If a proxy is found, SideWalk will use it to communicate with the C&C server. This behavior is very similar to the way proxies are handled by CROSSWALK.

SideWalk attempts to obtain the proxy configuration of the current user session by stealing the user token from explorer.exe (the process name to search for is in the configuration) and calling the Windows API WinHttpGetIEProxyConfigForCurrentUser.

Note that SideWalk has the required permissions to impersonate logged-on users because it is loaded by the InstallUtil-based .NET loader, which persists as a scheduled task and so runs under the SYSTEM account. Interestingly, the same procedure to get the explorer.exe token is described in this Chinese blog. The decompiled procedure is shown in Figure 8.

Figure 8. Decompiled code responsible for user impersonation before retrieving the proxy configuration

Request formats

The Google Docs page used by SideWalk as a dead-drop resolver is shown in the following screenshot (Figure 9); at the time of writing, it is still up. Note that anyone can edit this page.

Figure 9. Google Docs document used by SideWalk as dead-drop resolver

The string present on this page has the format depicted in Figure 10.

Figure 10. Format of the string hosted on the Google Docs document

This string consists of:

  • Delimiters used for proper parsing.
  • A payload and its size, consisting of a ChaCha20-encrypted IP address, the key to decrypt it, and, for an integrity check, the hash of the decryption key.
  • Additional strings that are currently unused.

To facilitate potential future use of that formatting, we have provided a script in our GitHub repository.

The decrypted IP address is 80.85.155[.]80. That C&C server uses a self-signed certificate for the facebookint[.]com domain. This domain has been attributed to BARIUM by Microsoft, which partially overlaps with what we define as Winnti Group. As this IP address is not the first one to be used by the malware, it is considered to be the fallback one.

The communication protocol used by SideWalk to communicate with its C&C server is HTTPS, and the format of the POST request headers sent to the C&C can be seen in Figure 11.

Figure 11. Example of a POST request used by SideWalk

Both the URL and the values of the gtsid and gtuvid parameters are randomly generated. The Host field is either the IP fetched from Google Docs or is set to update.facebookint.workers[.]dev. The data of the POST request is an encrypted payload. The format used by this request is the communication format used by SideWalk operators between the C&C server and infected machines, i.e., for requests and responses. The format of the POST request data is shown in Figure 12.

Figure 12. Format of the POST request data

Note that this format is used for both the request and the response, meaning that when SideWalk handles the data sent back from the C&C server, it parses it according to the same format. There is no particular similarity on the C&C server communication side between CROSSWALK and SideWalk.

In this format, the fields are:

  • hash: the hash of the data from 0x10 to total_size of the payload. The hash algorithm is a custom hash combining several MD5 calls on different parts of the hashed data.
  • size: the size is equal to total_size – 0x0D.
  • key1, key2: ChaCha20 keys used to encrypt the Header Buffer and the Data Buffer.
  • parameter buffer: optional buffer (may be 0…0).
  • victim ID: authentication information, which is the result of a custom hash of various machine information including the Machine GUID and computer name.
  • execution ID: before launching the threads, this ID is generated using CryptGenRandom. It is different for each execution.
  • command ID / response ID: the ID of the action that has been handled by the malware when it is a request from the malware to the C&C server, and the ID of the command to execute when it is a response from the C&C server to the malware.
  • counter: number of commands executed since the current SideWalk process started.
  • data: the ChaCha20-encrypted, compressed data fetched by the malware or sent by the C&C server.
  • compressed size: the size of the LZ4-compressed data.
  • data size: the uncompressed data size.

The Header Buffer and Data Buffer are encrypted using the corresponding keys. The first one holds the metadata identifying the compromised machine, and the second corresponds to the actual data shared between the C&C server and the malware. The details of these fields, shown in Figure 12, are visible once decrypted.


When we started analyzing SideWalk, its C&C server was already down, so some of the possible actions were not fully understandable without knowing the data sent by the C&C server; nevertheless, most of the capabilities of the malware are documented in the following table.

Table 1. C&C commands supported by SideWalk

| Command ID (C&C to malware) | Response ID (malware to C&C) | Description |
|---|---|---|
| 0x00 | None | Do nothing. |
| 0x7C | 0x79 | Load the plug-in (as shellcode) sent by the C&C server. |
| 0x82 | 0x83 | Collect information about running processes (owner SID, account name, process name, domain information). |
| 0x8E | 0x8F | Write the received data to the file located at %AllUsersProfile%\UTXP\nat\<filename>, where filename is a hash of the value returned by VirtualAlloc at each execution of the malware. |
| 0x64 | None | Call one of the plug-ins received from the C&C server. Each command calls them differently, using different arguments. In addition, the command 0x74 terminates all the threads. |
| 0x74 | None | Same as 0x64. |
| 0x78 | 0x79 or 0x7B | Same as 0x64. |
| 0x7E | None | Same as 0x64. |
| 0x80 | 0x81 | Same as 0x64. |
| default | None | Same as 0x64. |

Note: As we did not retrieve any plug-ins from the C&C server, it is difficult to assess SideWalk's full capabilities.

The CROSSWALK connection

Even though the SideWalk and CROSSWALK code is different, both families share multiple architectural similarities: a similar anti-tampering technique, threading model and data layout, and the same way of handling that data throughout execution. Feature-wise, both backdoors are modular and able to handle proxies to communicate properly with their C&C servers.

These similarities are described below and summarized in a table at the end of this section.

Considering all these similarities, we believe SideWalk and CROSSWALK were likely coded by the same developers.

The threading model is very similar between SideWalk and CROSSWALK. The authors split tasks between threads and use PostThreadMessage Windows API calls to communicate between them. For example, one thread is responsible for making a request and, once it gets the response, transfers it to the appropriate thread.

The programming style is also very similar; a functional approach is used. A data structure stores the configuration, strings, and imports, and is passed as an argument to all the functions that need it.

For example, here are a few function prototypes:

  • __int64 getMachineGuid(main_struct* main_struct, __int64 machineguid)
  • __int64 writeBufferToFile(main_struct* main_struct, __int64 buffer, unsigned int nbBytes)
  • __int64 recv(main_struct* main_struct, __int64 socket, unsigned int nbBytes, __int64 buffer)

Both SideWalk and CROSSWALK are modular backdoors that can load additional modules sent by the C&C server. SideWalk's module handling is implemented in a manner similar to CROSSWALK's. Some of the possible module operations are execution, installation, and uninstallation.

Like CROSSWALK, during its initialization SideWalk computes a 32-bit hash value of the shellcode at the very beginning of its execution using a ROR4 loop.

CROSSWALK and SideWalk gather similar artifacts, among them:

  • IP configuration
  • OS version
  • Username
  • Computer name
  • Filename
  • Current process ID
  • Current time

Proxy handling is the same in both CROSSWALK and SideWalk. Both use common, legitimate URLs and a WinHttpGetIEProxyConfigForCurrentUser Windows API call to retrieve the proxy configuration.

Data layout

SideWalk and CROSSWALK follow the same shellcode layout, with instructions followed by strings, the IAT, and encrypted configuration data.

Data handling

SideWalk and CROSSWALK each process the data at the end of the shellcode in the same way:

  • First, the data section is decrypted using a 16-byte XOR loop.
  • Then, function addresses are resolved from the name hashes stored in the data section and saved in the main structure (which points to the IAT in the data section).
  • Finally, the configuration that contains the C&C server address is decrypted (although the decryption algorithm used by SideWalk is different).

Table 2. Summary of the similarities between SideWalk and CROSSWALK

| Category | Feature | Similarities | Rarity |
|---|---|---|---|
| Architecture | Threading model | Multiple threads are used, each thread being responsible for specific actions: making requests; handling responses and processing commands | |
| Architecture | Programming style | A main data structure is used to store all the backdoor configuration, strings and imports, and is passed as an argument to all the functions that need it. | High |
| Architecture | Module handling | Installs, uninstalls, and executes modules in a similar manner to CROSSWALK. | High |
| Functionality | Gathered information | IP configuration; OS version; Username; Computer name; Filenames; Current process ID; Current time | |
| Networking | Similar proxy handling | | Medium |
| Anti-tampering | | A custom hash of the shellcode is computed and checked against a 32-bit reference value. | High |
| Configuration | Internal data handling | Similar 16-byte XOR key decryption; similar IAT resolution (similar hash/address pair structure); similar data processing order | |
| Data layout | | Similar data structure layout with: encrypted string pool; IAT; encrypted C&C configuration | |


SideWalk is a previously undocumented backdoor used by the SparklingGoblin APT group. It was likely produced by the same developers as those behind CROSSWALK, with which it shares many design structures and implementation details.

SparklingGoblin is a group with some level of connection to Winnti Group. It was very active in 2020 and the first half of 2021, compromising multiple organizations over a wide range of verticals around the world, with a particular focus on the academic sector and East Asia.

ESET Research is now offering a private APT intelligence report and data feed. For any inquiries about this new service, or research published on WLS, contact us at [email protected]

Indicators of Compromise (IoCs)

A comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.

Note that the SideWalk sample referenced below is not the one on which our analysis is based; the actual sample used during the compromise is the one discussed in detail in the text of this blogpost.

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 1077A3DC0D9CCFBB73BD9F2E6B72BC67ADDCF2AB | InstallUtil-based .NET loader used to decrypt and load SideWalk | MSIL/ShellcodeRunner.L.gen |
| 153B8E46458BD65A68A89D258997E314FEF72181 | ChaCha20-based shellcode loader used to decrypt and load the SideWalk shellcode | Win64/Agent.AQD |
| 829AADBDE42DF14CE8ED06AC02AD697A6C9798FE | SideWalk ChaCha20-encrypted shellcode | N/A |
| 9762BC1C4CB04FE8EAEEF50A4378A8D188D85360 | SideWalk decrypted shellcode | Win64/Agent.AQD |
| EA44E9FBDBE5906A7FC469A988D83587E8E4B20D | InstallUtil-based .NET loader used to decrypt and load Cobalt Strike | MSIL/ShellcodeRunner.O |
| AA5B5F24BDFB049EF51BBB6246CB56CEC89752BF | Cobalt Strike encrypted shellcode | N/A |

SSL certificate

| Field | Value |
|---|---|
| Serial number | 8E812FCAD3B3855DFD78980CEE0BEB71 |
| Fingerprint | D54AEB62D0102D0CC4B96CA9E5EAADE3846EC470 |
| Subject CN | CloudFlare Origin Certificate |
| Subject O | CloudFlare, Inc. |
| Subject L | San Francisco |
| Subject S | California |
| Subject C | US |
| Valid from | 2020-11-04 09:35:00 |
| Valid to | 2035-11-01 09:35:00 |
| X509v3 Subject Alternative Name | DNS:* |

MITRE ATT&CK techniques

This table was built using version 9 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | SparklingGoblin uses its own domains. |
| Resource Development | T1583.004 | Acquire Infrastructure: Server | SparklingGoblin uses servers hosted by various providers for its C&C servers. |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services | SparklingGoblin uses Cloudflare worker services as C&C servers. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | SparklingGoblin uses its own malware arsenal. |
| Resource Development | T1587.003 | Develop Capabilities: Digital Certificates | SparklingGoblin uses self-signed SSL certificates. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | SparklingGoblin's .NET shellcode loaders are executed by a scheduled task. |
| Persistence | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Some SparklingGoblin shellcode loaders persist by being installed at locations used for DLL search order hijacking. |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | SparklingGoblin's .NET shellcode loaders persist as scheduled tasks. |
| Privilege Escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | SideWalk uses token impersonation before performing HTTP requests. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Most shellcode used by SparklingGoblin is stored encrypted on disk. |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Some SparklingGoblin loaders use process hollowing to execute their shellcode. |
| Defense Evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | SparklingGoblin's .NET loaders are executed by InstallUtil. |
| Discovery | T1012 | Query Registry | SideWalk queries the registry to get the proxy configuration. |
| Discovery | T1082 | System Information Discovery | SideWalk and CROSSWALK collect various information about the compromised system. |
| Discovery | T1016 | System Network Configuration Discovery | SideWalk and CROSSWALK retrieve the local proxy configuration. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SideWalk and CROSSWALK use HTTPS to communicate with C&C servers. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SideWalk uses a modified ChaCha20 implementation to communicate with C&C servers. |
| Command and Control | T1008 | Fallback Channels | SideWalk uses a fallback IP address encrypted in a Google Docs document used as a dead-drop resolver. |
| Command and Control | T1090 | Proxy | SideWalk and CROSSWALK can communicate properly when a proxy is used on the victim's network. |
| Command and Control | T1102 | Web Service | SideWalk uses Cloudflare workers web services. |
| Command and Control | T1102.001 | Web Service: Dead Drop Resolver | SideWalk uses a Google Docs document as a dead-drop resolver. |
