<— Back

SparklingElf, recent supplies to SparklingGoblin’s Linux malware arsenal, new ties to APT41

StageClient is a configurable and modular Linux backdoor that we observed while investigating a targeted attack against a Hong Kong university in July 2021. Surprisingly, we discovered that the backdoor exhibits a huge functionality overlap with the Specter IoT botnet malware, a modular Linux RAT, that creates an indisputable link between the malware authors, meaning we can now say they come both from the same threat actor. More recently, we found strong connections between StageClient and SideWalk – a modular Windows backdoor belonging to SparklingGoblin, which is an APT group that partially overlaps with APT41 and BARIUM. By digging further, we found out that both StageClient and Specter are actually Linux variants of SideWalk. The targeting aligns with SparklingGoblin’s targeted verticals. Pivoting on the cryptographic artefacts of StageClient, we found multiple other samples, including a custom undocumented userland rootkit featuring several unique and interesting techniques. We consider all these tools to be part of SparklingGoblin’s arsenal. During this presentation, we will first present the connections between StageClient and Specter, by showing the common functionalities. Next, we will present the SparklingGoblin APT group to the audience, outlining the verticals and countries that this group targets, as well as their toolset and modus operandi. We will briefly describe some of the code similarities we found between StageClient and SideWalk, including encryption schemes, communication protocols, and victims fingerprinting. We will also sum up some of the differences we found, including available backdoor commands, versioning, and its defense evasion capabilities. In the third part of the presentation, we will describe the Linux rootkit we discovered. We will explain how the rootkit, that operates in userland, injects into processes and hides its files and network connections to achieve stealthiness. We will finish the presentation by a summing up of our findings, taking conclusions regarding the attribution matter.

Vladislav Hrčka

Vladislav Hrčka has been working as a Malware Researcher at ESET since 2017. His focus is on reverse engineering challenging malware samples and his research into sophisticated malware families resulted in several published articles and papers. Apart from that he dealt with some fascinating obfuscation techniques used in malware and developed tools that can overcome them during his career. He has presented results of his work at several well-known conferences such as Black Hat USA, REcon, SecTor, CodeBlue, BSidesMTL and AVAR. He is soon going to finish his master’s degree studies of Computer Science with a focus on cyber security at the Comenius University in Bratislava. Additionally, he teaches course Principles of Reverse Engineering at the local universities. In his spare time, he occasionally participate in various CTFs and enjoys sports, especially biking and swimming.