SparklingGoblin New APT Targets Entities in North America

While following another line of investigation, security researchers ran into a new threat actor on the digital landscape. The new APT, or advanced persistent threat actor, has been named SparklingGoblin by researchers. Its activity was traced to attacks targeting institutions and businesses located in North America.

SparklingGoblin is a new APT but according to the observations and research conducted so far, it appears to be linked to a different known threat actor. The entity linked to SparklingGoblin is codified as APT41 and is known by several names, including Wicked Panda and Winnti Group. Researchers believe Winnti Group is a threat actor operating out of China, sponsored by the country's government.

The link between the two APTs was found primarily in the infiltration toolkit they both use. SparklingGoblin was found using a new backdoor that resembles a backdoor tool used in the past by Winnti Group.

The new instance of the malware used by SparklingGoblin is called SideWalk and there are a number of similarities between it and an older tool known to researchers called CrossWalk, used by Winnti Group in the past. This was one of the main indicators that the two APTs are linked, as well as the fact that they both use the Chinese language.

Researchers weren't looking for the new threat actor specifically. They were originally investigating the activity of Winnti Group, but came across a malware sample that tipped them off that this was a new entity. The sample was packaged just like Winnti Group's CrossWalk and behaved in a similar way, executing shellcode according to commands received from a command and control server.

However, there was one key difference. The SideWalk tool used by SparklingGoblin used a different variant of the PlugX malware, called Korplug by researchers. It was also able to use Google Docs cloud servers as a dead drop location for its payload.

Once deployed on a system, SideWalk uses process hollowing to inject its malicious code, which the backdoor has already decrypted. The SparklingGoblin gang operating the backdoor uses it to gather information from the systems it infiltrates, researchers stated. The targets located in North America so far have been Canadian schools and a US-based computer retailer.

August 26, 2021