Skip links

ProxyLogon flaw, evil emails, SQL injections used to open backdoors on Windows boxes

ESET and TrendMicro have identified a novel and sophisticated backdoor tool that miscreants have slipped onto compromised Windows computers in companies mostly in Asia but also in North America.

As usual in the infosec world, the pair of security outfits can’t agree on a name for this remote-access module. ESET refers to the malware as SideWalk and to the group responsible as SparklingGoblin; TrendMicro prefers ScrambleCross and calls the threat actor Earth Baku, even as it acknowledges that the miscreants are better known as APT41.

TrendMicro’s researchers speculate that the design of the malware indicates that at least one member of the group is familiar with the tools and techniques of security red teams while the SideWalk/ScrambleCross backdoor suggests personnel with deep knowledge of low-level programming and advanced software development.

Regardless of the current composition of the threat group and the terminology involved, this is not the sort of malware you want to find on your network.

“SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command and control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server,” explain ESET researchers Thibaut Passilly and Mathieu Tartare, in a blog post. “It can also properly handle communication behind a proxy.”

According to Passilly and Tartare, SideWalk has been used against the academic sector in Macau, Hong Kong and Taiwan, the education sector in Canada, a religious organization and a computer maker in Taiwan, government organizations in Southeast Asia, and a computer retail firm in the US, among others.

SparkingGoblin/Earth Baku has been running the particular campaign since mid-2020 and continues to do so, according to Passilly and Tartare.

Trend Micro researchers Hara Hiroaki and Ted Lee peg the group’s current malware to July 2020 and point to its use of similar malware in a different but still ongoing campaign, dubbed LavagokLdr, that began in November 2018. ESET calls the LavagokLdr payload CrossWalk, which was analyzed in 2019 by VMware-acquired Carbon Black.

The SideWalk/ScrambleCross backdoor can be installed various ways, according to TrendMicro, such as injection of an SQL script into a system’s Microsoft SQL Server, exploitation of the Microsoft Exchange Server ProxyLogon vulnerability (CVE-2021-26855), a malicious email attachment, or use of the Windows InstallUtil.exe installer application to run a compromised scheduled task.

The backdoor module will set itself up, decrypt its instructions, verify its integrity as a defense against tampering, and connect with a Cloudflare Worker that serves as its C&C server and with a Google Docs page that functions as a dead-drop resolver – the page data contains an IP address pointing to the C&C server.

Once it’s up and running on a system, SideWalk/ScrambleCross allows its controllers to download other modules, gather information, run data stealing code, and impersonate logged in users, among other capabilities.

Concerned network admins and cybersecurity personnel may wish to consult the indicators of compromise to see whether such software exists on their systems. ®