StageClient is a configurable and modular Linux backdoor that we observed while investigating a targeted attack against a Hong Kong university in July 2021. Surprisingly, we discovered that the backdoor exhibits a huge functionality overlap with the Specter IoT botnet malware, a modular Linux RAT, that creates an indisputable link between the malware authors, meaning we can now say they come both from the same threat actor. More recently, we found strong connections between StageClient and SideWalk – a modular Windows backdoor belonging to SparklingGoblin, which is an APT group that partially overlaps with APT41 and BARIUM. By digging further, we found out that both StageClient and Specter are actually Linux variants of SideWalk. The targeting aligns with SparklingGoblin’s targeted verticals. Pivoting on the cryptographic artefacts of StageClient, we found multiple other samples, including a custom undocumented userland rootkit featuring several unique and interesting techniques. We consider all these tools to be part of SparklingGoblin’s arsenal. During this presentation, we will first present the connections between StageClient and Specter, by showing the common functionalities. Next, we will present the SparklingGoblin APT group to the audience, outlining the verticals and countries that this group targets, as well as their toolset and modus operandi. We will briefly describe some of the code similarities we found between StageClient and SideWalk, including encryption schemes, communication protocols, and victims fingerprinting. We will also sum up some of the differences we found, including available backdoor commands, versioning, and its defense evasion capabilities. In the third part of the presentation, we will describe the Linux rootkit we discovered. We will explain how the rootkit, that operates in userland, injects into processes and hides its files and network connections to achieve stealthiness. We will finish the presentation by a summing up of our findings, taking conclusions regarding the attribution matter.

Thibaut Passilly is a Malware Researcher at ESET since 2020. Thibaut went to EPITA (École Pour l’Informatique et les Techniques Avancées) in the Paris area, and chose to major in cybersecurity, systems and networks. During his studies, he spent one year teaching programming classes to biotechnology students. Since he became passionate about computer science and especially security, Thibaut decided to make it his job after graduating in 2019. He began his security career as an intern in a threat intelligence team and then as a forensics tools developer, both in a major European cybersecurity company. Afterwards, he moved to Canada and joined ESET as a malware researcher in late 2020. Thibaut has previously spoken about APT attacks in Europe  in 2021 in an online presentation — in French — at the Paris ESD (ESET Security Days). Thibaut also contributes to WLS (WeLiveSecurity), ESET’s blog, where he has written about SparklingGoblin and their modular backdoor, SideWalk.

Vladislav Hrčka has been working as a malware analyst at ESET since 2017. Currently, as a part of the Experimental Research & Detection team. His focus is on reverse engineering challenging malware samples and his research into sophisticated malware families such as Stantinko or FontOnLake resulted in several articles and papers published on WeLiveSecurity. Fascinating obfuscation techniques used in malware motivated him to develop tools Stadeo and WslinkVMAnalyzer that can facilitate analysis of code obfuscated with such techniques. He has presented results of his work at the Black Hat USA, REcon and AVAR conferences. He’s currently studying Computer Science with a focus on cyber security at the Comenius University in Bratislava and going into his final year of master’s degree. Additionally, he teaches course Principles of Reverse Engineering at the Slovak University of Technology and the Comenius University. In his spare time, he occasionally participates in various CTFs and enjoys sports, especially biking and swimming.