A novel and sophisticated backdoor tool has been slipped by miscreants onto compromised Windows computers at companies, mostly in Asia but also in North America. As usual in the infosec world, the pair of security outfits that analysed it can't agree on a name for this remote-access module: ESET refers to the malware as SideWalk and to the group responsible as SparklingGoblin, while Trend Micro prefers ScrambleCross and calls the threat actor Earth Baku, even as it acknowledges that the miscreants are better known as APT41.
“SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command and control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.”
The SideWalk backdoor shares multiple similarities with CROSSWALK, which is a modular backdoor attributed to APT41.