The SideWalk new backdoor is as dangerous as the crosswalk

The SideWalk backdoor is ChaCha20-encrypted shellcode that is loaded from disk by SparklingGoblin’s InstallUtil-based .NET loaders.
SideWalk’s shellcode is deployed encrypted on disk under the name Microsoft.WebService.targets and loaded using SparklingGoblin’s InstallUtil-based .NET loader obfuscated with a modified ConfuserEx, an open source protector for .NET applications that is frequently used by the group.

SparklingGoblin’s .NET loaders persist via a scheduled task using one of the following filenames:

-RasTaskStart
-RasTaskManager
-WebService
It executes the loader using the InstallUtil.exe utility using the following command:

C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /ParentProc=none /U C:WindowsMicrosoft.NETFramework64v4.0.30319InstallWebService.sql
C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /ParentProc=none /U C:WindowsMicrosoft.NETFramework64v4.0.30319InstallWebService.sql
where InstallWebService.sql is the malicious .NET loader. When started with the /U flag, as here, the Uninstall method from the USCInstaller class in the UPrivate namespace method of the .NET loader is called.

the loader is responsible for reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique. Note that the decryption algorithm used varies across samples.

Additionally, note that SparklingGoblin uses a variety of different shellcode loaders such as the Motnug loader and ChaCha20-based loaders.
Motnug is a pretty simple shellcode loader that is frequently used to load the CROSSWALK backdoor, while the ChaCha20-based loaders, as their names suggest, are used to decrypt and load shellcode encrypted with the ChaCha20 algorithm.
The ChaCha20 implementation used in this loader is the same one used in the SideWalk backdoor described below.
This implementation is counter based (CTR mode), using a 12-byte nonce and 32-byte key with a counter value of 11.
The 0x0000000B counter value differs from the usual ChaCha20 implementation, where it’s usually set to 0.

Similar to CROSSWALK, the SideWalk shellcode uses a main structure to store strings, variables, the Import Address Table (IAT), and its configuration data. This structure is then passed as an argument to all functions that need it.
During SideWalk’s initialization, first the strings are decrypted and added to the structure, then the part of the structure responsible for storing the IAT is populated, and finally SideWalk’s configuration is decrypted.

Data and string pool decryption
At the very beginning of its execution, the data section at the end of the shellcode is decrypted using an XOR loop and this 16-byte key: B0 1D 1E 4B 68 76 FF 2E 49 16 EB 2B 74 4C BB 3A. This section, once decrypted, contains the strings that will be used by SideWalk, including:

-registry keys
-decryption keys
-path to write files received from the C&C server
-HTTP method to be used
-HTTP request parameters
-URLs used to retrieve the local proxy configuration
delimiters used to retrieve the encrypted IP address from the Google Docs document.

Note that similar to SideWalk, CROSSWALK also starts its execution by decrypting a string pool using an XOR loop and a 16-byte key.

After decrypting the data section at the end of the shellcode, SideWalk then proceeds to decrypt the rest of its instructions (starting at offset 0x528) by using the same XOR loop with a different 16-byte key: 26 74 94 78 36 60 C1 0C 41 56 0E 60 B1 54 D7 31.

Once it has decrypted its data and code, SideWalk proceeds to verify its integrity by computing a 32-bit checksum, rotating the result to the right by 13 bits at every 32-bit word and comparing the hash value with a reference one corresponding to the untampered shellcode.
If the hash is different from the reference value, it exits.
This allows the shellcode to detect breakpoints or patches to its code and to avoid execution in such cases.

In addition to the string pool, the decoded data also contains the names of the DLLs, as well as the hashes of the names of the functions, to be loaded. Contrary to CROSSWALK, where the string representation of the hashes is used, the hashes are stored directly in their raw binary representation.

SideWalk iterates over the exports of each of the DLLs listed in the decoded data and hashes them with a custom hashing algorithm and then compares them to the hashes of the function names to be imported. Once a match is found, the address of the matching function is added to the main structure.

Once the IAT is populated, SideWalk proceeds to decrypt its configuration.
The configuration is encrypted using the ChaCha20 algorithm and the decryption key is part of the string pool mentioned above.
The ChaCha20 implementation is the same one used for the ChaCha20-based loader.
The decrypted configuration contains values used by SideWalk for proper operation, as well as the update.facebookint.workers[.]dev C&C server, and the URL of the Google Docs document that is later used as a dead-drop resolver.

Note that the update.facebookint.workers[.]dev domain is a Cloudflare worker that lets the malware operators customize the server, running on a widely used, public web service.
During that campaign, SparklingGoblin also used a Cloudflare worker domain with Cobalt Strike: cdn.cloudfiare.workers[.]dev.

One feature of SideWalk is to check whether a proxy configuration is present before starting to communicate with the C&C server.
To do so, it tries two techniques:

-A call to the API function WinHttpGetIEProxyConfigForCurrentUser, with predefined URLs contained in its configuration:
https://msdn.microsoft.com
https://www.google.com
https://www.twitter.com
https://www.facebook.com

-If SideWalk is able to adjust its privileges to SeDebugPrivilege, it tries to retrieve the proxy configuration from HKUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyServer. Otherwise, it tries to fetch it from HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyServer.
If a proxy is found, SideWalk will use it to communicate with the C&C server. This behavior is very similar to the way proxies are handled by CROSSWALK.

SideWalk attempts to obtain the proxy configuration of the current user session by stealing the user token from explorer.exe (the process name to search for is in the configuration) and calling the Windows API WinHttpGetIEProxyConfigForCurrentUser.

Note that SideWalk has the necessary permissions to impersonate logged-on users because it is loaded by the InstallUtil-based .NET loader, which persists as a scheduled task, and so runs under the SYSTEM account.

The Google Docs page used by SideWalk as a dead-drop resolver and at the time of writing, it is still up.
Note that anyone can edit this page.

This string is composed of:

-Delimiters used for proper parsing.
-A payload and its size, which consists of a ChaCha20-encrypted IP address, the key to decrypt it, and, for an integrity check, the hash of the decryption key.
-Additional strings that are currently unused.

To facilitate the potential future usage of that formatting, we have provided a script in our GitHub repository.

The decrypted IP address is 80.85.155[.]80. That C&C server uses a self-signed certificate for the facebookint[.]com domain.
This domain has been attributed to BARIUM by Microsoft, which partially overlaps with what we define as Winnti Group.
As this IP address is not the first one to be used by the malware, it is considered to be the fallback one.
Both the URL and the values of the gtsid and gtuvid parameters are randomly generated.
The Host field is either the IP fetched from Google Docs, or is set to update.facebookint.workers[.]dev. The data of the POST request is an encrypted payload. The format used by this request is the communication format used by SideWalk operators between C&C server and infected machines, e.g., requests and responses.

Note that this format is used for both the request and the response, meaning that when SideWalk handles the data sent back from the C&C server, it parses it according to the same format. There is no particular similarity in the C&C server communication side between CROSSWALK and SideWalk.

In this format, the fields are:

-hash: the hash of the data from 0x10 to total_size of the payload. The hash algorithm is a custom hash combined of multiple MD5 calls on different portions of the hashed data.
-size: the size is equal to total_size – 0x0D.
-key1, key2: ChaCha20 keys to encrypt Header Buffer and Data Buffer.
-parameter buffer: optional buffer (may be 0…0).
-victim ID: authentication information, which is the result of a custom hash of various machine information including Machine GUID and computer name.
-execution ID: before launching the threads, this ID is generated using CryptGenRandom. It is different for each execution.
-command ID / response ID: ID of the action that has been handled by the malware when it is a request from the malware to the C&C server, and the ID of the command to execute when it is a -response from the C&C server to the malware.
-counter: number of commands executed since the current SideWalk process inception.
-data: the ChaCha20-encrypted, compressed data fetched by the malware or sent by the C&C server.
-compressed size: the size of the LZ4-compressed data.
-data size: the uncompressed data size.

Header Buffer and Data Buffer are encrypted using the corresponding keys. The first one stands for the metadata to identify the machine that was compromised, and the second buffer corresponds to the actual data shared between the C&C server and the malware.

Sign Up For Threat Alerts

Loading...
Threats Icon

Jul 04, 2023

Rhysida Ransomware RaaS Crawls Out of Crimeware...

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...

Threats Icon

Jun 26, 2023

Operation Magalenha – Long-Running Campaign Pursues Portuguese...

The attackers can steal credentials and exfiltrate users' data and personal information, which can be...

Threats Icon

Apr 24, 2023

Lazarus Group Adds Linux Malware to Arsenal...

Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...

Threats Icon

Apr 23, 2023

Additional IOCs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.

Threats Icon

Apr 23, 2023

Ex-Conti and FIN7 Actors Collaborate with New...

IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...

Threats Icon

Apr 20, 2023

AuKill EDR killer malware abuses Process Explorer...

The AuKill tool abuses an outdated version of the driver used by version 16.32 of...

Threats Icon

Apr 20, 2023

Fake Chrome updates spread malware

A campaign running since the end of last year is using hacked sites to push...

Threats Icon

Apr 20, 2023

QBot using new attack vector in its...

QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...

Threats Icon

Apr 20, 2023

CrossLock Ransomware Emerges: New Golang – Based...

The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...

Threats Icon

Apr 20, 2023

Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...

A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

APT36 Expands Interest Within Indian Education Sector

Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...

Threats Icon

Apr 17, 2023

ChinaZ DDoS Bot Malware Distributed To Linux...

The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...

Threats Icon

Apr 16, 2023

Resurgence Of The Mexals Cryptojacking Campaign

The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...