
New SparklingGoblin Threat Actor Targets American Companies and Organizations


Security researchers have spotted an ongoing campaign conducted by an advanced persistent threat (APT) actor that appears to be new to the infosec landscape. Researchers named the new entity SparklingGoblin; it has been targeting businesses and organizations located in North America.

SparklingGoblin is a new arrival on the scene but researchers believe it has ties to a previously existing APT called Winnti Group or Wicked Panda, believed to be a state-sponsored Chinese group of hackers. Wicked Panda first came under the spotlight nearly a decade ago.

SparklingGoblin uses what researchers describe as an innovative modular backdoor to infiltrate victims' networks. The tool is called SideWalk and bears striking similarities to one of the backdoors Wicked Panda used in the past, called CrossWalk. Both are modular toolkits and can execute shell commands and code on the victim system, sent by the command and control server.

The new threat actor, SparklingGoblin, was found attacking educational facilities, a retailer and media businesses in the US and Canada.

The new threat actor, SparklingGoblin, was discovered while researchers were trying to track down activity related to the older Wicked Panda APT. During their work they found a new malware sample that turned out to be the new tool used by SparklingGoblin. There were multiple similarities in the way the malware was packaged and how it worked, but it was different enough that it was ascribed to a new threat actor.

One unique feature of the new SideWalk backdoor is that, while it looked very similar to the existing CrossWalk sample, it used a variant of the PlugX malware family, named Korplug. Additionally, the backdoor used Google Docs as storage space for payloads - an increasingly common occurrence among malware.

The backdoor encrypts its malicious shellcode and injects that code through process hollowing into legitimate, existing system processes.

In its attacks, SparklingGoblin seems to be after information exfiltration and seeks to grab IP addresses, usernames and system information from its victim systems. The ultimate purpose of those reconnaissance attacks cannot be stated with complete certainty. The group is believed to also operate out of China, similar to what researchers believe about Wicked Panda.
