December 9, 2022 HAWKEYE

The Evolution of SideWinder APT and their Modus-Operandi

A suspected Indian threat actor group, Sidewinder, has been operating at least since 2012. They have been seen attacking businesses, military, and governmental institutions across Asia, particularly in Pakistan, China, Nepal, and Afghanistan. However, Pakistan has been the main focus of SideWinder since the group was discovered in 2012.

Background

Pakistan has been the target of many SideWinder attacks in the past year. The aims for the Pakistani military piqued SideWinder’s interest in particular. In the article, we will talk about evolution and the modus-operandi related to it.

SideWinder APT Targets

Over a long period of time, the SideWinder APT has targeted businesses and governments in South Asia and East Asia. Particularly, there is a persistent attempt to target military and governmental institutions. Pakistan, China, Nepal, and Afghanistan have been the primary targets of military and governmental attacks. Numerous smaller operations were also seen aiming at other countries in the area, including Bangladesh, Myanmar, Qatar, Sri Lanka, and Myanmar. SideWinder campaigns also targeted numerous companies involved in the national military technology, scientific research, banking, energy, and mineral industries of the same nations.

Evolution and Modus-Operandi

Spear phishing emails used by SideWinder to launch attacks against their intended targets have been seen. The majority of attacks provide infected attachments, however, the group has also employed credential phishing. Email enticements and the links or files they contain are frequently specially created for the target organization. They contain information that the recipients would typically expect to receive or find useful. Email lures are frequently tied to political events and/or sensitive papers because the group has largely targeted government and military groups, which are expected to receive such emails. Malicious links in phishing emails are typically used in conjunction with malicious attachments. RTF files and less frequently DOCX, LNK, and ZIP files have been the most common types of attachments.

The RTF files repeatedly leverage CVE-2017-11882 to compromise the target host and launch an attack. When downloading remote files from the infrastructure that the adversary controls, LNK files are used for code execution. Simply providing LNK files using ZIP files has been noticed; this may be an effort to get around automatic email filtering.

The ZIP file contains a malicious LNK file which performs a remote download to ultimately download a malicious HTA file. The HTA files themselves change over time, frequently changing with each campaign in an effort to hinder the ability to perform analysis and detection. The HTA file serves as the initial infection downloader from the C2 server, loads encoded lure documents and reports specific host information to the C2 server.

The scripts alternate between PowerShell, VBScript, and JavaScript. The amount of code encoding and obfuscation in the script has also grown over time. The scripts have also profited from using maliciously delivered final payloads through open-source toolkits like Koadic and StarFighters. In the end, the numerous distinct HTA file script implementations result in the deletion and execution of the loader using the DLL side loading method.

SideWinder loads and runs its final implant payload on target PCs utilizing a method known as DLL side loading as part of its infection chain. By compelling a system software to load its malicious DLL instead of the legitimate one, the malware hijacks a clean file. With this method, the implant can stay hidden from generic file scans by only existing in the victim machine’s memory. The final implant has the capabilities of collecting system information, and saving it to a file to be later uploaded to the C2 server, Collecting drive information and directory files based on configuration, Collecting files and saving them to a temporary file to later deliver to the C2 server, and dynamically updating malware configuration.

Also, in 2022 a new customer tool called SideWinder.AntiBot.Script which was used by Sidewinder APT to redirect the victims for downloading the initial file from the infected website. Also, a new malware that the SideWinder APT threat group employed in attacks against Pakistan in 2022 was found. The backdoor is known as Warhawk. It has multiple modules for downloading and executing additional payload, running remote commands, and exfiltrating files from the device.

Recommendations

  • Continually update your cyber threat intelligence program with the newest IOCs from new threats.
  • Update systems with security patch updates.
  • Avoid opening email attachments, or only do so if you are certain the sender was human and not a malicious entity.
  • After being obtained during Collection, monitor executed commands and arguments that could exfiltrate data, such as sensitive documents, through the use of automated processing.
  • Keep track of the DLLs that a process has loaded and look for any that have the same file name but strange locations.
, , ,


CONTACT US

We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.