Since April 2020, the “aggressive” advanced persistent threat (APT) organization SideWinder has been linked to over 1,000 additional assaults.
“The sheer number, high frequency, and persistence of their attacks, as well as the large collection of encrypted and obfuscated malicious components used in their operations, are some of the main characteristics of this threat actor that set it apart from the others,” cybersecurity firm Kaspersky said in a report presented at Black Hat Asia this month.
SideWinder, also known as Rattlesnake or T-APT-04, has been active in Central Asian nations such as Afghanistan, Bangladesh, Nepal, and Pakistan since at least 2012. It has a history of targeting military, defense, aviation, IT, and legal enterprises.
The threat actor is aggressively broadening the geography of its targets outside its regular victim profile to additional nations and regions, including Singapore, according to Kaspersky’s APT trends report for Q1 2022, published late last month.
SideWinder has also been seen using the ongoing Russian-Ukrainian conflict as bait in its phishing attempts to spread malware and steal sensitive data.
The group’s infection chains are known to include malware-rigged documents that exploit a remote code execution vulnerability (CVE-2017-11882) in Microsoft Office’s Equation Editor component to deliver harmful payloads to vulnerable PCs.
SideWinder’s toolkit also includes advanced obfuscation techniques, encryption with unique keys for each malicious file, multi-layer malware, and the separation of command-and-control (C2) infrastructure strings into separate malware components.
The three-stage infection sequence starts with rogue documents dropping an HTML Application (HTA) payload, which then loads a .NET-based module to install a second-stage HTA component designed to deliver a .NET-based installer.
In the following phase, this installer is in charge of both establishing persistence on the host and loading the final backdoor into memory. The implant itself can, among other things, collect files of interest as well as system information.
Over the last two years, the threat actor has used over 400 different domains and subdomains. The URLs used for C2 domains are divided into two portions, the first of which is provided in the .NET installer and the second of which is encrypted inside the second-stage HTA module, adding an extra layer of concealment.
“This threat actor has a pretty high degree of expertise, employing a variety of infection routes and complex attack methodologies,” Kaspersky’s Noushin Shabab stated, recommending that businesses adopt the most recent versions of Microsoft Office to protect themselves against such assaults.