Rewterz Threat Alert – Donot APT Group – Active IOCs
April 8, 2022Rewterz Threat Alert – UNC788, Unreported Hacking Group, and Hybrid Operations – Active IOCs
April 8, 2022Rewterz Threat Alert – Donot APT Group – Active IOCs
April 8, 2022Rewterz Threat Alert – UNC788, Unreported Hacking Group, and Hybrid Operations – Active IOCs
April 8, 2022Severity
High
Analysis Summary
Sidewinder is a suspected Indian threat actor group that has been active since 2012. They have been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are some of the other names for Sidewinder APT. This APT has been targeting Pakistani government officials with a decoy file related to NTC (National Telecom Corporation) in its most recent effort. They employ custom implementations to attack existing vulnerabilities and then deploy a Powershell payload in the final stages to distribute the malware. Sidewinder was also detected employing credential phishing sites that were copied from their victims’ webmail login pages.
Impact
- Information Theft and Espionage
Indicators of Compromise
Filename
- ISPS Security Audit Report – 01st Quarter Port of Hambanthota[.]docx
MD5
- 2a3cee44a5876ea5bb3d49fec00365c1
SHA-256
- 37baf7415c755688e1e89679130b5cfd713d662330734eb310089d1f2afd82b8
SHA-1
- 9c0f95573449531c78f31b476cc68f28a57e16f3
URL
- https[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.