Rewterz Threat Alert – Nanocore Rat – Active IOCs
March 17, 2022Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
March 17, 2022Severity
High
Analysis Summary
Sidewinder is a suspected Indian threat actor group that has been active since 2012. They have been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are the aliases for Sidewinder APT. This APT has been targeting Pakistani government officials with a decoy file related to FOCUSED TALK ON RUSSIAN UKRAINE CONFLICT IMPACT ON PAKISTAN in its most recent effort. They employ custom implementations to attack existing vulnerabilities and then deploy a Powershell payload in the final stages to distribute the malware. Sidewinder was also detected employing credential phishing sites that were copied from their victims’ webmail login pages.
Sidewinder Group has been actively targeting the Government of Pakistan via phishing emails, dropping malicious Word documents which enables macro when downloaded and executed. The malicious file suspected of being used as an attachment has the name FOCUSED TALK ON RUSSIAN UKRAINE CONFLICT.docx
Impact
- Information Theft and Espionage
Indicators of Compromise
Filename
- FOCUSED TALK ON RUSSIAN UKRAINE CONFLICT[.]docx
IP
- 209[.]197[.]3[.]8
MD5
- bbc955b1289b4f90fdfb8906606597e9
SHA-256
- f765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca
SHA-1
- 6811b418c052baec7e74260e36e6e3cd34b202b0
URL
- https[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.