March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Advisory – CVE-2022-21523 – Oracle BI Publisher Vulnerability
July 21, 2022
Rewterz Threat Advisory – CVE-2022-21429 – Oracle Communications Billing and Revenue Management Vulnerability
July 21, 2022
Rewterz Threat Advisory – CVE-2022-21523 – Oracle BI Publisher Vulnerability
July 21, 2022
Rewterz Threat Advisory – CVE-2022-21429 – Oracle Communications Billing and Revenue Management Vulnerability
July 21, 2022
Severity
High
Analysis Summary
Sidewinder is a suspected Indian threat actor group that has been active since 2012. They have been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are the aliases for Sidewinder APT. This APT has been targeting Pakistani government officials with a decoy file related to FOCUSED TALK ON RUSSIAN UKRAINE CONFLICT IMPACT ON PAKISTAN. They employ custom implementations to attack existing vulnerabilities and then deploy a Powershell payload in the final stages to distribute the malware. Sidewinder was also detected employing credential phishing sites that were copied from their victims’ webmail login pages.
In June, 2022, researchers discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17), a threat actor originating from India and particularly targeting Pakistan. SideWinder.AntiBot.Script, a newly found bespoke tool, was utilized in a phishing attack against Pakistani targets.
In July, cyberattacks by Sidewinder APT targeted Pakistani military targets. According to researchers, the Pakistan Air Force Headquarters was the target of the latest Sidewinder strike. While malware file analysis on Virus Total frequently exposes the identification of the attack campaign’s targets, it is unusual to find proof that the attack was successful.
Recently, this group used the domain “ksew.kpt-gov[.]org” which is pretending to be the Karachi Port Trust website “http://kpt.gov.pk”
Image Source:
Impact
- Information Theft and Espionage
Indicators of Compromise
Domain Name
- ksew[.]kpt-gov[.]org
MD5
- 1ab1b0b87a2928d0b6c6f60f036196ce
SHA-256
- cd1a9ae4a3968643a6fb41b36b67838d952dac83ad63c63ce4ad3c672fac31b8
SHA-1
- 989a7b09295ff5f84cdd7a204802472bfb957dbd
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.