SideWinder, an APT group, is reported to have carried out over 1,000 attacks since April 2020. The group has been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are aliases for SideWinder. The group uses custom exploit implementations for known vulnerabilities and then deploys a PowerShell payload in the final stages to deliver the malware. SideWinder has also been observed using credential-phishing sites cloned from its victims' webmail login pages.
SideWinder's primary attack vector is sending convincing spear-phishing emails with malware-rigged document attachments to carefully selected targets. The group relies mainly on known Windows and Android vulnerabilities, including old Microsoft Office flaws, rather than zero-day exploits. In January 2020, however, researchers revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability in Android (CVE-2019-2215), which affected hundreds of millions of phones when it was first disclosed. SideWinder has also been observed using the ongoing Russian-Ukrainian conflict as bait in its phishing campaigns to spread malware and steal sensitive data.
The threat actor operates a significant C2 infrastructure of over 400 domains and subdomains used to host and manage malicious payloads. First-stage domains are used to host the first-stage malware spread through spear-phishing messages, to receive the information that malware collects, and to host second-stage payloads. Researchers also observed several freshly registered domains, most likely intended to extend the target list to other countries.
To avoid detection, the group uses a variety of tactics, including numerous obfuscation techniques, encryption with a unique key for each malware sample, multi-layered malware strains, and memory-resident malicious payloads. This threat actor is quite sophisticated, employing a variety of infection channels and complex attack techniques. The final payload is a backdoor that gives the attackers control of compromised systems.
Researchers also described the command-and-control domains used in the attacks' final stages. The C2 communication URLs for these domains are divided into two sections:
Because this threat actor uses a variety of infection vectors and novel attack techniques, organizations must keep Microsoft Office fully up to date to mitigate such attacks.