Rewterz Threat Alert – APT Group SideWinder

Severity

High

Analysis Summary

SideWinder is a threat group that has existed since 2012, targeting military entities’ Windows machines. It is widely known to have targeted various military entities in different regions. Recently, three malicious apps were discovered by Trend micro which were working in corelation to target a victim’s device and collect user’s information.One of the three apps is called Camero, and it exploits a vulnerability that exists in Binder, which is the main Inter-Process Communication system in Android. It was documented that this is the first known active attack in the wild that uses the use-after-free vulnerability. The three apps were disguised as photography and file manager tools. In terms of installation, SideWinder installs the payload app in two stages. First, it downloads a DEX file in Android format from its command and control server.

Impact

Exposure of sensitive information

Indicators of Compromise

SHA-256

• ec4d6bf06dd3f94f4555d75c6daaf540dee15b18d62cc004e774e996c703cb34
• a60fc4e5328dc75dad238d46a2867ef7207b8c6fb73e8bd001b323b16f02ba00
• 0daefb3d05e4455b590da122255121079e83d48763509b0688e0079ab5d48886
• 441d98dff3919ed24af7699be658d06ae8dfd6a12e4129a385754e6218bc24fa
• ac82f7e4831907972465477eebafc5a488c6bb4d460575cd3889226c390ef8d5
• ee679afb897213a3fd09be43806a7e5263563e86ad255fd500562918205226b8
• 135cb239966835fefbb346165b140f584848c00c4b6a724ce122de7d999a3251
• a265c32ed1ad47370d56cbd287066896d6a0c46c80a0d9573d2bb915d198ae42

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.
• Always install applications from play store from verified accounts.