SideWinder Cyber Attacks Target Maritime Facilities Across Multiple Countries
July 30, 2024
The cyber threat actor known as SideWinder has initiated a new cyber espionage campaign that is focused on ports and maritime facilities situated in the Indian Ocean and the Mediterranean Sea. This information was revealed by the BlackBerry Research and Intelligence Team. The spear-phishing campaign has targeted various countries including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which has been operational since 2012, is also known by several other names such as APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger. The actor is believed to be associated with India. The group often uses spear-phishing to deliver malicious payloads that initiate the attack chains.
The Canadian cybersecurity company, in an analysis published last week, stated, "SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants." The recent attacks use lures related to sexual harassment, employee termination, and salary cuts to negatively affect the recipients' emotional state and trick them into opening booby-trapped Microsoft Word documents.
Upon opening the decoy file, a long-patched Office flaw (CVE-2017-0199, which lets a document fetch and load content from a remote OLE link or attached template) is exploited to contact a malicious domain impersonating Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") and retrieve an RTF file. That RTF in turn downloads a document exploiting a second 2017 vulnerability, CVE-2017-11882, a memory-corruption bug in the Microsoft Office Equation Editor, to run shellcode that launches JavaScript code, but only after the shellcode confirms that the compromised system is a genuine machine of interest to the threat actor.
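The two stages above leave static artifacts in the lure files themselves: a CVE-2017-0199 remote-template document declares an External attachedTemplate (or oleObject) relationship in its OOXML .rels parts, and a CVE-2017-11882 RTF embeds an Equation.3 object, usually with \objupdate so it activates without a click. The following scanner is an added example written for this page, not BlackBerry's tooling or code from the report; the sample documents it builds are constructed stand-ins (the only value taken from the report is the defanged domain), and the objdata hex is a trimmed placeholder rather than a real OLE stream.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types Word resolves and loads on open (unlike a clickable hyperlink).
# An External attachedTemplate pointing at a URL is the remote-template form of CVE-2017-0199.
LOADED_REL_TYPES = ("/attachedTemplate", "/oleObject", "/subDocument")
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")

# CLSID {0002CE02-0000-0000-C000-000000000046} = Equation.3 (Equation Editor, the
# CVE-2017-11882 target), serialised little-endian as it appears inside an RTF \objdata stream.
EQN_CLSID_HEX = "02ce020000000000c000000000000046"


def find_remote_loads(docx_bytes):
    """Return (rels part, relationship type, target) for every External relationship in an
    OOXML package that Word would fetch from a remote location when the file is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype.endswith(LOADED_REL_TYPES)
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    hits.append((name, rtype.rsplit("/", 1)[-1], target))
    return hits


def rtf_equation_indicators(rtf_bytes):
    """Return the Equation Editor and auto-activation indicators found in an RTF file."""
    text = rtf_bytes.decode("latin-1")  # RTF is 7-bit ASCII; latin-1 never raises
    found = []
    if re.search(r"\\objclass\s+Equation\.3\b", text, re.IGNORECASE):
        found.append("objclass Equation.3")
    for m in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", text):
        if EQN_CLSID_HEX in "".join(m.group(1).split()).lower():
            found.append("Equation.3 CLSID in objdata")
            break
    if re.search(r"\\objupdate\b", text):  # forces the object to activate on open
        found.append("objupdate (activates without a click)")
    return found


def build_sample_docx(template_target):
    """Constructed minimal package (not a real SideWinder lure) whose settings.xml.rels
    carries an attachedTemplate relationship, which is where a remote template is declared."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        f'relationships/attachedTemplate" Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF stand-ins: the hex below is a trimmed placeholder, not a real OLE stream.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e330000"
    rb"02ce020000000000c000000000000046}}}"
)
BENIGN_RTF = rb"{\rtf1\ansi Quarterly port statistics, no embedded objects.}"

if __name__ == "__main__":
    # Domain taken from the report, kept defanged; the path is made up.
    lure = build_sample_docx("http://reports.dgps-govtpk[.]com/template.dotm")
    print(find_remote_loads(lure))
    print(rtf_equation_indicators(SAMPLE_RTF), rtf_equation_indicators(BENIGN_RTF))
```

Two caveats for anyone running this over real mail attachments: in-the-wild RTF exploits routinely obfuscate control words and split the hex across junk, so treat the RTF checks as a first pass rather than a verdict, and remember that both bugs have had vendor patches since 2017, so an Office install that is current is not exploitable by this chain even if the lure arrives; the scanner is most useful for hunting delivery attempts and for spotting hosts that were never updated.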
The final payload delivered by the JavaScript malware is currently unknown, but it is likely aimed at intelligence gathering based on previous campaigns by SideWinder. BlackBerry stated, "The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions. The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."