Sidewinder APT Group Expands Geographic Reach in Latest Cyberattack Spree

October 16, 2024

The Sidewinder APT group, known to be sponsored by India, has broadened its attack scope, targeting multiple entities across Asia, Africa, the Middle East, and Europe. The group's recent activities reveal the use of a new post-exploitation tool, StealerBot, to enhance its cyber-espionage operations.

Sidewinder, active since 2012 and first publicly documented in 2018, has historically attacked adversaries in Pakistan, Afghanistan, China, and Nepal. However, the past six months have seen a significant expansion of its geographic scope. Kaspersky researchers have observed the group's recent attacks and provided insights into some of Sidewinder's post-compromise activities.

The APT group has recently targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the UAE. The impacted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco have also been targeted.

The researchers describe StealerBot as 'an advanced modular implant designed specifically for espionage activities.' The group's attack chain remains consistent, starting with a spear-phishing email with an attachment, usually a Microsoft OOXML document or a .zip archive containing a malicious .lnk file. This initiates a multistage infection chain that ultimately results in the installation of the StealerBot tool.

The spear-phishing emails often reuse content taken from public websites to lure the victim into opening the attachment. The documents use the remote template injection technique to download an .rtf file stored on a remote server controlled by the attackers. These files exploit the CVE-2017-11882 vulnerability in Microsoft Office software to download further shellcode and malware, ultimately aiming to extract data from infected systems.
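As an added illustration of the remote template injection technique described above (this is example code written for this page, not part of the article or of Kaspersky's analysis), the following Python script scans an OOXML package for an attachedTemplate relationship whose target is a remote URL or UNC path, which is the structural fingerprint of a document built to fetch a template from an attacker-controlled server. The sample documents are constructed in memory with only the parts the scan needs, and the domain example.invalid is a reserved placeholder, not an indicator from the article. Treat the script as a triage heuristic for mail gateways or sandboxes, not a complete detector; it does not cover the .zip-with-.lnk variant of the lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Package-relationship namespace and the relationship Type Word uses for an
# attached (.dotm/.dotx) template; both are standard OOXML values.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def is_remote_target(target: str) -> bool:
    """True if a relationship Target points off the local machine (URL or UNC path)."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC share such as \\server\share\template.dotm
    scheme = urlsplit(t).scheme.lower()
    return scheme in {"http", "https", "ftp"}


def find_remote_templates(docx_bytes: bytes) -> list:
    """Scan every .rels part of an OOXML package for attachedTemplate
    relationships whose target is remote. Returns a list of dicts so a
    caller can log or alert on each finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A relationships part that does not parse is itself worth a look.
                findings.append({"part": name, "target": None, "reason": "unparseable .rels"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # Word marks non-package targets External; a local path is normal,
                # a URL or UNC path is the remote template injection pattern.
                if rel.get("TargetMode") == "External" and is_remote_target(target):
                    findings.append({"part": name, "target": target, "reason": "remote attachedTemplate"})
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Build a minimal, constructed OOXML package in memory. Only the
    relationships part matters for the scan; the other parts are stubs."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a local template path a normal document might carry, and
# the pattern a remote-template-injection document uses (placeholder domain).
BENIGN_DOCX = build_sample_docx(
    "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"
)
SUSPICIOUS_DOCX = build_sample_docx("http://example.invalid/template.dotm")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, find_remote_templates(blob))
```

The check keys on the relationship Type rather than on the file name because the template relationship always lives in a .rels part regardless of what the document is called, and it deliberately ignores External targets that use the file: scheme or a bare path, since a legitimate document commonly records the local Normal.dotm it was created from.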

StealerBot, developed with .NET, is a modular implant designed for espionage activities. The attack chain loads the malware's components into memory, deploying a Trojan that Sidewinder uses to maintain a foothold on compromised machines. The ModuleInstaller acts as a downloader that deploys the Trojan, while another module, the 'Orchestrator,' communicates with Sidewinder's command-and-control center and manages other malware plugins.

Although Sidewinder is often perceived as a low-skilled threat group because it relies on public exploits and remote access Trojans (RATs), its true capabilities become evident when the details of its operations are examined. The researchers warn potential targets to be alert and aware of the threat posed by the group. They have also provided a comprehensive list of indicators of compromise (IoCs) to help defenders recognize the presence of Sidewinder and StealerBot on their networks.
