SideWinder Bites

SideWinder, a likely India-based cyber-espionage group that has been active since 2012, recently ramped up attacks on organizations in the maritime and logistic sectors in Africa and Asia.  In many of the attacks, the threat group has used variously themed phishing emails to lure targets into clicking on a malicious document.  The document contains an exploit for CVE-2017-11882, a memory corruption vulnerability in Microsoft Office that SideWinder has used for years in its campaigns, to drop a post-exploitation toolkit called StealerBot on vulnerable systems.

See:  https://redskyalliance.org/xindustry/sidewinder-cyber-attacks-maritime

The malware can execute a wide range of malicious actions, including installing additional malware, capturing screenshots and logging keystrokes on compromised systems, swiping passwords, grabbing remote desktop login information, stealing files, and escalating privilege.  SideWinder has targeted maritime and logistics organizations in Egypt, Djibouti, United Arab Emirates, Bangladesh, Cambodia, and Vietnam, according to researchers from Kaspersky who have been tracking the attacks since early 2024.  Researchers also observed attacks against entities in the nuclear energy sector.  "Despite the use of an old exploit, we should not underestimate this threat actor," Kaspersky warned in a blog post this week.  "In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government."[1]

SideWinder's ramped-up focus on maritime and logistics entities suggests the group has expanded its targeting beyond its usual sectors and once again widened the geographical scope of its operations.  Security vendors consider SideWinder, aka RattleSnake and T-APT-04, a relatively prolific threat group with a long record of breaching organizations in South and Southeast Asia.  Before the group's recent expansion into the maritime and logistic sectors, its primary targets had been government and military entities in countries neighboring India, such as Pakistan, Nepal, Sri Lanka, and China.  The threat actor has also targeted foreign embassies and consulates in countries that include Afghanistan, France, China, Maldives, Turkey, and Bulgaria.

In July 2024, researchers from BlackBerry reported observing SideWinder launch its first attacks on maritime facilities in the Mediterranean Sea.  Since then, the threat group has intensified those attacks, according to Kaspersky.

In an October 2024 report, Kaspersky described SideWinder as a group that many might underestimate because of its reliance on public exploits, remote access Trojans, and scripts as primary infection vectors.  Unlike many advanced persistent threat actors, SideWinder is not known to possess a broad range of custom tooling, nor has it been associated with any zero-day exploits.  Most of its attacks have involved well-documented, and therefore easily detected, public exploits, RATs, and malicious Windows shortcut (.LNK) files to execute commands, scripts, or payloads for initial access.

An analysis of the group's post-compromise activities and its apparently custom-developed StealerBot malware shows SideWinder is a "highly advanced and dangerous adversary," Kaspersky concluded.  "Their true capabilities only become apparent when you carefully examine the details of their operations," the anti-malware vendor noted in its October 2024 report.

SideWinder has deployed many of its usual tactics in the more recent attacks on maritime and logistics companies.  The attacks started with a spear-phishing email with an attached DOCX file purporting to be about some governmental decisions or diplomatic issues of likely relevance to the targeted recipients.  In some cases, the attached document in the phishing emails had themes related to nuclear energy and nuclear power plants, while others had completely random themes like car rentals in Bulgaria and a job opportunity for a freelance video game developer.

Opening the document triggers it to fetch a Rich Text Format (RTF) file from an attacker-controlled server, which then exploits CVE-2017-11882 to execute malicious shellcode on the victim's system.  This triggers a multistep infection chain, eventually leading to the installation of a loader (Backdoor Loader) that fetches and runs the StealerBot in-memory implant.
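The delivery step described above, a DOCX that pulls an RTF from a remote server, leaves a recognizable trace in the document package: an externally targeted template relationship.  The check below is an added example for defenders, not code from the article or from Kaspersky's analysis; the part path and relationship type are the standard OOXML ones, while the sample documents and the URL in them are constructed for the demonstration.

```python
"""Added example: flag a DOCX whose settings.xml.rels points at an external
(remote) template, the technique by which a document fetches an RTF from an
attacker-controlled server. Sample documents are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML locations/identifiers for the attached-template relationship.
RELS_PART = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REMOTE_PREFIXES = ("http://", "https://", "file:", "\\\\")


def external_templates(docx_bytes):
    """Return every remote attachedTemplate target found in the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits  # no settings relationships part: nothing to fetch
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter():
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and target.lower().startswith(REMOTE_PREFIXES)):
                hits.append(target)
    return hits


def make_docx(rels_xml):
    """Build a minimal constructed DOCX (not a real sample) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed inputs: a plain document and one with a remote template (placeholder URL).
BENIGN = make_docx(None)
SUSPECT = make_docx(
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template.example.invalid/decision.rtf" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, external_templates(doc) or "no external template")
```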

"SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits," Kaspersky cautioned.  The threat actor has a demonstrated ability to quickly update its tools, often in a matter of hours, to evade detection, the security vendor noted.  Kaspersky urged organizations to patch CVE-2017-11882 and provided indicators of compromise, information on the domains and IPs SideWinder is using in its campaigns, and technical details of the threat actor's toolset.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.darkreading.com/cyberattacks-data-breaches/sidewinder-intensifies-attacks-maritime-sector
