SideWinder APT Spotted Stealing Crypto

Researchers have linked the slippery SideWinder APT to two malicious campaigns, one in 2020 and one in 2021, that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.

A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

The findings show the group casting a far wider net than previously thought, using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers’ investigation of these attacks also links the group to other known APTs, including Baby Elephant (which may in fact be SideWinder itself) and Donot APT, they said.

The report also sheds more light on the geographically dispersed nature of the group’s operations: researchers uncovered IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia.

SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group, widely believed to be associated with Indian espionage interests, is far broader than that.

“SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years,” Dmitry Kupin, a senior malware analyst on Group-IB’s Threat Intelligence team, wrote in the report.

Specifically, researchers identified more than 60 targets of the newly identified phishing campaign, including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

Sophisticated Phishing Resources

The phishing attacks, in which SideWinder impersonates known entities in an attempt to lure victims, also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group’s initial-access method, they said.

The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.

In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.

The campaigns also are notable because they demonstrate SideWinder trying to steal cryptocurrency by imitating an Airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.

Specifically, researchers uncovered a phishing link related to Airdrop, an Apple technology for sending files via its mobile devices. When users visited the link (http://5[.]2[.]79[.]135/project/project/index.html), they were asked to register in order to participate in an Airdrop and receive tokens, though it was not specified which ones. By pressing the “Submit details” button, the user activates a script, login.php, which researchers believe the group is using to further develop this attack vector.

Tools and Telegram

Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group’s newest custom tool, SideWinder.AntiBot.Script, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.

The script can extract a victim’s browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It’s a key part of the group’s notoriety for conducting “hundreds of espionage operations within a short span of time,” Kupin wrote.

Another, and perhaps the “most interesting finding,” regarding SideWinder’s tool arsenal was a set of RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands, and thus for retrieving data stolen from compromised systems, Kupin noted.

This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.

How to Stave Off SideWinder

The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.

Because, like many other APT groups, SideWinder relies on targeted spear-phishing as the initial attack vector, it’s important for organizations “to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment,” Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.

Organizations at risk from SideWinder also should continuously monitor network activity within the organization’s perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.
