Sidewinder Casts Wide Geographic Net in Latest Attack Spree

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.


The elusive, India-based advanced persistent threat (APT) group SideWinder has unleashed a new flurry of attacks against high-profile entities and strategic infrastructure targets that span numerous countries in Asia, the Middle East, Africa, and even Europe, signaling an expansion of its geographic reach. The attacks also show the group is using an advanced post-exploitation toolkit dubbed "StealerBot" to further its cyber-espionage activity, researchers have found.

The state-sponsored group — active since 2012, publicly outed in 2018, and mainly known for attacking rivals in Pakistan, Afghanistan, China, and Nepal — has demonstrated a widening of its geographic scope in the last six months. The latest attacks, observed by researchers at Kaspersky and outlined in a post on the SecureList blog, for the first time revealed some of SideWinder's post-compromise activities, which have remained largely unknown despite years of study by researchers.

Specifically, SideWinder has lately targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates in the attacks. Affected sectors are varied and include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Attackers also targeted diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

As for StealerBot, the researchers described the malware — which they believe is the main post-exploitation tool used by SideWinder — as "an advanced modular implant designed specifically for espionage activities."

SideWinder's Typical Cyberattack Chain

Though geography and post-exploit tactics vary, SideWinder used its typical attack chain in the latest spate of attacks. The group starts with a spear-phishing email carrying an attachment, usually either a Microsoft OOXML document (i.e., .docx or .xlsx) or a .zip archive that in turn contains a malicious .lnk file. That file triggers a multistage infection chain of JavaScript and .NET downloaders, which ultimately ends with the installation of the StealerBot espionage tool for further activity.

The documents used in the spear-phishing part of the campaign often contain information obtained from public websites, "which is used to lure the victim into opening the file and believing it to be legitimate," Kaspersky lead security researchers Giampaolo Dedola and Vasily Berdnikov wrote in the post. In this case, some of the email lures included public photos, images, and references to diplomatic and other activity that might be of interest to the intended target.

All the documents in the attacks use the remote template injection technique to download an .rtf file stored on a remote server controlled by the attackers. These files are specifically crafted to exploit CVE-2017-11882, a 7-year-old memory corruption vulnerability in Microsoft Office software, in order to download shellcode and further malware that uses various tricks to avoid sandboxes and complicate analysis, the researchers said. The ultimate purpose of the malware is to exfiltrate data from infected systems and conduct cyberespionage.
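Remote template injection, as described above, is declared inside the OOXML package itself: the document's `attachedTemplate` relationship points at an external URL instead of a local template, so Word fetches the remote file on open. The following detector is an added example (not code from the article or from Kaspersky) that unpacks a .docx in memory and flags any externally targeted attached-template relationship; the sample document it scans is constructed inline and the `example.invalid` URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OOXML package relationship files (*.rels)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for the document's attached template
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Targets that would make Word reach out of the package (http(s), file, UNC)
REMOTE_TARGET = re.compile(r"^(https?|file)://|^\\\\", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return [(rels_part, target), ...] for every attachedTemplate
    relationship whose target is external. A clean document returns []."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            # Note: stdlib XML parser; for untrusted input in production,
            # prefer a hardened parser such as defusedxml.
            root = ET.fromstring(pkg.read(part))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target):
                    hits.append((part, target))
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal OOXML package used only to exercise the detector.
    When template_target is given, an external attachedTemplate is declared
    in word/_rels/settings.xml.rels, mirroring the injection technique."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if template_target:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="External"/>')
        rels += "</Relationships>"
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `find_remote_templates` over attachments at the mail gateway or in a triage script; any hit is a document that will contact an external host before the user sees its content.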

New StealerBot Modular Malware

StealerBot, so named by the attackers, is a modular implant developed in .NET to perform espionage activities. Rather than writing the malware's components to the filesystem of the infected machine, as is typical, the attack chain observed by the researchers loads them into memory through one of the malware's numerous modules, which in this case acts as a backdoor loader that the attackers dubbed "ModuleInstaller."

That module is a downloader that deploys the Trojan that SideWinder uses to maintain a foothold on compromised machines. It's a tool previously wielded by the group and observed by Kaspersky, but not unveiled publicly until now, the researchers noted.

The attackers designed ModuleInstaller to drop at least four files: a legitimate and signed application used to sideload a malicious library; a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules; a malicious library; and an encrypted payload. "We observed various combinations of the dropped files," the researchers noted.

Another module, called the "Orchestrator," is the main component of the malware; it communicates with SideWinder command-and-control (C2) infrastructure and executes and manages the other malware plugins. All told, StealerBot includes modules for installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, stealing files, phishing Windows credentials, and escalating privileges by bypassing user account control (UAC), among other activities.

Largely Underestimated Attackers

SideWinder has long been perceived as a low-skilled threat group because of its use of public exploits and remote access Trojans (RATs), as well as malicious .lnk files and scripts as infection vectors, according to Kaspersky. However, defenders should not underestimate the group, as "their true capabilities only become apparent when you carefully examine the details of their operations," the researchers wrote.

As the new wave of attacks shows "a significant expansion of the group’s activities," those who may be targeted should be on alert and aware of the threat posed by the group, they said.

To help defenders recognize the presence of SideWinder and its tool StealerBot on their networks, the researchers included a comprehensive list of indicators of compromise (IoCs) for various stages of the attack in their post.

The IoCs include references to malicious documents and .rtf and .lnk files, as well as specific IoCs for the various modules of StealerBot. A long list of malicious domains and IP addresses associated with the attacks is also included in the post.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
