SideWinder APT Targets Maritime and Nuclear Sectors with Enhanced Toolset

Kaspersky researchers report that the APT group SideWinder is targeting maritime, logistics, nuclear, telecom and IT organisations across South Asia, Southeast Asia, the Middle East and Africa. The group, also tracked as Razor Tiger, Rattlesnake and T-APT-04, has been active since at least 2012 and has historically focused on government institutions, military forces and naval units in Central Asian countries.

In recent attacks, SideWinder has widened its target set to ministries of foreign affairs, scientific and defence organisations, aviation, the IT industry and law firms. Its targeting has also shifted, with growing interest in nuclear power plants and the nuclear energy sector in South Asia.

A Large C2 Infrastructure

SideWinder maintains an extensive Command and Control (C2) infrastructure of more than 400 domains and subdomains, which both host the malicious payloads and control the implants once they are installed. A network of this size lets the group coordinate campaigns and quickly rotate infrastructure and tooling when defenders detect them.

"Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours," warn Kaspersky researchers. "If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files." This adaptability makes it challenging for security teams to detect and mitigate SideWinder's attacks.

The Infection Pattern

SideWinder's infection pattern starts with a spear-phishing email carrying a DOCX attachment. The document does not contain the exploit itself: it references an RTF template hosted on an attacker-controlled server, which Word fetches when the document is opened (remote template injection). The RTF embeds an Equation Editor object that triggers the Microsoft Office memory corruption flaw CVE-2017-11882 in the legacy EQNEDT32.EXE component, running shellcode that starts a multi-stage infection. Because the malicious content lives in the remotely fetched template, the attachment itself can look clean to static scanners that only inspect the DOCX.
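The two artefacts in that chain can be triaged offline without opening the document. The following Python script is an added example, not code from the original article or from Kaspersky: it unpacks a DOCX and lists every relationship whose TargetMode is "External" (a remote attachedTemplate relationship in word/_rels/settings.xml.rels is the remote-template-injection marker), and it checks an RTF body for the usual Equation Editor OLE indicators associated with CVE-2017-11882 exploit documents (an Equation.3 object class, the \objupdate control word that forces the object to activate, and the hex-encoded class name inside \objdata). Both sample inputs are constructed in the script; the template URL uses the reserved example.invalid domain and the RTF is only a header skeleton, not an exploit.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# CLSID of Equation Editor 3.0 (EQNEDT32.EXE), the component exploited by CVE-2017-11882
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
# "Equation.3" as it appears hex-encoded inside an RTF \objdata stream
EQUATION3_HEX = b"4571756174696f6e2e33"


def build_sample_docx(template_target, external=True):
    """Constructed sample: a minimal DOCX whose settings.xml.rels carries an attachedTemplate.
    With external=True the target is a remote URL, which is the remote-template-injection shape."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every relationship pointing outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def remote_template_targets(docx_bytes):
    """Only the external attachedTemplate targets: URLs Word will fetch on open."""
    return [target for _, rtype, target in find_external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE]


def rtf_equation_markers(rtf):
    """Heuristic indicators that an RTF embeds an Equation Editor OLE object."""
    low = rtf.lower()
    found = []
    if re.search(rb"\\objclass\s*equation\.[23]", low):
        found.append("objclass Equation")
    if b"\\objupdate" in low:          # forces OLE activation without user interaction
        found.append("objupdate")
    if EQUATION3_HEX in low:            # class name hidden in the hex-encoded object data
        found.append("hex Equation.3 in objdata")
    if EQNEDT_CLSID.lower().encode() in low:
        found.append("Equation Editor CLSID")
    return found


# Constructed RTF skeleton: only the object headers an exploit document would carry, no payload.
SAMPLE_RTF = rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}" \
             rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300000000}}}"

if __name__ == "__main__":
    docx = build_sample_docx("http://example.invalid/inject.rtf")
    print("remote templates:", remote_template_targets(docx))
    print("RTF markers:", rtf_equation_markers(SAMPLE_RTF))
```

In practice the docx check runs at the mail gateway, before Word ever fetches the template, and any hit on an external attachedTemplate is worth blocking regardless of what the remote file looks like at scan time, since the server can serve a benign template to scanners and the weaponised RTF to the victim.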

The final stage of the attack chain is a malware dubbed "Backdoor Loader," which loads a custom post-exploitation toolkit named "StealerBot." The "Backdoor Loader" component has been updated: a new C++ version has emerged that drops the anti-analysis techniques seen in earlier builds. This variant appears to be tailored to specific targets, loading its payload from a file path hard-coded into the binary.

"These variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim," note Kaspersky researchers. "Most detected bait documents focused on government and diplomatic matters, though some covered generic topics like car rentals, real estate, and freelance job offers."

A Persistent Threat Actor

"SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits," concludes the Kaspersky report. "Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches."

"Despite the use of an old exploit, we should not underestimate this threat actor," warn the researchers. "In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government."

For organisations in the targeted sectors, the practical takeaway is that a seven-year-old Office vulnerability is still the entry point: patching or disabling Equation Editor and blocking remote template fetches closes the door SideWinder keeps walking through.

Stay Safe

"Installing security patches and keeping software up-to-date can help prevent exploitation of known vulnerabilities," advises Kaspersky. "Regularly monitoring systems for suspicious activity, using robust security tools, and conducting regular security audits can also help mitigate the impact of SideWinder's attacks."

By taking these precautions, organizations can reduce their risk of falling victim to this sophisticated threat actor.

Stay Informed

Follow Security Affairs for the latest updates on advanced persistent threats and cybersecurity best practices on Twitter (@securityaffairs), Facebook and Mastodon.