SideWinder APT Attacks Entities In Middle East And Africa
Recent reports have claimed that an advanced president threat (APT) group with ties to India has launched multiple attacks in the Middle East and Africa. The threat actor group, being referred to as the SideWinder APT, has mainly targeted high-profile entities. In this article, we’ll dive into the attacks and uncover the exploited flaws. Let’s begin!
The SideWinder APT Attack Group Unveiled
Before diving into the details of the group, it’s worth mentioning that SideWinder APT threat actor goes by multiple names that include APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. Providing further insights about the threat actor, cyber security researchers from Kaspersky have stated that:
“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.”
As per recent reports, the SideWinder APT has targeted various sectors in multiple countries that include:
Sectors | Countries |
|
|
Apart from these targets, the threat actors have also been observed targeting diplomatic entities pertaining to Afghanistan, France, China, India, Indonesia, and Morocco.
Details Of The Attack Campaign
One of the key aspects of the SideWinder APT attack campaigns is its use of a multi-stage infection chain. This infection chain is designed to deliver a post-exploitation toolkit called StealerBot. Attacks orchestrated by the SideWinder APT hacker start with a spear-phishing email. The email contains one of two payloads mentioned below.
- A ZIP archive with a Windows shortcut (LNK) file.
- A Microsoft Word document.
Either of these payloads can be used for executing JavaScript and .NET downloads which deploy the StealerBot malware. While the Word document relies on remote template injections and exploits CVE-2017-11882, the LNK file uses the mshta.exe utility to run JavaScript code.
As of now, media reports have stated that the end goal of the SideWinder APT attacks is to aid espionage by fetching plugins that be used for various malicious initiatives like:
- Install additional malware.
- Acquiring screenshots.
- Enregistrement des frappes au clavier.
- Stealing passwords and files.
- Intercepting RDP credentials.
- Starting reverse shell.
- Phishing Windows credentials.
- Escalating privileges.
Conclusion
The SideWinder APT group’s sophisticated multi-stage attacks highlight its evolving capabilities in espionage and cyber warfare. By targeting high-profile sectors and leveraging tools like StealerBot, the group poses a significant threat to global cybersecurity, requiring vigilant defenses and advanced countermeasures to mitigate its impact.
The sources for this piece include articles in The Hacker News and Kaspersky.