
Group-IB uncovers SideWinder APT plot to steal Crypto

March 1, 2023 - TuxCare PR Team

Group-IB recently discovered a new phishing campaign believed to be the work of the notorious Chinese state-sponsored hacking group, Sidewinder.

The attacks, which began in January 2022 and continue to this day, are thought to be part of a larger cyber espionage campaign aimed at stealing sensitive data from military and government agencies, as well as private sector companies. The phishing emails are sophisticated and personalized, enticing victims to click on malicious links or download infected attachments.

After infecting a victim’s computer, the attackers can gain access to sensitive information such as login credentials, email archives, and other confidential data. The Sidewinder group has been active since at least 2012 and has been linked to a variety of espionage operations, including targeting foreign governments, military and defense contractors, and human rights organizations.

According to the researchers, the attackers attempted to steal user credentials by impersonating an airdrop of NCASH cryptocurrency. NCASH is used as a payment method in the Nucleus Vision ecosystem, which retail stores in India have been using. The researchers found a phishing link related to a cryptocurrency airdrop.

Users who visited the link (http://5[.]2[.]79[.]135/project/project/index.html) were asked to register in order to take part in an airdrop and receive tokens; the page did not specify which tokens. Pressing the “Submit details” button triggers a login.php script, which the researchers believe the group is using to develop this attack vector further.
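For a defender, the practical takeaway from the paragraph above is the published indicator itself: once refanged, the host and the login.php endpoint can be hunted for in web-proxy logs. The example below is added here and is not part of the original article or Group-IB's research; it assumes Squid-style access-log lines (constructed for the example, not real traffic) and shows how a POST to the credential-collecting script is distinguished from a visit to the landing page.

```python
import re
from typing import Dict, List

# Indicator exactly as published (defanged) in the Group-IB write-up.
DEFANGED_URL = "http://5[.]2[.]79[.]135/project/project/index.html"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable form.

    Handles the bracket-dot convention used in the article ("5[.]2[.]79[.]135")
    and the common "hxxp" scheme obfuscation.
    """
    out = indicator.replace("[.]", ".").replace("(.)", ".")
    out = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), out)
    return out


# Squid-style access-log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
1677600000.123    245 10.0.0.17 TCP_MISS/200 5120 GET http://5.2.79.135/project/project/index.html - HIER_DIRECT/5.2.79.135 text/html
1677600012.456    180 10.0.0.17 TCP_MISS/200 312 POST http://5.2.79.135/project/project/login.php - HIER_DIRECT/5.2.79.135 text/html
1677600020.789     90 10.0.0.23 TCP_HIT/200 8192 GET http://example.org/index.html - HIER_NONE/- text/html
"""

# Fields of the native Squid access log: timestamp, elapsed ms, client, status/code,
# bytes, method, URL (the remaining fields are not needed for the match).
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"https?://([^/]+)")


def hunt(log_text: str, defanged_url: str) -> List[Dict[str, object]]:
    """Return one hit per log line whose request host matches the indicator.

    Matching on the host rather than the exact path catches the follow-on POST
    to login.php described in the article as well as the initial landing page.
    """
    host = HOST_RE.match(refang(defanged_url)).group(1)
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req_host = HOST_RE.match(m["url"])
        if req_host and req_host.group(1) == host:
            hits.append(
                {
                    "client": m["client"],
                    "method": m["method"],
                    "url": m["url"],
                    # A POST to login.php is the credential submission, not just a page view.
                    "credential_post": m["method"] == "POST" and m["url"].endswith("login.php"),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, DEFANGED_URL):
        print(hit)
```

Matching on the host rather than the full URL is deliberate: the article names only the landing page, but the same host serves the login.php endpoint, and a client that reaches the POST has most likely already submitted a form.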

Group-IB also discovered a trove of SideWinder-specific tools, only some of which had previously been described publicly, written in a variety of programming languages such as C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group’s newest custom tool, StealerPy, a Python-based information stealer that has previously been used in phishing attacks against Pakistani organizations. The script can extract a victim’s Google Chrome browsing history and saved credentials, the list of folders in a directory, and the metadata and contents of .docx, .pdf, and .txt files. Tooling like this is a big part of the group’s reputation for carrying out “hundreds of espionage operations in a short period of time.”

The group has also been linked to various Southeast Asian cyber espionage campaigns, including attacks on Vietnam, the Philippines, and Cambodia.

The findings did not confirm whether SideWinder’s attempts to compromise victims were successful.

The sources for this piece include an article in DarkReading.
