May 4, 2024
Severity
High
Analysis Summary
Phishing PDF documents purporting to come from the Prime Minister's Office of Pakistan and the Ministry of Foreign Affairs (MOFA) have recently been discovered as part of a sophisticated campaign attributed to threat actors assessed to be part of the Sidewinder APT group.
The campaign centres on a phishing PDF titled "Outstanding Payment of Tender upload fee PPRA.pdf", themed as a document from the Office of the Prime Minister of Pakistan. At the time of analysis the file was not detected by any antivirus engine, which raises significant concerns about its potential impact on targeted systems.
Initial access is obtained through a spear-phishing link (ATT&CK T1566.002): the PDF lure carries clickable URLs rather than an embedded payload, which is also why a link-only lure is hard for signature-based antivirus to flag, since the document itself contains no malicious code, only a URL. Once a victim follows the link, the actors may exploit a vulnerability in the client application to execute code (Exploitation for Client Execution, T1203). They then conceal their activity by masquerading malicious files as legitimate ones (T1036), staging them inside user-profile directories, and hiding artifacts such as running tools in hidden windows (T1564.003).
The campaign employs several credential-access techniques: stealing web session cookies (T1539), hunting for unsecured credentials in files (T1552), and harvesting credentials from web browsers and password databases (T1555). The actors profile the host through registry queries (T1012) and system information discovery (T1082), then collect data from the local system (T1005), specifically searching for sensitive or otherwise interesting files.
Command-and-control traffic blends in with normal activity by using encrypted channels (T1573) over standard application-layer protocols (T1071), and the actors can disrupt system availability and network resources by deleting data (Data Destruction, T1485). The campaign shows how the group keeps refining its tradecraft in pursuit of data theft and cyber espionage. Organizations should treat attachments and links received from unknown senders with suspicion.
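The spear-phishing-link mechanism above can be triaged without opening the document: a PDF link annotation stores its target in a `/URI` entry, so the clickable URLs can be pulled straight out of the file and checked against where a genuine government document would point. The following Python script is an added example for this advisory, not code from the original page or from any vendor tool. The embedded PDF is constructed here as sample input (one link to the advisory's IOC domain, one hex-encoded link to a made-up `example.gov.pk` host), and the `.gov.pk` trusted suffix and the lookalike keyword list are assumptions to adapt to your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed single-page PDF with two link annotations; sample input for this
# example, not the lure from the advisory. The first /URI is a literal string
# pointing at the advisory's IOC domain, the second is a hex string (PDF allows
# either encoding) pointing at a constructed government host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (http://info.goverment-pk-update.top/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e676f762e706b2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by either a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_SIMPLE_ESCAPES = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}  # \n \r \t \b \f


def _unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes (\\( \\) \\\\ \\ddd and \\n etc.)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 >= len(raw):   # not a backslash escape
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt in b"01234567":               # up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))   # \( \) \\ decode to themselves
            i += 2
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the PDF, in document order."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group(1) is not None:
            uris.append(_unescape_literal(m.group(1)))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(2))
            if len(hexdigits) % 2:
                hexdigits += b"0"           # PDF pads an odd trailing digit with 0
            uris.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))
    return uris


# Assumption: links in a genuine PM Office / MOFA document would stay under the
# Pakistani government zone. Adjust both lists for your own environment.
TRUSTED_SUFFIXES = (".gov.pk",)
LOOKALIKE_TOKENS = ("gov", "pk-", "-pk", "pmo", "mofa")


def classify(uri: str) -> str:
    """'trusted', 'lookalike' (government-themed name on an untrusted zone), 'untrusted' or 'no-host'."""
    host = (urlparse(uri).hostname or "").lower()
    if not host:
        return "no-host"
    if any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        return "lookalike"
    return "untrusted"


def triage(pdf: bytes) -> list[tuple[str, str]]:
    """Pair each clickable URL with its verdict; a non-trusted link in an 'official' PDF is the red flag."""
    return [(u, classify(u)) for u in extract_uris(pdf)]


if __name__ == "__main__":
    for uri, verdict in triage(SAMPLE_PDF):
        print(f"{verdict:10} {uri}")
```

The regex runs over the raw bytes, so it will miss `/URI` entries that sit inside compressed object streams; for real triage, decompress first (for example with `qpdf --qdf`) or feed the same classification to the output of a proper PDF parser. The point of the example is the decision, not the parsing: a document claiming to come from a ministry whose links resolve to a "goverment" typosquat on a commodity TLD should be quarantined before anyone clicks.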
Impact
- Code Execution
- Sensitive Data Theft
- Credential Theft
- Data Loss
Indicators of Compromise
Domain Name
- info.goverment-pk-update.top
MD5
- d4eb4cee8aeb6f2ea36afadeda9dbb23
- 38f96b882363cb659d4cabec49bf605c
SHA-256
- 23f3a046884bf94ec706f98000a9efbda48455b4dd86f0665409937b1fb811cb
- 8a6e381ab6f1d2ab74e3ee232680d5991c9f751241a6a0c3f0d9082d2cf61a05
SHA-1
- f3d38a0cc1f4e0a8ac734fdf035ebff93158aa05
- f879990d7d29a44f0cb14e9da4ef33ac90c0db8c
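The first two remediation steps below, blocking the indicators and hunting for them, are mechanical enough to script. The following Python script is an added example written for this advisory, not a tool from the original page: it hashes every file under a directory in a single pass and compares all three digest types against the IOC list above, and it scans resolver-style log lines for the IOC domain. Two things in it are assumptions: the DNS log format (constructed `query=` lines, not real telemetry) and the decision to also match the IOC's parent zone `goverment-pk-update.top` at lower confidence, on the reasoning that the actor controls the whole registered domain, not just the `info` host.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the advisory.
IOC_DOMAINS = {"info.goverment-pk-update.top"}
IOC_HASHES = {
    "md5": {"d4eb4cee8aeb6f2ea36afadeda9dbb23", "38f96b882363cb659d4cabec49bf605c"},
    "sha1": {"f3d38a0cc1f4e0a8ac734fdf035ebff93158aa05", "f879990d7d29a44f0cb14e9da4ef33ac90c0db8c"},
    "sha256": {"23f3a046884bf94ec706f98000a9efbda48455b4dd86f0665409937b1fb811cb",
               "8a6e381ab6f1d2ab74e3ee232680d5991c9f751241a6a0c3f0d9082d2cf61a05"},
}


def file_hashes(path: str) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of one file, computed in a single read pass."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in h.values():
                d.update(chunk)
    return {k: d.hexdigest() for k, d in h.items()}


def hunt_files(root: str, iocs=IOC_HASHES) -> list[tuple[str, str, str]]:
    """Walk root; return (path, algorithm, digest) for every file whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:
                continue  # unreadable or vanished file; a real hunt would log this
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    hits.append((path, algo, digest))
    return hits


def registrable_parents(domain: str) -> set[str]:
    """Parent zones of a host IOC, e.g. info.x.top -> {x.top}.

    Assumption: the parent is attacker-controlled too. This naive split does not
    know public suffixes (co.uk etc.); use the Public Suffix List in production.
    """
    labels = domain.split(".")
    return {".".join(labels[i:]) for i in range(1, len(labels) - 1)}


DNS_QUERY_RE = re.compile(r"\bquery=(?P<q>[A-Za-z0-9.-]+)")


def hunt_dns(lines, iocs=IOC_DOMAINS) -> list[tuple[str, str]]:
    """Return (queried_name, confidence) for lines resolving an IOC host ('high') or its parent zone ('medium')."""
    parents = set().union(*(registrable_parents(d) for d in iocs))
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        q = m.group("q").lower().rstrip(".")
        if q in iocs or any(q.endswith("." + d) for d in iocs):
            hits.append((q, "high"))
        elif q in parents or any(q.endswith("." + p) for p in parents):
            hits.append((q, "medium"))
    return hits


# Constructed resolver log lines for the demo; not real telemetry.
SAMPLE_DNS_LOG = [
    "2024-05-04T09:12:01Z client=10.0.5.23 query=www.example.org. type=A",
    "2024-05-04T09:12:07Z client=10.0.5.23 query=info.goverment-pk-update.top. type=A",
    "2024-05-04T09:13:44Z client=10.0.5.41 query=cdn.goverment-pk-update.top. type=A",
    "2024-05-04T09:14:02Z client=10.0.5.41 query=update.top. type=A",
]


def demo():
    """Run both hunts on constructed data; the second file hunt uses a simulated IOC to show a hit."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Outstanding Payment of Tender upload fee PPRA.pdf")
        with open(sample, "wb") as f:
            f.write(b"%PDF-1.4 constructed stand-in, not the real lure")
        real_hits = hunt_files(tmp)                         # constructed bytes never match the real IOCs
        simulated = {"sha256": {file_hashes(sample)["sha256"]}}
        sim_hits = [(os.path.basename(p), a) for p, a, _ in hunt_files(tmp, simulated)]
    return real_hits, sim_hits, hunt_dns(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    real, simulated, dns = demo()
    print("file hits (real IOCs):", real)
    print("file hits (simulated IOC):", simulated)
    print("dns hits:", dns)
```

Hash matching is the weakest form of hunting here: a recompiled lure or a one-byte change to the PDF defeats it, so treat the hashes as confirmation of known samples and lean on the domain and on the behavioural TTPs in the summary for anything new. When you block the domain, block the parent zone as well; the `medium` match on `cdn.goverment-pk-update.top` in the sample output is exactly the kind of sibling host a hash-only or exact-domain rule would miss.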
Remediation
- Block the indicators listed above at your respective controls: the domain at DNS, proxy and firewall layers, the file hashes in endpoint protection.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls, checking endpoints for the file hashes and DNS, proxy and firewall logs for the domain.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software on time and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy intrusion detection and prevention (IDPS) solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before attackers exploit them.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Sidewinder APT group and other threat actors.