Severity

High

Analysis Summary

Sidewinder is a suspected Indian threat actor group that has been active since 2012. They have been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are some of the other names for Sidewinder APT. This APT has been targeting Pakistani government officials with a decoy file related to NTC (National Telecom Corporation) in its most recent effort. They employ custom implementations to attack existing vulnerabilities and then deploy a Powershell payload in the final stages to distribute the malware. Sidewinder was also detected employing credential phishing sites that were copied from their victims’ webmail login pages.

Sidewinder Group has been actively targeting the Government of Pakistan via phishing emails, dropping malicious Word documents which enables macro when downloaded and executed. The malicious file suspected of being used as an attachment has the name mail.hitt.pkgov.org/.

Impact

• Information Theft and Espionage

Indicators of Compromise

Domain Name

• pmo[.]nationalhelpdesk[.]pk
• sngpl[.]org[.]pk

IP

• 3[.]37[.]215[.]204
• 18[.]229[.]249[.]186
• 52[.]79[.]102[.]70
• 16[.]162[.]223[.]161
• 95[.]179[.]160[.]235
• 45[.]76[.]84[.]233

URL

• https[:]//mail[.]hitt[.]pkgov[.]org/

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.