Severity
High
Analysis Summary
Researchers have been monitoring the activities of the SideWinder advanced persistent threat (APT) group and have discovered a new campaign by the group that targets Pakistan government organizations. The APT group uses a server-based polymorphism technique to deliver the next stage payload, which makes it harder for security software to detect and block the malware.
Server-side polymorphism is a technique used by threat actors and other distributors of malware to evade detection by antivirus scanners. Polymorphic malware is malicious code that changes its appearance through encryption and obfuscation, making each sample unique and difficult to detect. This property makes it challenging for traditional antivirus software that relies on signatures to detect the malware.
The Sidewinder APT group is known for its sophisticated attacks against government and military organizations in the South Asia region with a particular focus on Pakistan, Afghanistan, China, and Nepal. The group has been active since at least 2012 and has been linked to espionage and intelligence gathering activities.
The group’s latest campaign leveraging server-side polymorphism to deliver the next stage payload began in late November 2022 and was designed to target Pakistan government officials. The campaign utilized malicious documents that were created to trick officials by displaying convincing content relevant to their interests.
As part of the investigation, the research and intelligence team analyzed the documents used in the campaign to identify various artifacts that could be used to potentially locate other files of interest. One of the documents analyzed was titled “GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)”.

The group also used another malicious document in early December 2022. This document was titled “PK_P_GAA_A1_Offerred.docx” and was eight pages long. The document purported to be a letter of offer and acceptance “for the purchase of defense articles, defense services, or both.”
One interesting aspect of the SideWinder APT group’s latest campaign is that none of the documents used an embedded malicious macro code to deliver the next stage payload. Instead, the APT group exploited the CVE-2017-0199 vulnerability, also known as remote template injection.
In the case of the “GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).doc” malicious lure, the template was instructed to reach out to the remote address of hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf. The domain name “pnwc[.]bol-north[.]com” used in this campaign resolved to the IP address 5.230.73[.]106.
In the case of the “PK_P_GAA_A1_Offerred.docx” malicious lure, the template was instructed to reach out to the remote address of “hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf” to download the next stage payload. The domain “paknavy-gov-pk[.]downld[.]net” in this instance resolves to the IP address 185.205.187[.]234.
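The remote template injection pattern described above leaves a concrete artifact inside the document package: a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose Target is an external URL. The following script, added here as an illustration and not code from the advisory or from Rewterz, extracts that relationship from a .docx and compares the target host with the domains listed in this advisory. The sample document is constructed in memory (a minimal OOXML package, assumed to follow the standard part layout) so the check runs offline; its template URL is the pnwc.bol-north.com indicator from the analysis.

```python
"""Added example (not from the advisory): flag Word documents whose settings
relationships point to an external template, the remote template injection
pattern (CVE-2017-0199) described in the analysis, and match the target host
against the advisory's IOC domains."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

# Relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Domains taken from the advisory's analysis and IOC sections.
IOC_DOMAINS = {
    "pnwc.bol-north.com",
    "paknavy-gov-pkp.downld.net",
    "paknavy-gov-pk.downld.net",
    "cstc-spares-vip-163.dowmload.net",
    "mtss.bol-south.org",
    "slpa.mod-gov.org",
    "mailnavymilbd.govpk.net",
}


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the package."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets  # no settings relationships: nothing to attach
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target", ""))
    return targets


def assess(docx_bytes: bytes) -> dict:
    """Any external template is worth review; a target whose host is in the
    advisory's IOC list is an outright match."""
    targets = external_templates(docx_bytes)
    hits = [t for t in targets if urlparse(t).hostname in IOC_DOMAINS]
    verdict = "ioc_match" if hits else ("suspicious" if targets else "clean")
    return {"external_templates": targets, "ioc_matches": hits, "verdict": verdict}


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx: only the parts needed to exercise the check."""
    rel = ""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


# Constructed samples: one mimicking the lure's template pointer, one benign.
SAMPLE_LURE = build_sample_docx(
    "https://pnwc.bol-north.com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf")
SAMPLE_CLEAN = build_sample_docx(None)

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(name, assess(blob))
```

Because the lure documents carry no macro, macro-focused mail filters do not see them; inspecting the package relationships as above catches the remote template pointer before Word ever fetches it. In practice the "suspicious" verdict (an external template that is not a known indicator) is the one that matters most, since the hosting domain changes between campaigns while the technique does not.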

It’s worth noting that cybercriminals often use domains that resemble legitimate ones to deceive victims and evade detection by security solutions. In this case, the use of a domain name that closely resembles the official domain of Pakistan’s navy (paknavy.gov.pk) may have made the lure more convincing to potential victims.
The SideWinder APT group’s primary targets remain government organizations in Pakistan. However, in early March 2023, the researchers identified a new campaign targeting Turkey. It’s worth noting that while the group’s main focus is on Southeast Asian regions such as Pakistan and Sri Lanka, they have also been known to target other countries in the past.
APT groups like SideWinder are known for their persistence and focus on specific targets, often with political or strategic motivations. To protect against such threats, organizations should implement robust security measures, including up-to-date endpoint protection, network segmentation, regular vulnerability assessments and penetration testing, and employee training on best practices for cybersecurity hygiene. It is also important to monitor for any suspicious activity and have a well-defined incident response plan in place to respond quickly and effectively in the event of a cyberattack.
Impact
- Information Theft and Espionage
Indicators of Compromise
Domain Name
- slpa.mod-gov.org
- mailnavymilbd.govpk.net
IP
- 5.230.73.106
MD5
- 3b853ae547346befe5f3d06290635cf6
- ef00004a1ebc262ffe0fb89aa5524d42
- 6c7d24b90f3c6b4383bd7d08374a0c6f
SHA-256
- bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f
- a3283520e04d7343ce9884948c5d23423499fa61cee332a006db73e2b98d08c3
- 4db0a2d4d011f43952615ece8734ca4fc889e7ec958acd803a6c68b3e0f94eea
SHA-1
- dbdc7073a29e53aa16340d0c3da22680168aea94
- 05ebfd620475269c1228f87048c237a276745f1f
- 33657ac7b0b7793c21a5a1ea6a78c72fa48857e1
URL
- https://paknavy-gov-pkp.downld.net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file.rtf
- https://pnwc.bol-north.com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf
- https://cstc-spares-vip-163.dowmload.net/14668/1/1228/2/0/0/0/m/files-403a1120/file.rtf
- https://mtss.bol-south.org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf
- https://paknavy-gov-pk.downld.net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file.rtf
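The indicators above are printed in two forms on this page: defanged in the analysis (hxxps, [.]) and plain in the IOC list. The script below, added here as an example and not part of the advisory or Rewterz tooling, normalises both forms, reduces URLs to their host, and sweeps proxy and DNS log lines for the advisory's domains and IP addresses. The log lines and the key=value log format are constructed for the example; only the indicators come from the page.

```python
"""Added example (not from the advisory): hunt for the advisory's indicators
in proxy and DNS logs. Indicators are copied from the page, some in the
defanged form the analysis uses; the log lines are constructed."""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

RAW_IOCS = [
    "hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf",
    "https://paknavy-gov-pk.downld.net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file.rtf",
    "slpa.mod-gov.org",
    "mailnavymilbd.govpk.net",
    "5.230.73[.]106",
    "185.205.187.234",
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def refang(value: str) -> str:
    """Undo the defanging conventions used in the advisory text."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[:]", ":").replace("[.]", ".")


def index_iocs(raw: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split indicators into host names and IPs; URL paths are dropped because
    matching happens at host level."""
    hosts: Set[str] = set()
    ips: Set[str] = set()
    for item in map(refang, raw):
        host = urlparse(item).hostname if "://" in item else item.lower()
        (ips if IP_RE.match(host) else hosts).add(host)
    return hosts, ips


def parse_kv(line: str) -> Dict[str, str]:
    """Parse the constructed key=value log format into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def hunt(lines: List[str], raw_iocs: List[str] = RAW_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_index, indicator, field) for every indicator hit."""
    hosts, ips = index_iocs(raw_iocs)
    hits = []
    for i, line in enumerate(lines):
        f = parse_kv(line)
        candidates = []
        if "url" in f:      # proxy: host of the requested URL
            candidates.append(("url", (urlparse(f["url"]).hostname or "").lower()))
        if "query" in f:    # DNS: queried name
            candidates.append(("query", f["query"].lower().rstrip(".")))
        if "dst" in f:      # proxy: destination IP
            candidates.append(("dst", f["dst"]))
        for field, value in candidates:
            if value in hosts or value in ips:
                hits.append((i, value, field))
    return hits


# Constructed sample log lines: two proxy entries and two DNS entries.
SAMPLE_LOGS = [
    '2022-12-02T09:14:03Z proxy src=10.20.1.45 dst=185.205.187.234 method=GET '
    'url="https://paknavy-gov-pk.downld.net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file.rtf" '
    'ua="Microsoft Office/16.0"',
    '2022-12-02T09:14:01Z dns client=10.20.1.45 query=paknavy-gov-pk.downld.net type=A',
    '2022-12-02T09:20:11Z dns client=10.20.1.77 query=www.example.com type=A',
    '2022-12-02T09:31:40Z proxy src=10.20.1.90 dst=93.184.216.34 method=GET '
    'url="https://www.example.com/" ua="curl/8.0"',
]

if __name__ == "__main__":
    for idx, indicator, field in hunt(SAMPLE_LOGS):
        print(f"line {idx}: {field}={indicator} -> {SAMPLE_LOGS[idx][:60]}...")
```

Matching on host rather than full URL is deliberate: the numeric path segments in the listed URLs look per-victim and would not survive a second campaign, while the domains and the 5.230.73.106 and 185.205.187.234 addresses are the stable part of the infrastructure this advisory documents.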
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.