Rewterz Threat Alert – SideWinder Threat Actors Targeting Pakistani Entities Using Fake Android VPN Apps – Active IOCs

Severity

High

Analysis Summary

Researchers discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17), a threat actor originating from India and particularly targeting Pakistan. SideWinder.AntiBot.Script, a newly found bespoke tool, is being utilized in a phishing attack against Pakistani targets.

They discovered 92 IP addresses used by SideWinder APT for phishing emails during the previous year. The group’s major attack vectors are phishing URLs in emails or posts that seem like authentic notifications and services from Pakistani government institutions and organizations. SideWinder has recently begun to screen its victims using an anti-bot script; they are solely interested in Pakistani users. The group is still distributing malicious files in ZIP archives that contain an LNK file that downloads an HTA file from a remote site. Researchers alerted the relevant local authorities and shared their findings to ensure that the issue could be detected and mitigated at early stages. They also uncovered a phishing document earlier this year that enticed victims with the lure of “a formal debate of the impact of the US departure from Afghanistan on maritime security. Phishing campaigns associated with the SideWinder threat actor group involved a fake VPN app for Android devices published on the Google Play Store, as well as a bespoke tool that filters victims for improved targeting.

The current phishing campaign utilized this method against targets as well, with the actor setting up various websites that looked like real Pakistani government domains like finance.pakgov[.]net, vpn.pakgov[.]net, and others. A fake version of the ‘Secure VPN’ software on Google Play was identified during the investigation. This app can pinpoint people of interest and lead them to a malicious website. The official Android app store is likewise a forgery.

These apps can gather important parameters from hosts and send them back to their C2. Location, Battery status, Files on device, Sensor information, Device information, Camera information, Screenshot, Account, Wifi information, and more are examples of such parameters. The adversary used a custom tool which has recently been introduced to their arsenal, known as SideWinder.AntiBot.Script. If the script detects a visitor from a Pakistani IP address, it redirects them to a malicious website. It can also determine how many logical processors the system has and what visual card the host is using. The script’s most important function is to provide a malicious file and redirect a non-interest target to a genuine resource.

According to the findings, SideWinder’s infrastructure is broadly spread, allowing it to deploy additional command and control servers to support phishing operations.

Impact

• Information Theft and Espionage

Indicators of Compromise

Domain Name

• finance[.]pakgov[.]net
• vpn[.]pakgov[.]net
• csd[.]pakgov[.]net
• hajj[.]pakgov[.]net
• nadra[.]pakgov[.]net
• pt[.]pakgov[.]net
• flix[.]pakgov[.]net
• covid[.]pakgov[.]net

IP

• 198[.]252[.]108[.]29
• 5[.]2[.]75[.]227
• 158[.]255[.]211[.]42
• 103[.]25[.]60[.]137
• 5[.]230[.]67[.]166
• 92[.]118[.]190[.]163
• 5[.]230[.]67[.]22
• 45[.]138[.]172[.]23
• 5[.]2[.]72[.]165
• 5[.]2[.]70[.]111
• 92[.]118[.]190[.]165
• 83[.]171[.]239[.]231
• 46[.]30[.]189[.]247
• 79[.]141[.]165[.]219
• 172[.]96[.]189[.]194
• 203[.]9[.]150[.]233
• 190[.]211[.]254[.]170
• 5[.]230[.]67[.]191
• 92[.]118[.]190[.]118
• 5[.]252[.]179[.]18
• 5[.]182[.]206[.]168
• 103[.]199[.]16[.]131
• 194[.]180[.]191[.]8
• 185[.]225[.]17[.]85
• 185[.]225[.]17[.]46
• 134[.]255[.]235[.]156
• 194[.]180[.]174[.]223
• 91[.]208[.]52[.]78
• 62[.]113[.]255[.]106
• 45[.]131[.]66[.]28
• 94[.]158[.]245[.]204
• 92[.]118[.]190[.]122
• 5[.]252[.]179[.]197
• 2[.]56[.]245[.]21
• 45[.]89[.]127[.]244
• 91[.]208[.]52[.]217
• 103[.]199[.]16[.]30
• 185[.]225[.]17[.]227
• 94[.]158[.]245[.]67
• 185[.]225[.]19[.]92
• 185[.]243[.]115[.]154
• 91[.]208[.]52[.]58
• 213[.]170[.]133[.]190
• 213[.]170[.]133[.]173
• 45[.]159[.]48[.]19
• 5[.]255[.]103[.]63
• 103[.]199[.]17[.]124
• 94[.]158[.]245[.]32
• 45[.]159[.]48[.]193
• 45[.]147[.]228[.]127
• 185[.]158[.]114[.]118
• 5[.]252[.]178[.]129
• 62[.]113[.]245[.]81
• 212[.]83[.]46[.]186
• 185[.]163[.]45[.]140
• 104[.]128[.]189[.]34
• 155[.]94[.]160[.]234
• 185[.]163[.]45[.]42
• 185[.]163[.]45[.]92
• 45[.]89[.]127[.]246
• 91[.]200[.]103[.]211
• 185[.]243[.]112[.]90
• 94[.]158[.]245[.]66
• 185[.]163[.]47[.]254
• 46[.]30[.]188[.]169
• 193[.]19[.]119[.]141
• 185[.]163[.]45[.]6
• 193[.]142[.]58[.]139
• 92[.]118[.]190[.]160
• 96[.]9[.]211[.]165
• 96[.]9[.]211[.]156
• 45[.]159[.]48[.]22
• 185[.]225[.]19[.]142
• 185[.]248[.]100[.]149
• 5[.]181[.]156[.]244
• 45[.]89[.]127[.]240
• 5[.]181[.]156[.]107
• 185[.]163[.]45[.]63
• 212[.]83[.]46[.]184
• 5[.]252[.]195[.]161
• 45[.]86[.]163[.]49
• 185[.]163[.]45[.]46
• 91[.]208[.]52[.]215
• 45[.]86[.]163[.]115
• 45[.]86[.]162[.]75
• 45[.]155[.]173[.]197
• 5[.]252[.]195[.]55
• 5[.]252[.]195[.]27

URL

• http[:]//faujifoundation[.]bitlyy[.]me/offer-55f9918f
• https[:]//finance[.]pakgov[.]net/salary-a4222e91
• https[:]//finance[.]govpk-mail[.]net/financecircular-38149cbd
• http[:]//smstest[.]kdf-mail[.]com/147632-86182096
• https[:]//askari[.]bitlyy[.]me/offer-eaec3587
• http[:]//news[.]dawnpk[.]org/pk-9a6d7f1e
• http[:]//islamicfinder[.]bitlyy[.]me/pk-5bc259ee
• https[:]//pkflix[.]tin-url[.]com/pkflix-71e35ba2
• https[:]//nadra[.]pakgov[.]net/certificate-b14a482c
• http[:]//shoprex[.]bitlyy[.]me/offers-2cedda5a
• https[:]//covid[.]pakgov[.]net/guidelines-a44a9d99
• https[:]//telemart[.]bitlyy[.]me/deals-3affd2bb
• https[:]//xyz[.]kdf-mail[.]com/1596-f35d483e
• http[:]//vpn[.]pakgov[.]net/Download-3b00fd1a
• https[:]//hajjplanner[.]tin-url[.]com/trip-687b5e5f

Remediation

• Look for IOCs in your surroundings.
• Disable all threat indicators at your respective controls
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets
• Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.
• Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.