Severity
High
Analysis Summary
SideWinder, an APT group, is reported to have carried out over 1,000 attacks since April 2020. The group has been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan being the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are aliases for SideWinder. They employ custom exploit implementations against existing vulnerabilities and then deploy a PowerShell payload in the final stages to deliver the malware. SideWinder has also been detected using credential phishing sites cloned from their victims’ webmail login pages.
SideWinder’s primary attack vector is sending convincing spear-phishing emails with malware-rigged document attachments to carefully selected targets. The group primarily uses existing Windows or Android vulnerabilities, including old Microsoft Office flaws, rather than zero-day exploits. In January 2020, however, researchers revealed that SideWinder had exploited a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android phones at the time of its disclosure. SideWinder has also been observed using the ongoing Russian-Ukrainian conflict as bait in its phishing attempts to spread malware and steal sensitive data.
The threat actor has a significant C2 infrastructure consisting of over 400 domains and subdomains used to host and manage malicious payloads. The first-stage domains host the first-stage malware delivered by the spear-phishing messages, receive the information collected by that malware, and host the second-stage payloads. The researchers also observed several freshly registered domains that were most likely intended to broaden the target list to other countries.
To avoid detection, the group uses a variety of tactics, including numerous obfuscation techniques, encryption with a unique key for each malware sample, multi-layer malware strains, and memory-resident malicious payloads. This threat actor is quite sophisticated, employing a variety of infection channels and complex attack techniques. The final payload is a backdoor that allows the attackers to take control of affected systems.

Researchers also described the command and control domains used in the final stages of the attacks. The C2 communication URLs for these domains are split into two parts:
- The Installer module carries the first part of the URL, which is the encrypted C2 server domain name.
- The second-stage HTA module carries the second part of the URL, also in encrypted form.
Since this threat actor employs a variety of infection vectors and innovative attack techniques, organizations must adopt up-to-date versions of Microsoft Office to mitigate such attacks.
Impact
- Information Theft and Espionage
Remediation
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Search for Indicators of Compromise (IOCs) in your environment using your respective security controls.