Analysis Summary

A new cyber-espionage campaign targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean has been linked to the nation-state threat actor SideWinder.

Targets of the spear-phishing attack, according to the researchers who uncovered the activity, include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder is said to be associated with India. It is also known by the aliases APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger. Since it started operating in 2012, it has frequently used spear-phishing as a conduit to send harmful payloads that start attack chains.

To evade detection and deploy targeted implants, SideWinder uses document exploitation, DLL side-loading, and spear-phishing emails. The most recent round of attacks uses lures associated with firing employees and pay reductions to manipulate victims' emotions and deceive them into opening malicious Microsoft Word documents. When the decoy file is viewed, it uses a known security vulnerability (CVE-2017-0199) to connect to a malicious domain that impersonates the Directorate General Ports and Shipping of Pakistan to obtain an RTF file.

The RTF document then downloads another document that takes advantage of a long-standing security flaw in Microsoft Office Equation Editor, CVE-2017-11882, to launch JavaScript code through shellcode—but only after making sure the compromised system is real and valuable to the threat actor. Although the ultimate purpose of the JavaScript malware is probably intelligence collection, it is currently unknown what is supplied by it. This is based on previous campaigns that SideWinder has launched.

To target victims in new regions, the SideWinder threat actor is enhancing its infrastructure. The consistent development of SideWinder's delivery payloads and network infrastructure indicates that it will likely carry out more attacks shortly.

Impact

• Cyber Espionage
• Unauthorized Access
• Sensitive Data Theft

Indicators of Compromise

MD5

• 9a1c49322a9d950c047c2edfc781b778
• 379edeaa9ed92ebe6091177417b2c751
• 3233db78e37302b47436b550a21cdaf9
• 2462db3be57df824f003f74d7a16cacb

SHA-256

• 9572312a12605c6a6ea6447af6fc063f4196aeba523ed38ce2c5ff51c33d4831
• 006e5fe0c01712391c54319a9d1579d7208f3cfa9f49fe56a14d93f0d0e8928b
• 613068422c214b944c7b2e3fb60412ed99d35c9e18d53d45b16965c5a36f734a
• 142c6a4c7e9efbf6f3176df3ff218449bb4f7b2a69d60060e6339f1c3cc95d93

SHA1

• 79478f0831c8dbf3e5a761cd33826ec992676311
• 38210349974efaf4d7aac78538d04aa2256e4e99
• 3f26b7480d1db1234b998c65fae542c6fee0ef21
• d7086ef6bf35e1c360af522e3bc0e19fa6184b70

URL

• http://investigation04.session-out.com/fbd901_harassment/doc.rtf
• https://reports.dgps-govtpk.com/63645534-case/doc.rtf
• https://salary-cutting.session-out.com/37656199_notice/doc.rtf
• https://mailarmylk.mods.email/Ltr86-ef2265ef
• https://moitt-gov-pk.fia-gov.net/643705null
• https://mofa-gov-sa.direct888.net/015094_consulategz
• https://moitt-gov-pk.fia-gov.net/720705null
• https://heatwave.paknavy.store/pn/510426/doc.rtf
• https://mora.pdfadobe.com/d8149d32/mora/doc.rtf

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before attackers exploit them.
• Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Sidewinder APT group and other threat actors.