Severity
High
Analysis Summary
APT group SideWinder, which is based in India, has been increasingly active in attacking high-profile targets and strategic infrastructure across multiple countries in Asia, the Middle East, Africa, and even Europe. This indicates that the group is expanding its geographic reach. Researchers have discovered that the attacks also demonstrate the group's use of a sophisticated post-exploitation toolset known as "StealerBot" to expand its cyber-espionage activities.
The state-sponsored APT group has been operating since 2012, came to public attention in 2018 and is best known for its attacks on adversaries in China, Pakistan, Afghanistan, and Nepal; over the past six months it has shown signs of expanding its reach. Despite years of research, most of SideWinder's post-compromise activity remained unknown until researchers recently uncovered the latest attacks and detailed them in a blog post.
In particular, SideWinder has recently launched cyberattacks against organizations located in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates. A wide range of industries are impacted, including the military and government, financial organizations, universities, logistics, infrastructure and telecommunications firms, and oil trading companies. Additionally, diplomatic missions in Afghanistan, France, China, India, Indonesia, and Morocco were the targets of attackers. Regarding StealerBot, the researchers characterized the malware as a complex modular implant created especially for espionage activities. They consider this to be the primary post-exploitation tool utilized by SideWinder.
In the most recent wave of attacks, SideWinder used its usual attack chain, despite variations in geography and post-exploitation tooling. The infection begins with a spear-phishing email carrying an attachment. Typically, the attachment is a Microsoft OOXML document (.docx or .xlsx) or a .zip archive containing a malicious .lnk file. Opening it starts a multi-stage infection chain that, through several JavaScript and .NET downloaders, ultimately installs the StealerBot espionage tool.
Every document used in the attacks downloads an .rtf file from a remote server under the attackers' control using the remote template injection technique. The researchers said these files are crafted to exploit CVE-2017-11882, a seven-year-old memory corruption vulnerability in Microsoft Office, in order to download further malware and shellcode that uses a variety of evasion techniques to defeat sandboxes and hinder analysis. The malware's ultimate goal is to conduct cyber espionage and retrieve data from compromised systems.
StealerBot, a name given by the attackers themselves, is a modular implant written in .NET and designed to carry out espionage operations. Unlike the usual approach, in which the malware's components are written to the compromised machine's filesystem, the attack chain the researchers observed loads the components into memory through one of its many modules. In this case the malware functions as a backdoor loader, which the attackers named "ModuleInstaller".
That module functions as a downloader, launching the Trojan that SideWinder uses to maintain a foothold on infected systems. The researchers noted that although the group had used the program before and researchers had seen it, it had not been publicly documented until recently. ModuleInstaller was built by the attackers to drop at least four files: a malicious library, an encrypted payload, a legitimate signed application used to sideload the malicious library, and a .config manifest that is embedded in the program as a resource and required by the next stage to load additional modules.
The malware's primary module, dubbed the "Orchestrator", is responsible for executing and managing the other malware plugins in addition to communicating with SideWinder command-and-control (C2). All in all, StealerBot comes with multiple modules that may be used to execute a variety of tasks, such as installing more malware, taking screenshots, recording keystrokes, obtaining passwords from web browsers, stealing files, phishing Windows credentials, and increasing privileges by getting around user account control (UAC).
Because SideWinder relies on malicious .lnk files and scripts as well as public vulnerabilities and remote access trojans (RATs) as infection vectors, researchers have concluded that SideWinder is a low-skilled threat group. Defenders should not underestimate them, however, because only a close investigation of the specifics of their activity reveals their genuine capabilities. Potential targets should remain vigilant and aware of the threat the group poses, as the recent round of attacks marks a notable expansion of its activity.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Unauthorized Access
- Privilege Escalation
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
- Continuously monitor network traffic and security logs for any signs of suspicious activity. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the SideWinder APT group and other threat actors.