SideWinder Group's New Upgrade Targets Ports & Maritime Facilities

SideWinder, a nation-state actor with an upgraded toolset, is targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea in a new campaign.

Phishing emails featuring specific logos and themes indicate a focus on Pakistan, Egypt, and Sri Lanka initially, expanding to Bangladesh, Myanmar, Nepal, and the Maldives in subsequent phases.

In this campaign the adversary weaponizes and delivers a payload, uses obfuscation and process hollowing to evade defenses, then executes the payload and establishes command-and-control over DNS tunneling.

To maintain persistence, they create scheduled tasks and implant backdoors. Discovery techniques such as account discovery are used to map the network environment, which supports later lateral movement and data exfiltration.

The primary attack vector is weaponized documents containing obfuscated JavaScript, aimed at maritime organizations in the Mediterranean and Indian Ocean regions and most likely delivered through phishing emails sent from dedicated domains.

The campaign demonstrates a focused approach, leveraging sophisticated techniques to compromise network infrastructure within the targeted sector. 

A visual lure contained in one of the malicious documents.

The SideWinder APT group employs sophisticated social engineering tactics to deliver malicious documents disguised as legitimate official communications. 

By crafting documents with emotionally charged content related to target organizations, such as port infrastructure or employee terminations, they manipulate victims into opening attachments and compromising their systems. 

These “visual bait” documents serve as a distraction, preventing victims from noticing early indicators of malware infection while the threat actor establishes a foothold within the target environment. 

Another visual lure. The text is written in the Sinhala language used in Sri Lanka.

Threat actors employed a multi-stage phishing attack leveraging social engineering and a known Microsoft Office vulnerability (CVE-2017-0199). Malicious Word documents, disguised as urgent notifications, were distributed via email and designed to induce panic and immediate action from recipients. 

Upon opening, these documents downloaded subsequent malware stages from a compromised website, exploiting outdated or unpatched systems.

The URL of the next malicious stage is embedded in the body of the document's OLE object.

The SideWinder campaign uses RTF documents exploiting the CVE-2017-11882 vulnerability to deliver shellcode, which checks the processor type to avoid running in virtual environments and then decrypts a small JavaScript payload.

This JavaScript fetches the next-stage payload, another JavaScript, from a C2 server hosted on a Tor node, while the second stage rotates through several domains with similar naming structures for obfuscation.
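Because both document types described above carry their next-stage pointer inside an embedded OLE object, a defender's first triage step is to decode the RTF's hex-encoded object data and pull out the object class and any URL without opening the file. The following is an added example, not code from this article or from BlackBerry's research; the RTF sample is constructed here, the URL is a placeholder, and the "Equation.3" ProgID and `\objupdate` check are assumed indicators for the two CVEs named above.

```python
import re

# Constructed sample: an RTF with one embedded OLE object whose hex-encoded
# \objdata holds an Equation.3 class name and a UTF-16LE next-stage URL
# (placeholder host, not a real indicator from the campaign).
_OLE_BLOB = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"          # OLE 1.0 header fields
    + b"\x0b\x00\x00\x00Equation.3\x00"         # length-prefixed class name
    + b"\x00" * 8
    + "http://next-stage.example.invalid/s2.hta".encode("utf-16-le")
    + b"\x00\x00"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Urgent notice\\par"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _OLE_BLOB.hex().encode() + b"}}}"
)

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([\w.]+)")
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w.\-/?=&%]*)?", re.I)


def decode_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex run into the raw OLE object bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:                 # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def extract_urls(blob: bytes) -> list:
    """URLs in the OLE payload, ASCII or UTF-16LE (null-stripping heuristic)."""
    found = set(URL_RE.findall(blob))
    found.update(URL_RE.findall(blob.replace(b"\x00", b"")))
    return sorted(u.decode("ascii", "replace") for u in found)


def triage_rtf(rtf: bytes) -> dict:
    """Indicators an analyst wants before detonating the document."""
    report = {
        "objclass": [c.decode("ascii", "replace") for c in OBJCLASS_RE.findall(rtf)],
        "objupdate": b"\\objupdate" in rtf,    # object auto-updates on open
        "urls": [],
    }
    for blob in decode_objdata(rtf):
        report["urls"].extend(extract_urls(blob))
    eq = any(c.lower().startswith("equation") for c in report["objclass"])
    report["suspicious"] = eq or (report["objupdate"] and bool(report["urls"]))
    return report
```

Any URL the script recovers is a candidate for proxy and DNS log searches across the rest of the fleet, which is where the similarly named second-stage domains described above become visible.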

According to the BlackBerry Threat Research and Intelligence team, the threat actor employs a two-stage targeting strategy. Initial targeting focuses on Pakistan, Egypt, and Sri Lanka, leveraging domain names and content aligned with these regions. 

Subsequent targeting expands to Bangladesh, Myanmar, Nepal, and the Maldives through subdomain registration, which suggests a coordinated campaign aiming to compromise government and military entities within these countries, potentially for intelligence gathering or other malicious purposes. 

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
