IP:Port | Timestamp |
---|---|
Domain | Timestamp |
---|---|
mail-mofagovpk.servehalflife.com | 2023-10-16 |
mail-mofagovpk.serveirc.com | 2023-10-16 |
mail-pmogovpk.servehttp.com | 2023-10-16 |
ntc-govpk.servehttp.com | 2023-10-16 |
ntdc-govpk.viewdns.net | 2023-10-16 |
sharepakistanmofa.servehttp.com | 2023-10-16 |
vibe-ptclnetpk.servehalflife.com | 2023-10-16 |
complaints-ntcgovpk.viewdns.net | 2023-10-16 |
mail-mofagovpk.viewdns.net | 2023-10-16 |
cloud-ptclnetpk.servehttp.com | 2023-10-16 |
URL | Timestamp |
---|---|
https://mtss.bol-south.org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf | 2023-03-10 |
2023-05-17 by Nikita Rostovtsev from Group-IB
2022-07-20 by Red Raindrops Team from Qianxin
2022-04-14 by DCSO CyTec from Medium (@DCSO_CyTec)
2021-03-04 by Malpedia from Malpedia
2021-01-13 by Tom Hegel from AlienVault
2020-12-09 by AlienVault from AlienVault OTX
2020-12-09 by Joseph C Chen from Trend Micro
2020-10-26 by Threat Intelligence Center from Qianxin
2020-05-28 by Threat Intelligence Center from Qianxin
2019-02-26 by Tencent Yujian Threat Intelligence Center from Tencent
2018-07-16 by Sébastien Larinier from Medium Sebdraven
2018-05-23 by Tencent Mimi Threat Intelligence Center from Tencent
Actor: SideWinder, Rattlesnake
Names: SideWinder, Rattlesnake, Razor Tiger, T-APT-04, APT-C-17, Hardcore Nationalist, HN2, APT-Q-39, BabyElephant, GroupA21
Country: India
Motivation: Information theft and espionage
First-seen: 2012
Description: (Kaspersky) An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.
Observed-sectors: Defense
Observed-sectors: Government
Observed-countries: Afghanistan
Observed-countries: Bangladesh
Observed-countries: Bhutan
Observed-countries: China
Observed-countries: Myanmar
Observed-countries: Nepal
Observed-countries: Pakistan
Observed-countries: Qatar
Observed-countries: Sri Lanka
Observed-countries: Turkey
Tools: BroStealer
Tools: callCam
Tools: Capriccio RAT
Operations: 2019-03
Operations: First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
Operations: 2021-06
Operations: Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021 https://www.group-ib.com/resources/research-hub/sidewinder-apt/
Operations: 2022-03
Operations: SideWinder’s malicious document, which also exploits the Russia-Ukraine conflict, was uploaded to VT in the middle of March. https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
Operations: 2022-05
Operations: Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder https://blog.group-ib.com/sidewinder-antibot
Operations: 2022-11
Operations: SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
Information: https://securelist.com/apt-trends-report-q1-2018/85280/
Information: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf
Information: https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c
Information: https://s.tencent.com/research/report/479.html
Information: https://s.tencent.com/research/report/659.html
Information: https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
Information: https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html
Information: https://www.neosecuretendencias2021.com/assets/pdfs/crowdstrike/2021%20Global%20Threat%20Report%20FINAL%20.pdf
Information: https://www.group-ib.com/blog/hunting-sidewinder/
Mitre-attack: https://attack.mitre.org/groups/G0121/
Last-card-change: 2023-06-21
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Observed use |
---|---|---|
TA0043 Reconnaissance | T1598.002 Phishing for Information: Spearphishing Attachment | SideWinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites. |
TA0043 Reconnaissance | T1598.003 Phishing for Information: Spearphishing Link | SideWinder has sent e-mails with malicious links to credential harvesting websites. |
TA0042 Resource Development | (none listed) | |
TA0001 Initial Access | T1566.001 Phishing: Spearphishing Attachment | SideWinder has sent e-mails with malicious attachments often crafted for specific targets. |
TA0001 Initial Access | T1566.002 Phishing: Spearphishing Link | SideWinder has sent e-mails with malicious links often crafted for specific targets. |
TA0002 Execution | T1059.001 Command and Scripting Interpreter: PowerShell | SideWinder has used PowerShell to drop and execute malware loaders. |
TA0002 Execution | T1059.005 Command and Scripting Interpreter: Visual Basic | SideWinder has used VBScript to drop and execute malware loaders. |
TA0002 Execution | T1059.007 Command and Scripting Interpreter: JavaScript | SideWinder has used JavaScript to drop and execute malware loaders. |
TA0002 Execution | T1203 Exploitation for Client Execution | SideWinder has exploited vulnerabilities to gain execution, including CVE-2017-11882 and CVE-2020-0674. |
TA0002 Execution | T1559.002 Inter-Process Communication: Dynamic Data Exchange | SideWinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer. |
TA0002 Execution | T1204.001 User Execution: Malicious Link | SideWinder has lured targets to click on malicious links to gain execution in the target environment. |
TA0002 Execution | T1204.002 User Execution: Malicious File | SideWinder has lured targets to click on malicious files to gain execution in the target environment. |
TA0003 Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SideWinder has added paths to executables in the registry to establish persistence. |
TA0003 Persistence | T1574.002 Hijack Execution Flow: DLL Side-Loading | SideWinder has used DLL side-loading to drop and execute malicious payloads, including the hijacking of the legitimate Windows application file rekeywiz.exe. |
TA0004 Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | As under Persistence. |
TA0004 Privilege Escalation | T1574.002 Hijack Execution Flow: DLL Side-Loading | As under Persistence. |
TA0005 Defense Evasion | T1574.002 Hijack Execution Flow: DLL Side-Loading | As under Persistence. |
TA0005 Defense Evasion | T1036.005 Masquerading: Match Legitimate Name or Location | SideWinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable. |
TA0005 Defense Evasion | T1027 Obfuscated Files or Information | SideWinder has used Base64 encoding and ECDH-P256 encryption for payloads. |
TA0005 Defense Evasion | T1027.010 Obfuscated Files or Information: Command Obfuscation | SideWinder has used Base64 encoding for scripts. |
TA0005 Defense Evasion | T1218.005 System Binary Proxy Execution: Mshta | SideWinder has used mshta.exe to execute malicious payloads. |
TA0006 Credential Access | (none listed) | |
TA0007 Discovery | T1083 File and Directory Discovery | SideWinder has used malware to collect information on files and directories. |
TA0007 Discovery | T1057 Process Discovery | SideWinder has used tools to identify running processes on the victim's machine. |
TA0007 Discovery | T1518 Software Discovery | SideWinder has used tools to enumerate software installed on an infected host. |
TA0007 Discovery | T1518.001 Software Discovery: Security Software Discovery | SideWinder has used the WMI namespace `winmgmts:\\.\root\SecurityCenter2` to check installed antivirus products. |
TA0007 Discovery | T1082 System Information Discovery | SideWinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host. |
TA0007 Discovery | T1016 System Network Configuration Discovery | SideWinder has used malware to collect information on network interfaces, including the MAC address. |
TA0007 Discovery | T1033 System Owner/User Discovery | SideWinder has used tools to identify the user of a compromised host. |
TA0008 Lateral Movement | (none listed) | |
TA0009 Collection | T1119 Automated Collection | SideWinder has used tools to automatically collect system and network configuration information. |
TA0009 Collection | T1074.001 Data Staged: Local Data Staging | SideWinder has collected stolen files in a temporary folder in preparation for exfiltration. |
TA0011 Command and Control | T1105 Ingress Tool Transfer | SideWinder has used LNK files to download remote files to the victim's network. |
TA0010 Exfiltration | T1020 Automated Exfiltration | SideWinder has configured tools to automatically send collected files to attacker-controlled servers. |
TA0040 Impact | (none listed) | |