
SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, the Middle East, and Africa


Mar 11, 2025 Ravie Lakshmanan Cyber Espionage / Maritime Security

Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder.

The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa, as well as telecommunication, consulting, and IT service companies, real estate agencies, and hotels.

In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant, as the threat actor was previously suspected to be of Indian origin.

“It’s worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems,” researchers Giampaolo Dedola and Vasily Berdnikov said, describing it as a “highly advanced and dangerous adversary.”

SideWinder was previously the subject of an extensive analysis by the Russian cybersecurity company in October 2024, documenting the threat actor’s use of a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts. The hacking group’s targeting of the maritime sector was also highlighted by BlackBerry in July 2024.

The latest attack chains align with what has been reported before: spear-phishing emails act as a conduit to deliver booby-trapped documents that exploit a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882) to trigger a multi-stage sequence, which in turn employs a .NET downloader named ModuleInstaller to ultimately launch StealerBot.

Kaspersky said some of the lure documents are related to nuclear power plants and nuclear energy agencies, while others included content referencing maritime infrastructure and various port authorities.

“They’re constantly monitoring detections of their toolset by security solutions,” Kaspersky said. “Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours.”

“If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files.”
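The two points above (delivery through the Equation Editor flaw CVE-2017-11882, and the actor renaming and relocating its files once detected) argue for behavioral rather than name-based detection. The following is an added illustration, not code from the article or from Kaspersky: it triages constructed process-creation records and flags any child process spawned by the Equation Editor binary (EQNEDT32.EXE), whatever the child is called or where it lives. The record layout and all sample values are assumptions made for the example.

```python
"""Behavioral check for the Equation Editor delivery step (CVE-2017-11882).

Constructed example: process-creation records are plain dicts, not a real
EDR or Sysmon schema. A legitimate equation-rendering session has no reason
to launch other programs, so any child of EQNEDT32.EXE is treated as
suspicious. Matching on the parent rather than on the child's name or path
is deliberate: the article notes SideWinder changes both once detected.
"""
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"


def _basename(path: str) -> str:
    # Compare only the executable name, case-insensitively, on Windows paths.
    return ntpath.basename(path).lower()


def is_suspicious(record: dict) -> bool:
    """True when Equation Editor is the parent of this new process."""
    return _basename(record["parent_image"]) == EQUATION_EDITOR


def triage(records: list) -> list:
    """Return one alert per suspicious record, with the reason attached."""
    alerts = []
    for rec in records:
        if is_suspicious(rec):
            alerts.append({
                "pid": rec["pid"],
                "child": rec["image"],
                "cmdline": rec["cmdline"],
                "reason": "EQNEDT32.EXE spawned a child process "
                          "(consistent with CVE-2017-11882 exploitation)",
            })
    return alerts


# Constructed sample telemetry; paths and names are placeholders, not IoCs.
SAMPLE_RECORDS = [
    # Benign: Word launches Equation Editor to render an embedded object.
    {"pid": 4112, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    # Suspicious: Equation Editor spawns an arbitrarily named binary from a user-writable path.
    {"pid": 4188, "image": r"C:\Users\Public\Libraries\placeholder_stage2.exe",
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "placeholder_stage2.exe"},
    # Benign: unrelated process tree.
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

Because the rule keys on the parent process, renaming or moving the second-stage file does not evade it; the trade-off is that it only covers the Equation Editor delivery path named in the article, not other document-exploit vectors.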
