The elusive, India-based advanced persistent threat (APT) group SideWinder has unleashed a new flurry of attacks against high-profile entities and strategic infrastructure targets spanning numerous countries in Asia, the Middle East, Africa, and even Europe, signaling an expansion of its geographic reach. The attacks also show the group is using a sophisticated post-exploitation toolkit dubbed “StealerBot” to further its cyber-espionage activity, researchers have found.
The state-sponsored group — active since 2012, publicly outed in 2018, and primarily known for attacking rivals in Pakistan, Afghanistan, China, and Nepal — has demonstrated a widening of its geographic scope in the last six months. The latest attacks, observed by researchers at Kaspersky and outlined in a post on the SecureList blog, for the first time revealed some of SideWinder’s post-compromise activities, which had remained largely unknown despite years of study by researchers.
Specifically, SideWinder has recently targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates. Affected sectors are diverse and include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Attackers also targeted diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.
As for StealerBot, the researchers described the malware — which they believe is the main post-exploitation tool used by SideWinder — as “an advanced modular implant designed specifically for espionage activities.”
SideWinder’s Typical Cyberattack Chain
Though geography and post-exploitation tactics differ, SideWinder used its typical attack chain in the latest spate of attacks. The group started with a spear-phishing email carrying an attachment, usually a Microsoft OOXML document — i.e., .docx or .xlsx — or a .zip archive that in turn contains a malicious .lnk file. This file triggers a multistage infection chain of various JavaScript and .NET downloaders, which ultimately ends with the installation of the StealerBot espionage tool for further activity.
The documents used in the spear-phishing part of the campaign usually contain information obtained from public websites, “which is used to lure the victim into opening the file and believing it to be legitimate,” Kaspersky lead security researchers Giampaolo Dedola and Vasily Berdnikov wrote in the post. In this case, some of the email lures included public photos, images, and references to diplomatic and other activity that would be of interest to the intended target.
All of the documents in the attacks use the remote template injection technique to download an .rtf file stored on a remote server controlled by the attackers. These files are specifically crafted to exploit CVE-2017-11882, a seven-year-old memory corruption vulnerability in Microsoft Office, to download further shellcode and malware that uses various techniques to evade sandboxes and complicate analysis, the researchers said. The ultimate goal of the malware is to exfiltrate data from infected systems and conduct cyberespionage.
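As an added example (not code from the Kaspersky post), the following Python check flags a .docx that carries the remote-template relationship the article describes, i.e. an attachedTemplate relationship in word/settings.xml with TargetMode="External"; the sample documents and the template.example URL are constructed here for the demonstration.

```python
# Added example (not from the SecureList post): flag OOXML documents that use
# remote template injection, i.e. a word/settings.xml attachedTemplate
# relationship with TargetMode="External" pointing at an attacker-hosted file.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
# Relationship parts whose attachedTemplate targets Word resolves on open.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return the URLs of externally referenced attached templates."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in RELS_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == TEMPLATE_REL
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx shell around the given settings rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: a benign local template and a remote (external) one.
BENIGN = build_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
    f'Type="{TEMPLATE_REL}" Target="Normal.dotm"/></Relationships>')
SUSPICIOUS = build_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
    f'Type="{TEMPLATE_REL}" TargetMode="External" '
    'Target="http://template.example/lure.rtf"/></Relationships>')

if __name__ == "__main__":
    print(find_remote_templates(BENIGN))      # []
    print(find_remote_templates(SUSPICIOUS))  # ['http://template.example/lure.rtf']
```

A non-empty result for a document that arrived by email is a strong triage signal on its own, independent of whether the remote server still serves the .rtf.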
New StealerBot Modular Malware
StealerBot, so named by the attacker, is a modular implant developed in .NET to perform espionage activities. Rather than writing the malware’s components to the filesystem of the infected machine, as is typical, the attack chain observed by the researchers loads them into memory through one of the malware’s numerous modules, which in this case acts as a backdoor loader the attackers dubbed “ModuleInstaller.”
That module is a downloader that deploys the Trojan SideWinder uses to maintain a foothold on compromised machines. It is a tool previously wielded by the group and observed by Kaspersky, but not unveiled publicly until now, the researchers noted.
The attackers designed ModuleInstaller to drop at least four files: a legitimate, signed application used to sideload a malicious library; a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules; a malicious library; and an encrypted payload. “We observed various combinations of the dropped files,” the researchers noted.
Another module, called the “Orchestrator,” is the main component of the malware; it communicates with SideWinder command-and-control (C2) and executes and manages the other malware plugins. All told, StealerBot includes modules for installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, stealing files, phishing Windows credentials, and escalating privileges by bypassing User Account Control (UAC), among other actions.
Largely Underestimated Attackers
SideWinder has long been perceived as a low-skilled threat group due to its use of public exploits and remote access Trojans (RATs), as well as malicious .lnk files and scripts as infection vectors, according to Kaspersky. However, defenders shouldn’t underestimate them, as “their true capabilities only become apparent when you carefully examine the details of their operations,” the researchers wrote.
As the new wave of attacks shows “a significant expansion of the group’s activities,” those who may be targeted should be on alert and aware of the threat posed by the group, they said.
To help defenders recognize the presence of SideWinder and its StealerBot tool on their networks, the researchers included a comprehensive list of indicators of compromise (IoCs) for the various stages of the attack in their post.
The IoCs include references to malicious documents and to .rtf and .lnk files, as well as specific IoCs for the various StealerBot modules. A long list of malicious domains and IP addresses associated with the attacks is also included in the post.