Since April 2020, the Advanced Persistent Threat (APT) organization SideWinder, also known as Rattlesnake or T-APT-04, has been linked to over 1,000 attacks. The group has been active in Central Asian countries such as Afghanistan, Bangladesh, Nepal, and Pakistan since at least 2012. It has a history of targeting military, defense, aviation, IT sector, and legal institutions.
“Some of the main characteristics of this threat actor that make it stand out among the others are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations,” reads a report from the cybersecurity firm Kaspersky. SideWinder is actively expanding the geography of its targets to additional countries and regions, according to Kaspersky’s APT trends report for Q1 2022. The gang has also been seen using the ongoing Russian-Ukrainian conflict as a lure in its phishing attempts to spread malware and steal sensitive data.
The infection chains are recognized for including malware-rigged documents that use a remote code execution vulnerability in Microsoft Office’s Equation Editor component (CVE-2017-11882) to deliver malicious payloads to compromised devices. SideWinder’s toolset also includes advanced obfuscation techniques, encryption with a unique key for each malicious file, multi-layer malware, and the splitting of Command and Control (C2) infrastructure strings across separate malware components.

The three-stage infection sequence starts with rogue documents dropping an HTML Application (HTA) payload, which then loads a .NET-based module to install a second-stage HTA component designed to deploy a .NET-based installer. In the following stage, this installer is in charge of establishing persistence on the host and loading the final backdoor into memory. The implant can, among other things, capture files of interest as well as system data.

Four hundred different domains and subdomains were used by the threat actor over the last two years. The URLs for C2 domains are divided into two parts: the first is provided in the .NET installer and the second is encrypted inside the second-stage HTA module, adding an extra layer of stealth. “This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques,” stated Kaspersky’s cybersecurity expert.
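The first stage of the chain described above (a rigged document exploiting the Equation Editor to drop an HTA payload) leaves a distinctive process tree that endpoint telemetry can catch. The detection logic below is an added example written for this page, not code from Kaspersky's report; it assumes the Equation Editor runs as EQNEDT32.EXE and the HTA is launched through mshta.exe (neither name appears in the article), and it runs over constructed process-creation events.

```python
import csv
import io

# Windows image names assumed here; the article itself does not name them.
EQUATION_EDITOR = "eqnedt32.exe"   # Equation Editor host affected by CVE-2017-11882
HTA_HOST = "mshta.exe"             # host that executes an HTML Application (HTA)

# Constructed sample process-creation events: pid, ppid, image, command line.
SAMPLE_LOG = """\
pid,ppid,image,cmdline
4100,1200,WINWORD.EXE,WINWORD.EXE /n invoice.docx
4188,4100,EQNEDT32.EXE,EQNEDT32.EXE -Embedding
4212,4188,mshta.exe,mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.hta
4300,4212,powershell.exe,powershell.exe -nop -w hidden
5000,1200,EXCEL.EXE,EXCEL.EXE
5010,5000,EQNEDT32.EXE,EQNEDT32.EXE -Embedding
"""

def parse_events(text):
    """Return {pid: event dict} for a CSV-formatted process-creation log."""
    events = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["pid"] = int(row["pid"])
        row["ppid"] = int(row["ppid"])
        events[row["pid"]] = row
    return events

def ancestry(events, pid):
    """Yield lower-cased image names of pid's ancestors, nearest first."""
    seen = set()
    ppid = events[pid]["ppid"]
    while ppid in events and ppid not in seen:
        seen.add(ppid)
        yield events[ppid]["image"].lower()
        ppid = events[ppid]["ppid"]

def find_equation_editor_chains(text):
    """Alert on any child of the Equation Editor (it normally spawns nothing)
    and, separately, on an HTA host with the Equation Editor in its ancestry,
    which matches the document -> HTA first stage described for SideWinder."""
    events = parse_events(text)
    alerts = []
    for pid, ev in events.items():
        parent = events.get(ev["ppid"])
        if parent and parent["image"].lower() == EQUATION_EDITOR:
            alerts.append(("eqnedt32_child", pid, ev["image"]))
        if ev["image"].lower() == HTA_HOST and EQUATION_EDITOR in ancestry(events, pid):
            alerts.append(("hta_from_equation_editor", pid, ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for alert in find_equation_editor_chains(SAMPLE_LOG):
        print(alert)
```

On the sample log only the mshta.exe process spawned beneath EQNEDT32.EXE fires; the Excel-hosted Equation Editor that spawns nothing stays quiet.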