The infection chains are recognized for including malware-rigged documents that use a remote code vulnerability in Microsoft Office’s Equation Editor component (CVE-2017-11882) to deliver malicious payloads to compromised devices. SideWinder’s toolset also includes advanced obfuscation techniques, encryption with unique keys for each malicious file, multi-layer malware, and the splitting of Command and Control (C2) infrastructure strings into separate malware components. The three-stage infection sequence starts with rogue documents dumping an HTML Application (HTA) payload, which then loads a.NET-based module to install a second stage HTA component designed to deploy a.NET-based installer. In the following stage, this installer is in charge of establishing persistence on the host and loading the final backdoor into memory. The implant can also capture files of interest as well as system data, among others. Four hundred different domains and subdomains were used by threat actors over the last two years. The URLs for C2 domains are divided into two parts, the first of which is provided in the.NET installer and the second of which is encrypted inside the second stage HTA module, adding an extra layer of stealth. “This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques,” stated Kaspersky’s cybersecurity expert.

https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html