1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin

Published: 23/11/2024   Category: security




Researcher to reveal fresh details at Black Hat Asia on a tenacious cyber-espionage group attacking specific military, law enforcement, aviation, and other entities in Central and South Asia.



It's one of the more prolific yet lesser-known nation-state hacking groups in the world, and it's not out of China or Russia. The so-called SideWinder (aka Rattlesnake or T-APT4) group has been on a tear over the past two years, launching more than 1,000 targeted attacks.
Noushin Shabab, senior security researcher with Kaspersky, has been tracking SideWinder since 2017 and will share her latest findings on this cyber-espionage team at Black Hat Europe in Singapore this month.
"They have been very persistent in their attacks in terms of targeting specific victims over and over, with new malware and newly registered domains," Shabab says. "So even if the target has suspected that a previous attempt had malicious intentions — like with spear-phishing emails and so on — the threat actor has tried to use a new infection vector and use a new domain to try their luck, over and over."
SideWinder also has upped its game when it comes to hiding its tracks and deflecting detection — as well as in thwarting researchers. The threat group now executes a more complex attack chain that uses multiple layers of malware, additional obfuscation, and memory-resident malware that leaves no evidence of its presence, she says. Although other well-oiled and advanced threat groups also continue to add new methods of camouflaging their activity, Noushin says, SideWinder stands apart for her with its dogged persistence and high volume of activity.
"I think what truly makes them stand out among other APT [advanced persistent threat] actors is the large toolset they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," she says. "I haven't seen 1,000 attacks from a single APT from another group thus far," she adds.
Shabab has tracked SideWinder's activity since April 2020, but Kaspersky first reported on SideWinder in January 2018 and believes it's been around since at least 2012. The security firm traditionally avoids attributing threat actors to specific nation-states, but Shabab says her firm's initial research into SideWinder showed the group is tied to an India-based company that was advertising malware analysis and penetration testing services on its website.
"We found some context between that company and that threat actor," she says. However, she notes that over the years, "[SideWinder] attribution became more challenging."
SideWinder mostly targets military and law enforcement entities in Central and South Asia, but it's also hit foreign affairs, defense, aviation, IT, and legal firms in Asia. Pakistan and Sri Lanka are its main focus of late, according to Kaspersky's research, and it's recently targeted government and related organizations in Afghanistan, China, and Nepal, according to previous research from Trend Micro and from Anomali.
Kaspersky also follows another cyber-spying threat group, dubbed Sidecopy, that copies SideWinder's tactics and techniques on occasion, often pivoting to the newest infection vector SideWinder has adopted. Unlike some other security research teams, Kaspersky considers Sidecopy separate from SideWinder. It's seen Sidecopy target organizations mainly in India and Afghanistan.
No Zero-Days Required
SideWinder's main initial attack vector consists of sending convincing-looking spear-phishing emails with malware-rigged document attachments to its carefully curated targets. The hacking group doesn't deploy any zero-day exploits, but instead mostly weaponizes known Windows or Android vulnerabilities, including old Microsoft Office flaws, according to Shabab.
That said, in January 2020, researchers at Trend Micro revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability that affected hundreds of millions of Android phones when it was first published (CVE-2019-2215).
SideWinder often switches gears if its first attempts don't infect its victims. Shabab has seen the APT abuse the Windows file shortcut feature to mask the malware, for example.
"The interesting thing is we have seen them be quite careful and innovative in the way they approach victims," she says.
On at least two occasions, she says, SideWinder sent empty document attachments with the spear-phishing emails. The document had no content, but a malicious payload was inside. "After a short while, they send a letter [in an email] that apologizes for the empty document they had sent earlier. But that second email had a different malicious payload inside the document," she says. "They were trying everything to make sure they get a foothold into the victim's system."
SideWinder also swaps domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.
Kaspersky's research shows that SideWinder mainly targets Windows for now, but it did find some malicious mobile apps last year when the firm investigated the group's infrastructure domains and servers.
"But looking at their large attack infrastructure and large malware family sets they have for Windows, it doesn't seem mobile is their main focus," Shabab says.
Black Hat Talk
Shabab will share technical details in her session at Black Hat Asia next week, entitled "SideWinder Uncoils to Strike." Those will include how the hacking team has evolved its obfuscation methods for hiding its malware, and folding it into multistage infection chains. She says that investigating SideWinder's attack methods required her to decrypt several layers of encryption and thousands of obfuscation scripts. "And for each one, the decryption key was different," she says.
Shabab plans to provide recommendations on how to use SideWinder indicators of compromise along with specific security defense advice on defending against this APT group. Because it mostly achieves initial infections via known vulns and legitimate features in Windows (such as Microsoft Office), patching and the usual best security practices are key. That means hardening applications with whitelisting or firewall rules, which can help halt additional malicious malware modules from SideWinder's servers, she says.
"It's not very difficult to stop the attack initially," she says. But if SideWinder gets past that first hurdle and infects the machine in the first phase of the attack, eradicating the attack gets exponentially harder. She adds: "They have lots of techniques to stay undetected longer and stay persistent."
