SideWinder APT Spotted Targeting Crypto

Published: 23/11/2024   Category: security




The nation-state threat group has been attacking a wider range of victims and regions than previously thought.



[This article was updated on 2/17/2023 with corrections to a malware variant name as well as airdrop details and how SideWinder is using cryptocurrency lures]
Researchers have linked the slippery SideWinder APT to two malicious campaigns, one in 2020 and one in 2021, that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.
A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.
The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. The researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant (which may in fact be SideWinder itself) and Donot APT, they said.
The report also sheds more light on the geographically dispersed nature of the group's operations: the researchers uncovered IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia.
SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group, widely believed to be associated with Indian espionage interests, is far broader than that.
"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.
Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.
The phishing attacks, in which SideWinder impersonates known entities in an attempt to lure victims, also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.
The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.
In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.
The campaigns also are notable because they demonstrate SideWinder's interest in the crypto industry. The attackers attempted to steal user credentials by imitating an airdrop of NCASH crypto, the researchers said. NCASH is used as a means of payment in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.
Specifically, the researchers uncovered a phishing link related to a cryptocurrency airdrop. When users visited the link (http://5[.]2[.]79[.]135/project/project/index.html) they were asked to register in order to participate in an airdrop and receive tokens, though it was not specified which ones. Pressing the "Submit details" button invokes a server-side script, login.php, which the researchers believe the group is using to further develop this attack vector.
Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.
Part of that arsenal is the group's newest custom tool, SideWinder.StealerPy, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.
The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting hundreds of espionage operations within a short span of time, Kupin wrote.
Another, and perhaps the most interesting, finding regarding SideWinder's tool arsenal was RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieving data stolen from compromised systems, Kupin noted.
This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.
The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.
Because, like many other APT groups, SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment, Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.
Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.
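As an added illustration of the kind of network-indicator matching Kupin describes (this is example code written for this page, not code from the article, from Group-IB's report, or from any vendor product), the script below refangs the defanged airdrop URL quoted above, scans proxy log lines against it, and also flags Telegram Bot API traffic. Two things are assumptions rather than facts from the report: the proxy log format ("timestamp client method url \"user-agent\"") and that the RATs reach Telegram through the Bot API (api.telegram.org/bot<id>:<secret>/<method>); the article only says Telegram was the channel. The sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Network indicator quoted in the article, kept in the defanged form the report uses.
ARTICLE_IOCS = ["http://5[.]2[.]79[.]135/project/project/index.html"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string that matches live traffic."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://"))


def defang(indicator: str) -> str:
    """Defang a URL so it is safe to paste into a ticket or report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


# Assumption: the RATs use the Telegram Bot API, whose URLs have the form
# https://api.telegram.org/bot<numeric id>:<secret>/<method>. The article only
# states that Telegram was the channel for command results.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Assumed proxy-log format: <timestamp> <client_ip> <method> <url> "<user-agent>".
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) "([^"]*)"$')

# Constructed sample lines (not from the report): a visit to the lure page, the
# form submission to login.php, a Bot API upload from a scripting client, and
# benign traffic that must not match.
SAMPLE_PROXY_LOG = """\
2021-09-14T10:22:03Z 10.0.5.21 GET http://5.2.79.135/project/project/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-09-14T10:22:41Z 10.0.5.21 POST http://5.2.79.135/project/project/login.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-09-14T10:25:09Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAHfakeTOKENvalue_for-example/sendDocument "python-requests/2.25.1"
2021-09-14T10:26:00Z 10.0.7.8 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


@dataclass
class Hit:
    rule: str
    client: str
    detail: str


def load_ioc_tables(defanged: List[str]) -> Tuple[Set[str], Set[str]]:
    """Build an exact-URL set and a host set from a defanged indicator list."""
    urls = {refang(i) for i in defanged}
    hosts = {urlsplit(u).hostname for u in urls}
    return urls, hosts


def scan(lines: List[str], defanged_iocs: List[str] = ARTICLE_IOCS) -> List[Hit]:
    """Match proxy log lines against the indicator list and the Telegram rule."""
    url_iocs, host_iocs = load_ioc_tables(defanged_iocs)
    hits: List[Hit] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, ua = m.groups()
        if url in url_iocs:
            hits.append(Hit("ioc-url", client, defang(url)))
        elif urlsplit(url).hostname in host_iocs:
            # Same host, different path (the login.php the article mentions):
            # an exact-URL match alone would miss this, so match on host too.
            hits.append(Hit("ioc-host", client, defang(url)))
        tg = TELEGRAM_BOT_RE.search(url)
        if tg:
            bot_id, secret, method = tg.groups()
            # Never write the full bot token to an alert; four characters is
            # enough to correlate repeated sightings.
            hits.append(Hit("telegram-bot-api", client,
                            f"bot{bot_id}:{secret[:4]}... {method} ua={ua!r}"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{h.rule:17} {h.client:12} {h.detail}")
```

The indicator list is a parameter so the same scan can be re-run as the report's IOCs are refreshed; matching on host as well as exact URL is what catches the login.php submission, which is the step that actually hands over the credentials.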
