SideWinder APT Spotted Targeting Crypto
[This article was updated on 2/17/2023 with corrections to a malware variant name as well as airdrop details and how SideWinder is using cryptocurrency lures]
Researchers have linked the slick SideWinder APT to two malicious campaigns – one in 2020 and one in 2021 – adding more volume to an attack campaign attributed to the prolific threat actor in recent years and showing just how extensive the group’s arsenal of tactics and tools really is.
A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known attack on the Maldivian government in 2020, in addition to a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.
The findings show that the group is casting a far wider net than previously thought using a variety of tools, including previously unidentified remote access trojans (RATs), backdoors, reverse shells and stagers. Researchers’ examination of these attacks also links the group to other known APTs, including Baby Elephant — which may actually be SideWinder itself — and the Donot APT, they said.
The report also sheds more light on the geographically dispersed nature of the group’s operations: researchers uncovered IP addresses controlled by SideWinder in the Netherlands, Germany, France, Moldova and Russia.
Active since 2012, SideWinder was discovered by Kaspersky in the first quarter of 2018 and is believed to primarily target Pakistani military infrastructure. However, this latest report shows that the target audience of the group – believed to be associated with Indian espionage interests – is far wider than that.
“SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for approximately 10 years,” wrote Dmitry Kupin, a senior malware analyst in Group-IB’s Threat Intelligence team, in the report.
Specifically, researchers identified more than 60 targets – including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations and more – for the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka.
Sophisticated phishing resources
The phishing attacks – where SideWinder impersonates known devices in an attempt to lure victims – also demonstrated the extent of the phishing infrastructure, the researchers said. This makes sense, since spear-phishing has long been the group’s primary access method, they said.
The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.
In the phishing attacks between June 2021 and November 2021, the group impersonated both Myanmar’s central bank, using a website in its arsenal that imitates the financial institution, and a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as the Nitro Network.
The campaigns are also notable because they demonstrate SideWinder’s interest in the crypto industry. The attackers attempted to steal user credentials by impersonating an airdrop of NCASH crypto, the researchers said. NCASH is used as a means of payment in the Nucleus Vision ecosystem, which stores in India have been using, they said.
In particular, researchers uncovered a phishing link related to a cryptocurrency airdrop, they said. When users visited the link (http://5[.]2[.]79[.]135/project/project/index.html) they were asked to register to participate in an airdrop and receive tokens, although it was not specified which ones. By pressing the “Send details” button, the user activates a script login.php, which researchers believe the group uses to further develop this attack vector.
Tools and Telegram
Group-IB also discovered a number of custom tools used by SideWinder, only some of which had been publicly described before, developed in various programming languages including C++, C#, Go, Python (compiled script) and VBScript.
Part of that arsenal is the group’s newest custom tool, SideWinder.StealerPy, an info stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.
The script can extract a victim’s browsing history from Google Chrome, credentials stored in the browser, the list of folders in the directory, as well as meta information and the contents of .docx, .pdf and .txt files. It is a key part of the group’s notoriety for conducting “hundreds of espionage operations in a short period of time,” Kupin wrote.
Another, and perhaps the “most interesting finding” regarding SideWinder’s tool arsenal, was a set of RAT samples that used the Telegram messaging app as a conduit to receive the results of malware commands and thereby retrieve data stolen from compromised systems, Kupin noted.
This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.
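As an added defensive illustration (this code is not from Group-IB’s report or from the article), here is the kind of proxy-log check a SOC could run for the Telegram-as-C2 tactic described above. It flags requests to the Telegram Bot API, whose URLs take the form api.telegram.org/bot<token>/<method>, and redacts the bot token before reporting; the log layout and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report): timestamp, client IP,
# HTTP method, URL, user agent. Real proxy logs differ in layout; adjust LINE_RE.
SAMPLE_LOG = """\
2021-09-14T08:01:12Z 10.20.4.17 GET https://www.example.org/index.html "Mozilla/5.0"
2021-09-14T08:02:40Z 10.20.4.17 POST https://api.telegram.org/bot123456789:AAF0dummyTOKENvalue/sendDocument "python-requests/2.25.1"
2021-09-14T08:03:05Z 10.20.4.17 GET https://api.telegram.org/bot123456789:AAF0dummyTOKENvalue/getUpdates "python-requests/2.25.1"
2021-09-14T08:10:22Z 10.20.4.31 GET https://web.telegram.org/k/ "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Telegram Bot API endpoints look like https://api.telegram.org/bot<TOKEN>/<method>.
BOT_API_RE = re.compile(r'^https?://api\.telegram\.org/bot([^/]+)/(\w+)')
# Methods an implant would use to push results out (send*) or poll for tasking (getUpdates).
SUSPICIOUS_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "getUpdates"}


def redact_token(token: str) -> str:
    """Keep the numeric bot id (before the colon) and hide the secret part."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"


def find_bot_api_usage(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, method, redacted_token, user_agent), ...]}
    for every request to a suspicious Telegram Bot API method. Ordinary browser
    use of web.telegram.org is ignored: the Bot API is for programs, not people."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, client, _http_method, url, ua = m.groups()
        api = BOT_API_RE.match(url)
        if api and api.group(2) in SUSPICIOUS_METHODS:
            hits[client].append((ts, api.group(2), redact_token(api.group(1)), ua))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_bot_api_usage(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} Telegram Bot API request(s)")
        for ts, method, token, ua in events:
            print(f"  {ts} {method} token={token} ua={ua}")
```

A non-browser user agent on these requests, as in the sample, is the second signal worth alerting on alongside the endpoint itself.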
How to ward off SideWinder
The report includes a large selection of indicators of compromise as well as URLs associated with SideWinder attacks.
Because, like many other APT groups, SideWinder relies on targeted spear-phishing as the initial attack vector, it is important for organizations “to deploy enterprise email protection solutions capable of detonating malicious attachments in an isolated virtual environment,” Kupin tells Dark Reading. Companies should also run social-engineering penetration tests so employees can quickly recognize phishing emails that reach their inboxes, he adds.
Organizations at risk from SideWinder should also continuously monitor network activity within the organization’s perimeter using managed extended detection and response (MXDR) solutions that are regularly updated with new network indicators and rules, says Kupin.