SideWinder, also known as Rattlesnake, is an APT group that mainly targets Southeast Asian countries, including Pakistan and China. Recently, the group was found using a server to deliver a malicious LNK file hosting credential phishing pages.
What has been discovered?
SideWinder was observed using credential phishing pages copied from their victims’ webmail login pages and modified for phishing.
The group has been targeting government and military units, mostly in Nepal and Afghanistan using phishing.
After collecting credentials, the phishing pages redirect victims to other documents or news pages. These pages, along with documents, have topics related to either COVID-19 or territory disputes between Pakistan, Nepal, India, and China.
In addition, multiple Android APK files have been discovered on their phishing server.
One of the applications is OpinionPoll, which is a survey app for finding opinions concerning the Nepal-India political map dispute.
One of the most common infection vectors of SideWinder is the use of malicious documents. These RTF document files contain an exploit of the CVE-2017-11882 vulnerability.
Recent attacks
Recently, a pro-India disinformation campaign was discovered using 750 fake media outlets to serve Indian interests.
Last month, a hacker-for-hire was found targeting victims in South Asia with a cyberespionage campaign.
Conclusion
The SideWinder APT group is very active and uses current topics as a lure to target SouthAsia. Therefore, experts recommend staying alert while receiving an email from an unknown sender, using a reliable anti-malware solution, and avoiding clicking on links or downloading files that appear suspicious.