SideWinder, also known as Rattlesnake, is an APT group that mainly targets Southeast Asian countries, including Pakistan and China. Recently, the group was found using a server that both delivered a malicious LNK file and hosted credential phishing pages.
What has been discovered?
SideWinder was observed using credential phishing pages copied from their victims’ webmail login pages and modified for phishing.
- The group has been targeting government and military units, mostly in Nepal and Afghanistan, using phishing.
- After collecting credentials, the phishing pages redirect victims to other documents or news pages. These pages and documents cover topics related to either COVID-19 or territory disputes between Pakistan, Nepal, India, and China.
- In addition, multiple Android APK files have been discovered on their phishing server.
- One of the applications is OpinionPoll, a survey app that solicits opinions on the Nepal-India political map dispute.
- One of SideWinder's most common infection vectors is malicious documents: RTF files that carry an exploit for the CVE-2017-11882 vulnerability.
- Recently, a pro-India disinformation campaign was discovered using 750 fake media outlets to serve Indian interests.
- Last month, a hacker-for-hire was found targeting victims in South Asia with a cyberespionage campaign.
The SideWinder APT group is very active and uses current events as lures to target South Asia. Therefore, experts recommend staying alert when receiving email from an unknown sender, using a reliable anti-malware solution, and avoiding clicking on links or downloading files that appear suspicious.