
SideWinder APT Uses New WarHawk Backdoor Against Pakistan

In June, researchers reported that the SideWinder APT group had launched over 1,000 attacks since April 2020. Now the group is back in the news: Zscaler ThreatLabz found it targeting yet another Pakistani entity.

Diving into details

SideWinder used the official website of the National Electric Power Regulatory Authority (NEPRA), Pakistan, to deliver the new WarHawk backdoor.
  • WarHawk's modules stage Cobalt Strike and introduce new TTPs, including KernelCallBackTable injection and a check that the host's time zone is Pakistan Standard Time before the operation proceeds.
  • The backdoor impersonates legitimate applications to trick unsuspecting users into executing the payload.

Why this matters

  • Researchers attributed the campaign to SideWinder APT because it reused network infrastructure that the group had employed in previous cyberespionage campaigns against Pakistan.
  • The intrusions are notable not only for their frequency but for their growing persistence: SideWinder has been fielding a large arsenal of newly developed, obfuscated components.

Modus operandi

SideWinder APT uses a weaponized ISO file hosted on NEPRA's website to start a kill chain that ends in WarHawk.
  • WarHawk typically masquerades as the Realtek HD Audio Manager or ASUS Update Setup application. Once executed, it exfiltrates system metadata to a hard-coded remote server and retrieves further payloads from that same URL.
  • Once all anti-analysis checks pass, one of WarHawk's modules uses the KernelCallBackTable injection technique to inject shellcode into a notepad.exe process.
  • Finally, the shellcode decrypts and deploys Cobalt Strike Beacon, which establishes a connection to the C2 server.
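One way to hunt for this chain in endpoint telemetry, as an added example that is not part of the Zscaler research or of this article: a small Python pass over constructed Sysmon-style events. The event shapes and field names approximate Sysmon's process-create (Event ID 1), process-access (Event ID 10) and network-connect (Event ID 3) records; the vendor signer strings, the allowlist and the sample events are assumptions constructed for the example, not real telemetry. One caveat worth building in: KernelCallBackTable injection does not create a remote thread, so a CreateRemoteThread (Event ID 8) rule on its own would miss it. The injector still has to open notepad.exe with write access to patch its PEB and callback table, and that process-access event is what the second rule keys on.

```python
"""Toy detection pass over Sysmon-style events for the WarHawk kill chain.

Event shapes are hypothetical approximations of Sysmon Event IDs 1 (process
create), 10 (process access) and 3 (network connect). All sample events
below are constructed for this example, not real telemetry.
"""
from dataclasses import dataclass

# Product names the article says WarHawk masquerades as, mapped to the vendor
# expected to sign them (signer strings are assumptions for the example).
MASQUERADE_VENDORS = {
    "Realtek HD Audio Manager": "Realtek Semiconductor Corp.",
    "ASUS Update Setup": "ASUSTeK COMPUTER INC.",
}

# Processes that legitimately open other processes with write access
# (assumption: tune to your own environment, e.g. EDR agents, debuggers).
PROCESS_ACCESS_ALLOWLIST = {"csrss.exe", "MsMpEng.exe"}

# PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20): the injector needs
# both to place the payload and rewrite the PEB's KernelCallbackTable pointer.
WRITE_ACCESS_MASK = 0x8 | 0x20


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_masquerade(ev):
    """Event 1: binary claims a vendor's product but is not signed by that vendor."""
    desc = ev.get("Description", "")
    vendor = MASQUERADE_VENDORS.get(desc)
    if vendor is None:
        return None
    if ev.get("Signed") != "true" or ev.get("Signer") != vendor:
        return Finding("masquerade", f"{ev['Image']} claims '{desc}', signer={ev.get('Signer')}")
    return None


def check_process_access(ev):
    """Event 10: non-allowlisted process opens notepad.exe with write access."""
    if _basename(ev.get("TargetImage", "")) != "notepad.exe":
        return None
    src = _basename(ev.get("SourceImage", ""))
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if src not in PROCESS_ACCESS_ALLOWLIST and granted & WRITE_ACCESS_MASK:
        return Finding("notepad_injection", f"{src} opened notepad.exe with 0x{granted:X}")
    return None


def check_notepad_network(ev):
    """Event 3: notepad.exe has no business initiating network connections."""
    if _basename(ev.get("Image", "")) == "notepad.exe" and ev.get("Initiated") == "true":
        return Finding("notepad_c2", f"notepad.exe -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
    return None


CHECKS = {1: check_masquerade, 10: check_process_access, 3: check_notepad_network}


def scan(events):
    """Run every applicable rule over a list of event dicts and collect findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events: an unsigned lookalike running from a mounted ISO
# (D:), the genuine signed Realtek binary, the lookalike opening notepad.exe
# with write access, and notepad.exe calling out. IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\RealtekHDAudioManager.exe",
     "Description": "Realtek HD Audio Manager", "Signed": "false", "Signer": None},
    {"EventID": 1, "Image": r"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe",
     "Description": "Realtek HD Audio Manager", "Signed": "true",
     "Signer": "Realtek Semiconductor Corp."},
    {"EventID": 10, "SourceImage": r"D:\RealtekHDAudioManager.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1438"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run as a script it prints the three findings for the sample events (masquerade, notepad_injection, notepad_c2) and ignores the legitimate Realtek binary and the browser's connection. In practice you would feed it parsed Sysmon XML or a SIEM export, extend the allowlist, and correlate the three rules on the same host rather than alerting on each in isolation.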

The bottom line

SideWinder APT has been continually evolving, adding new malware and TTPs to its arsenal to run cyberespionage campaigns against its targets of choice, usually Pakistani military entities. The group is highly sophisticated and uses multiple attack vectors. Organizations in the targeted regions should therefore keep their software updated and adopt threat intelligence capabilities for proactive defense against this actor.
Cyware Publisher