The aggressive SideWinder APT group has launched more than 1,000 attacks since April 2020, and its campaigns are notable for their high frequency and persistence.

About the attacks

Researchers from Kaspersky have spotted and examined the recent malicious activities of the group.
  • In the attacks, SideWinder has targeted multiple sectors, including scientific and defense organizations, ministries of foreign affairs, the IT industry, legal firms, and aviation.
  • The victims are located in the Middle East, Europe, Asia, and Africa.
  • Additionally, the group has concentrated on South Asian countries, mostly Pakistan, Sri Lanka, Nepal, and Bangladesh.

Technical details

The threat group maintains a large C2 infrastructure of more than 400 domains and subdomains, used to host malicious payloads and to control infected hosts.
  • First-stage domains host the first-stage malware that is delivered via spear-phishing; they also receive the information gathered by that malware and serve the second-stage payloads.
  • To evade detection, the group uses obfuscation routines, multi-layered malware, encryption with a unique key for each malicious file, infrastructure strings split across separate malware components, and memory-resident malware.

More about C2 communications

Researchers have detailed that the C2 URLs used in the final stage of the attacks are split into two parts, each stored in encrypted form in a different component:
  • The Installer module holds the first part of the URL, the C2 server's domain name, in encrypted form.
  • The second half of the URL is encrypted inside the second-stage HTA module.
Neither component on its own contains the complete URL, so a string-based scan of either file in isolation does not reveal the C2 address; the two fragments have to be decrypted and joined.
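The following Python script is an added illustration of the split-string technique described above and of the analyst step needed to undo it; it is not code from the Kaspersky report or from SideWinder's tooling. The domain, path, component labels and the repeating-key XOR "cipher" are all placeholders: the report states only that each file carries its own encryption key and that the URL is split between the Installer and the HTA module, not which algorithm is used.

```python
import hashlib
import re

# Constructed sample values for the illustration; placeholder names, not
# real SideWinder indicators from the Kaspersky report.
SAMPLE_DOMAIN = "cdn-update.example.test"
SAMPLE_PATH = "/api/v2/check?id=7"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (repeating-key XOR). The report does not name the
    algorithm SideWinder uses; only that every file has its own key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def per_file_key(label: str) -> bytes:
    """Derive a distinct key per component, mimicking 'unique key per file'."""
    return hashlib.sha256(label.encode()).digest()[:16]


def build_component(label: str, fragment: str) -> dict:
    """One malware component carrying an encrypted infrastructure fragment."""
    key = per_file_key(label)
    return {"label": label, "key": key, "blob": xor_crypt(fragment.encode(), key)}


def build_chain(domain: str = SAMPLE_DOMAIN, path: str = SAMPLE_PATH):
    """Installer holds scheme + domain; the HTA module holds the rest of the URL."""
    installer = build_component("installer", "https://" + domain)
    hta = build_component("hta_stage2", path)
    return installer, hta


def raw_string_hit(component: dict, ioc: str) -> bool:
    """What a plain string / YARA-style scan of the file on disk would see."""
    return ioc.encode() in component["blob"]


def decrypt_fragment(component: dict) -> str:
    """Recover the plaintext fragment using the key embedded in that component."""
    return xor_crypt(component["blob"], component["key"]).decode()


def is_full_url(s: str) -> bool:
    """True only for scheme + host + path, i.e. a usable C2 URL."""
    return re.fullmatch(r"https?://[^/\s]+/\S*", s) is not None


def reconstruct_c2_url(installer: dict, hta: dict) -> str:
    """Analyst step: decrypt both stages and join the halves in order."""
    url = decrypt_fragment(installer) + decrypt_fragment(hta)
    if not is_full_url(url):
        raise ValueError("fragments do not form a complete URL: " + url)
    return url


if __name__ == "__main__":
    installer, hta = build_chain()
    print("raw scan finds domain in installer:", raw_string_hit(installer, SAMPLE_DOMAIN))
    print("installer alone :", decrypt_fragment(installer))
    print("HTA alone       :", decrypt_fragment(hta))
    print("reconstructed   :", reconstruct_c2_url(installer, hta))
```

Run stand-alone, the script shows that a raw string scan of the installer never matches the domain, that the installer alone yields only a bare host (still worth blocking) while the HTA alone yields only a path fragment, and that the full C2 URL appears only after both stages are decrypted and concatenated. That is the reason the report's IOCs are more useful than ad hoc string matching on a single captured file.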

Conclusion

SideWinder shows a high level of sophistication through its layered obfuscation techniques. The recent report provides further detail on the threat actor's TTPs and includes IOCs that organizations can use to update their defenses for better detection of and protection against such threats.
Cyware Publisher