A sophisticated persistent menace (APT) actor with suspected ties to India has sprung forth with a flurry of assaults in opposition to high-profile entities and strategic infrastructures within the Center East and Africa.
The exercise has been attributed to a bunch tracked as SideWinder, which is also referred to as APT-C-17, Child Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.
“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations,” Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov mentioned.
Targets of the assaults embrace authorities and navy entities, logistics, infrastructure and telecommunications firms, monetary establishments, universities, and oil buying and selling firms situated in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.
SideWinder has additionally been noticed setting its sights on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.
Essentially the most important side of the latest marketing campaign is the usage of a multi-stage an infection chain to ship a beforehand unknown post-exploitation toolkit known as StealerBot.
All of it commences with a spear-phishing electronic mail with an attachment – both a ZIP archive containing a Home windows shortcut (LNK) file or a Microsoft Workplace doc – that, in flip, executes a collection of intermediate JavaScript and .NET downloaders to in the end deploy the StealerBot malware.
The paperwork depend on the tried-and-tested strategy of distant template injection to obtain an RTF file that’s saved on an adversary-controlled distant server. The RTF file, for its half, triggers an exploit for CVE-2017-11882, to execute JavaScript code that is accountable for operating further JavaScript code hosted on mofa-gov-sa.direct888[.]web.
However, the LNK file employs the mshta.exe utility, a Home windows-native binary designed to execute Microsoft HTML Software (HTA) recordsdata, to run the identical JavaScript code hosted on a malicious web site managed by the attacker.
The JavaScript malware serves to extract an embedded Base64-encoded string, a .NET library named “App.dll” that collects system info and capabilities as a downloader for a second .NET payload from a server (“ModuleInstaller.dll”).
ModuleInstaller can also be a downloader, however one which’s geared up to take care of persistence on the host, execute a backdoor loader module, and retrieve next-stage parts. However in an attention-grabbing twist, the way through which they’re run is set by what endpoint safety resolution is put in on the host.
“The Bbckdoor loader module has been observed since 2020,” the researchers mentioned, declaring its potential to evade detection and keep away from operating in sandboxed environments. “It has remained almost the same over the years.”
“It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension.”
The top aim of the assaults is to drop StealerBot by way of the Backdoor loader module. Described as a .NET-based “advanced modular implant,” it’s particularly geared to facilitate espionage actions by fetching a number of plugins to –
- Set up further malware utilizing a C++ downloader
- Seize screenshots
- Log keystrokes
- Steal passwords from browsers
- Intercept RDP credentials
- Steal recordsdata
- Begin reverse shell
- Phish Home windows credentials, and
- Escalate privileges bypassing Consumer Account Management (UAC)
“The implant consists of different modules loaded by the main ‘Orchestrator,’ which is responsible for communicating with the [command-and-control] and executing and managing the plugins,” the researchers mentioned. “The Orchestrator is usually loaded by the backdoor loader module.”
Kaspersky mentioned it detected two installer parts – named InstallerPayload and InstallerPayload_NET – that do not characteristic as a part of the assault chain, however are used to put in StealerBot to possible replace to a brand new model or infect one other consumer.
The growth of SideWinder’s geographic attain and its use of a brand new refined toolkit comes as cybersecurity firm Cyfirma detailed new infrastructure operating the Mythic post-exploitation framework and linked to Clear Tribe (aka APT36), a menace actor believed to be of Pakistani origin.
“The group is distributing malicious Linux desktop entry files disguised as PDFs,” it mentioned. “These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection.”
“APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS.”
