SideWinder APT Attacks Regional Targets in New Campaign

Security researchers have discovered dozens of new regional targets and new cyber-attack tools linked to Indian APT group SideWinder.

The suspected state-sponsored group – also known as Rattlesnake, Hardcore Nationalist (HN2) and T-APT4 – comes under the spotlight in a new report from Group-IB, Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021.

During the six-month period, the threat intelligence firm discovered SideWinder threat actors attempted to attack 61 government, military, law enforcement and other targets in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka.

It also linked the group to a 2020 attack on the government of the Maldives.

SideWinder’s attack vector of choice remains spear-phishing emails, which it sent to these targets throughout the period. Two of the campaigns used emails in which the APT group spoofed a cryptocurrency firm, Group-IB said.

If a victim clicks a malicious link in the phishing email, the link delivers either a malicious document, an LNK file or a malicious payload directly. The LNK file downloads an HTA file, which in turn downloads the payload. The payload itself could be a reverse shell, a remote access Trojan (RAT) or an information stealer, the report claimed.

Group-IB discovered two new home-grown tools used by SideWinder during the campaign: a RAT dubbed SideWinder.RAT.b and an info-stealer it called SideWinder.StealerPy.

The latter is designed to harvest Google Chrome browsing history, credentials saved in the browser, the list of folders in the directory, file metadata and the contents of docx, pdf and txt files, among other data.

Both custom tools use Telegram to communicate with compromised machines rather than traditional C&C servers, because the group finds this more convenient, Group-IB said.
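The two stages above, a user-launched LNK that runs mshta.exe to fetch an HTA, and a custom payload that reaches Telegram instead of a dedicated C&C server, are both visible in ordinary endpoint telemetry. The toy hunt below is an added example for this article; it is not code from Group-IB's report or from any of the tools it describes. It assumes a simplified event schema (process creation and outbound network events), constructed sample events with hypothetical hostnames and paths, that Telegram bot traffic goes to api.telegram.org, and an allowlist of processes permitted to talk to that API.

```python
"""Toy hunt for an LNK -> mshta.exe (HTA) launch and for unexpected Telegram API use.

Added example, not from the report. Event schema, hostnames, paths and the
allowlist below are assumptions; the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str           # "process" (creation) or "network" (outbound connection)
    host: str
    process: str        # image name of the process, lowercase
    parent: str = ""    # parent image name (process events only)
    cmdline: str = ""   # command line (process events only)
    dest: str = ""      # destination hostname (network events only)


# Parents that represent a user opening a link or attachment (assumed).
USER_LAUNCHERS = {"explorer.exe", "outlook.exe"}
# Processes allowed to reach Telegram's API; hypothetical allowlist.
TELEGRAM_ALLOWED = {"telegram.exe"}
# mshta.exe given a remote URL or an .hta file to run.
HTA_ARG = re.compile(r"(https?://|\.hta\b)", re.IGNORECASE)


def lnk_to_hta(ev: Event) -> bool:
    """Stage 1: a user-launched process spawning mshta.exe with a URL/.hta argument."""
    return (ev.kind == "process" and ev.process == "mshta.exe"
            and ev.parent in USER_LAUNCHERS and bool(HTA_ARG.search(ev.cmdline)))


def telegram_c2(ev: Event) -> bool:
    """Stage 2: a non-allowlisted process connecting to the Telegram bot API."""
    return (ev.kind == "network" and ev.dest.lower() == "api.telegram.org"
            and ev.process not in TELEGRAM_ALLOWED)


def hunt(events: List[Event]) -> List[str]:
    """Return one human-readable finding per matching event, in input order."""
    findings = []
    for ev in events:
        if lnk_to_hta(ev):
            findings.append(f"{ev.host}: {ev.parent} -> {ev.process} with HTA/URL argument: {ev.cmdline}")
        elif telegram_c2(ev):
            findings.append(f"{ev.host}: {ev.process} connected to {ev.dest} (not an allowed Telegram client)")
    return findings


# Constructed sample telemetry (hypothetical hosts, .invalid is a reserved TLD).
SAMPLE_EVENTS = [
    Event("process", "ws01", "explorer.exe", parent="userinit.exe", cmdline="explorer.exe"),
    Event("process", "ws01", "mshta.exe", parent="explorer.exe",
          cmdline="mshta.exe https://files.example.invalid/update.hta"),   # LNK -> HTA stage
    Event("network", "ws01", "mshta.exe", dest="files.example.invalid"),
    Event("process", "ws01", "python.exe", parent="mshta.exe", cmdline="python.exe stage2.py"),
    Event("network", "ws01", "python.exe", dest="api.telegram.org"),       # payload using Telegram
    Event("network", "ws02", "telegram.exe", dest="api.telegram.org"),     # legitimate client, ignored
    Event("process", "ws02", "mshta.exe", parent="svchost.exe",
          cmdline=r"mshta.exe C:\Windows\Temp\local.hta"),                 # parent not a user launcher
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Both rules are deliberately narrow: the first keys on the parent process and argument shape rather than on any specific file name or domain, and the second treats Telegram's API as an unexpected destination for anything other than an allowlisted client, which is how a stealer or RAT tunnelling over a public messaging service stands out from normal traffic.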

After analyzing the network infrastructure used by SideWinder, the vendor concluded it was probably the same entity as the BabyElephant APT group.

“It is not uncommon for APT groups to borrow tools from each other, which often leads to mistakes in attribution,” said Dmitry Kupin, Group-IB senior malware analyst.

“As such, we discovered that some indicators of compromise related to another APT group, Donot, were wrongly attributed to SideWinder. Nonetheless, we found additional evidence confirming that Patchwork (Hangover), Donot and SideWinder sometimes borrow tools and malicious documents from each other and adjust them for their needs.”

Group-IB was unable to say how many of SideWinder's phishing attempts were successful.