Researchers Uncover SideWinder’s Latest Server-Based Polymorphism Technique

May 9, 2023 | Ravie Lakshmanan | Advanced Persistent Threats

An Advanced Persistent Threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks against Pakistani government entities as part of a campaign launched in late November 2022.

“In this campaign, SideWinder’s Advanced Persistent Threats (APT) group used server-based polymorphism techniques to deliver its next-stage payload,” the BlackBerry Research and Intelligence Team said in a technical report published Monday.

Another campaign spotted by the Canadian cybersecurity firm in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor’s collection priorities.

SideWinder has been in the spotlight since at least 2012 and is primarily known to target various Southeast Asian entities located in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.

SideWinder, a suspected Indian government-backed group, has also been tracked under the names APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4.


A typical attack sequence uses crafted email lures and DLL side-loading techniques to stay under the radar and deploy malware capable of granting the attackers remote access to targeted systems.

Over the past year, SideWinder has been associated with cyberattacks targeting the Pakistan Navy War College (PNWC) and with Android malware campaigns that harvest sensitive information using rogue phone cleaner and VPN apps uploaded to the Google Play store.

The latest infection chain documented by BlackBerry mirrors research published by Chinese cybersecurity firm QiAnXin in December 2022, in which PNWC lure documents are used to deploy a lightweight .NET-based backdoor (App.dll) that retrieves the next stage of malware from a remote server and executes it.

What makes this campaign stand out is that the attackers used server-based polymorphism to evade traditional signature-based antivirus (AV) detection: two different versions of the intermediate RTF file are served in response, depending on who is requesting it, so that the payload is distributed only selectively.

Specifically, the PNWC document uses a technique called remote template injection to fetch the RTF file, and the server serves the malicious content only if the request originates from a user in the Pakistani IP address range.

“It’s important to note that in both cases, only the name and file type of the file ‘file.rtf’ are the same. However, the content, file size and file hash are different,” BlackBerry explained.


“If the user is not within the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) containing a single string: \rtf1. However, if the user is within the Pakistani IP range, the server then returns an RTF payload, varying in size between 406 KB and 414 KB.”

The disclosure comes on the heels of Fortinet and Team Cymru disclosing details of attacks carried out against defense and military targets in India by a Pakistan-based threat actor known as SideCopy.

“The latest SideWinder campaign targeting Turkey overlaps with recent geopolitical developments, specifically Turkey’s support for Pakistan and subsequent Indian reaction,” BlackBerry said.
