
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to target organizations in Pakistan and China.
It comprises a network of 55 domains and IP addresses used by threat actors, according to a joint report shared with The Hacker News by cybersecurity firms Group-IB and Bridewell.
Researchers Nikita Rostovtsev, Joshua Penney and Yashraj Solanki said the identified phishing domains mimic various organizations in the news, government, telecommunications and financial sectors.
SideWinder has been known to be active since at least 2012, and its attack chain primarily utilizes spear phishing as an intrusion mechanism to gain a foothold into the target’s environment.
The group is widely believed to be tied to Indian espionage interests. The countries it attacks most frequently include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar and Singapore.

Earlier this February, Group-IB uncovered evidence that SideWinder may have targeted 61 government, military, law enforcement and other organizations across Asia between June and November 2021.
The nation-state group was also recently observed using a technique known as server-based polymorphism to evade detection in attacks targeting Pakistani government entities.
The newly discovered domains mimic government agencies in Pakistan, China, and India, and share the same values in their WHOIS records and similar registries.
Some of these domains host government-themed decoy documents designed to download unknown next-stage payloads.
Most of these documents were uploaded to VirusTotal from Pakistan in March 2023. One of them is a Microsoft Word file, allegedly from the Pakistan Naval War College (PNWC), which both QiAnXin and BlackBerry have analyzed in recent months.
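As an added illustration, not code from the Group-IB/Bridewell report, here is the kind of WHOIS pivot the researchers describe: clustering domains that share registrant or name-server values and flagging labels that impersonate the organizations named above. All records, domains and registrant values below are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample WHOIS records (placeholder values, not real indicators);
# the "mofs", "tsinghua" and "pnwc" labels echo the lures named in the report.
WHOIS_RECORDS = [
    {"domain": "mailv-mofs-gov[.]example", "email": "reg-a@mail.example",
     "ns": ("ns1.hostx.example", "ns2.hostx.example")},
    {"domain": "mailtsinghua-sinacn[.]example", "email": "reg-a@mail.example",
     "ns": ("ns1.hosty.example", "ns2.hosty.example")},
    {"domain": "pnwc-portal[.]example", "email": "reg-b@mail.example",
     "ns": ("ns1.hosty.example", "ns2.hosty.example")},
    {"domain": "unrelated-shop[.]example", "email": "reg-c@mail.example",
     "ns": ("ns1.hostz.example", "ns2.hostz.example")},
]
IMPERSONATED = ("tsinghua", "mofs", "pnwc")  # organizations named in the report

def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a usable hostname."""
    return domain.replace("[.]", ".")

def pivot_clusters(records, fields=("email", "ns")):
    """Group domains that share any WHOIS pivot value, transitively (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    seen = {}  # (field, value) -> first domain carrying that value
    for r in records:
        for f in fields:
            key = (f, r[f])
            if key in seen:
                parent[find(r["domain"])] = find(seen[key])
            else:
                seen[key] = r["domain"]
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(refang(d))
    return sorted(sorted(g) for g in groups.values())

def lookalikes(records, keywords=IMPERSONATED):
    """Flag domains whose labels contain an impersonated organization's name."""
    flagged = {}
    for r in records:
        host = refang(r["domain"]).lower()
        hits = [k for k in keywords if k in host]
        if hits:
            flagged[host] = hits
    return flagged
```

Two domains with no field in common still land in one cluster when a third domain links them, which is what makes the pivot useful for expanding a seed indicator into the wider infrastructure.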

Also found was a Windows shortcut (LNK) file uploaded to VirusTotal from Beijing in late November 2022. The LNK file is designed to run an HTML Application (HTA) file fetched from a remote server impersonating Tsinghua University's e-mail system (mailtsinghua.sinacn[.]unit).
Another LNK file uploaded to VirusTotal from Kathmandu around the same time uses a similar method to retrieve an HTA file from a domain masquerading as the Nepalese government website (mailv.mofs-gov[.]org).
Further investigation of SideWinder’s infrastructure revealed a malicious Android APK file (226617) uploaded to VirusTotal from Sri Lanka in March 2023.
Disguised as a “Ludo game”, this rogue Android app asks users to grant access to their contacts, location, call logs, SMS messages, and calendar, effectively acting as spyware that can collect sensitive information.
Group-IB also noted similarities to a fake Secure VPN app that the company said was distributed to targets in Pakistan via a traffic direction system (TDS) called AntiBot in June 2022.
Collectively, these domains demonstrate that SideWinder is targeting e-commerce and mass media specialists in Pakistan and China, as well as financial, government and law enforcement agencies.
“Like many other APT groups, SideWinder relies on targeted spear phishing as a first vector,” the researchers said. “Therefore, it is critical for organizations to deploy a business email protection solution that detonates malicious content.”