SideWinder Espionage Hits Maritime Facilities in 2024
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.
“SideWinder makes use of email spear-phishing, document exploitation, and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” the Canadian cybersecurity company said in an analysis published last week.
BlackBerry Threat Research and Intelligence team
As part of continuous threat hunting efforts the BlackBerry Threat Research and Intelligence team has discovered a new campaign by the nation-state threat actor known as SideWinder. They have been actively tracking this threat actor since our last report on the group in mid-2023. SideWinder has since upgraded its infrastructure and now utilizes new techniques and tactics in its efforts to compromise victims.
By analyzing the data uncovered during our research, which includes highly specific logos and themes in the phishing emails sent by the group, they conclude with medium confidence that SideWinder’s new campaign is targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
Domains and documents used with the first stage delivery imply targeting of Pakistan, Egypt and Sri Lanka. Subdomains used with the second stage delivery indicate additional targeting of Bangladesh, Myanmar, Nepal, and the Maldives.
Based on SideWinder’s prior campaigns, they believe that the goal of this new campaign is espionage and intelligence gathering.
Tactics, Techniques, and Procedures (TTPs)
Weaponization and Technical Overview
Weapons | Malicious documents, Obfuscated JavaScript |
---|---|
Attack Vector | Weaponized document used for targeted attack |
Network Infrastructure | Phishing domains |
Targets | Maritime organizations in the Mediterranean Sea and the Indian Ocean |
Visual Bait Documents
The latest set of attacks employ lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients’ emotional state and trick them into opening booby-trapped Microsoft Word documents.
Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan’s Directorate General Ports and Shipping (“reports.dgps-govtpk[.]com”) to retrieve an RTF file.
The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that’s responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.
Exploitation Techniques
Upon opening the decoy file, it relies on a remote template injection technique (CVE-2017-0199) to gain initial access to the target’s system. This vulnerability impacts Microsoft Office and allowed attackers to use a specially-crafted document embedding an OLE2link object to spread malware.
The phishing emails include a malicious document which contains a plain text URL linking to a site controlled by the attacker. When the document is opened, it accesses this URL to download the next stage of the malware. Specifically, an RTF file exploits the CVE-2017-11882 vulnerability to execute shellcode, which checks whether the system is a real machine (not a virtual machine) before decrypting the malicious code and running JavaScript code that loads additional malicious payloads from a remote server. This method helps evade detection by security teams.
Network Infrastructure
The threat actor maintains a large C2 infrastructure composed of more than 400 domains and subdomains that were used to host malicious payloads and control them.
The stage two command-and-control (C2) utilizes an old Tor node, 91[.]223.208[.]175, possibly as a means of obfuscating network analysis. Tor, an acronym for The Onion Router, is a network that masks online traffic to provide anonymous web browsing.
However, delivery infrastructure for the second stage can still be identified via an 8-byte file, an RTF document returned by the C2 when outside of the geofence.
Similar domain naming structure and registration times show multiple domains ready to be used by SideWinder. Similarly, protective DNS (PDNS) data for the stage two C2 yields a number of targets. PDNS is a security service that analyzes DNS queries and takes action to mitigate threats, such as preventing access to domains known to be malicious.
Additional Recommendations
- Due to the abuse of CVE-2017-0199 by SideWinder in this campaign, it would be prudent for organizations to keep all systems, especially those using Microsoft Office, current with the most recent security patches. See Microsoft’s official Security Updates site for the relevant patches.
- Phishing awareness training is a must for any organization, large or small. Employees should be taught the ‘red flags’ of a phishing email or document, encouraged to report suspicious emails, and trained (through security exercises if need be) not to open attachments or click on links in unsolicited documents.
- Implement advanced email filtering solutions to identify and block phishing emails that could carry malicious Word documents. Since the advent of deepfakes and generative AI, it’s getting harder for even well-trained personnel to tell the difference between a real and a falsified communication from what appears to be an official source.
- Consider investing in advanced threat detection and response solutions capable of real-time threat identification and remediation, and subscribing to cyber threat intelligence services to stay up to date with attacker tactics, techniques, and procedures.
Conclusion
The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions. The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future.
At the time of publication, there seems to no observed samples of the JavaScript delivered in the last stage of the attack. However, based on SideWinder’s prior campaigns, it could be believed that the goal of this campaign is espionage and intelligence gathering.