SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack
An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.
“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations,” Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said.
Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.
SideWinder has also been observed setting its sights on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.
The most significant aspect of the recent campaign is the use of a multi-stage infection chain to deliver a previously unknown post-exploitation toolkit called StealerBot.
It all commences with a spear-phishing email with an attachment – either a ZIP archive containing a Windows shortcut (LNK) file or a Microsoft Office document – that, in turn, executes a series of intermediate JavaScript and .NET downloaders to ultimately deploy the StealerBot malware.
The documents rely on the tried-and-tested technique of remote template injection to download an RTF file that is stored on an adversary-controlled remote server. The RTF file, for its part, triggers an exploit for CVE-2017-11882 to execute JavaScript code that, in turn, runs additional JavaScript code hosted on mofa-gov-sa.direct888[.]net.
On the other hand, the LNK file employs the mshta.exe utility, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files, to run the same JavaScript code hosted on a malicious website controlled by the attacker.
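On the endpoint, this stage shows up as mshta.exe started with a URL on its command line. The rule below is an added detection example, not taken from the report: field names are modelled on Sysmon process-creation events, the events are constructed, and treating explorer.exe as the parent of a user-opened shortcut is an assumption.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption: a shortcut opened by the user starts its target from the desktop shell.
SHELL_PARENTS = {"explorer.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_remote_exec(events):
    """Return one alert per mshta.exe process whose command line carries a URL."""
    alerts = []
    for ev in events:
        if basename(ev.get("Image", "")) != "mshta.exe":
            continue
        urls = URL_RE.findall(ev.get("CommandLine", ""))
        if not urls:
            continue  # local .hta files are out of scope for this rule
        parent = basename(ev.get("ParentImage", ""))
        alerts.append({
            "host": ev.get("Computer", "?"),
            "url": urls[0],
            "parent": parent,
            "severity": "high" if parent in SHELL_PARENTS else "medium",
        })
    return alerts


EVENTS = [  # constructed sample events
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://files.example.test/view.hta'},
    {"Computer": "WS-022", "Image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\eula.hta"'},
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for alert in mshta_remote_exec(EVENTS):
        print(alert)
```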
The JavaScript malware extracts an embedded Base64-encoded string: a .NET library named “App.dll” that collects system information and functions as a downloader for a second .NET payload (“ModuleInstaller.dll”) from a server.
ModuleInstaller is also a downloader, but one that’s equipped to maintain persistence on the host, execute a backdoor loader module, and retrieve next-stage components. But in an interesting twist, the manner in which they are run is determined by what endpoint security solution is installed on the host.
“The Backdoor loader module has been observed since 2020,” the researchers said, pointing out its ability to evade detection and avoid running in sandboxed environments. “It has remained almost the same over the years.”
“It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension.”
The end goal of the attacks is to drop StealerBot via the Backdoor loader module. Described as a .NET-based “advanced modular implant,” it is specifically geared to facilitate espionage activities by fetching several plugins to –
- Install additional malware using a C++ downloader
- Capture screenshots
- Log keystrokes
- Steal passwords from browsers
- Intercept RDP credentials
- Steal files
- Start reverse shell
- Phish Windows credentials, and
- Escalate privileges bypassing User Account Control (UAC)
“The implant consists of different modules loaded by the main ‘Orchestrator,’ which is responsible for communicating with the [command-and-control] and executing and managing the plugins,” the researchers said. “The Orchestrator is usually loaded by the backdoor loader module.”
Kaspersky said it detected two installer components – named InstallerPayload and InstallerPayload_NET – that don’t feature as part of the attack chain but are used to install StealerBot, likely to update it to a new version or to infect another user.
The expansion of SideWinder’s geographic reach and its use of a new sophisticated toolkit come as cybersecurity company Cyfirma detailed new infrastructure running the Mythic post-exploitation framework and linked to Transparent Tribe (aka APT36), a threat actor believed to be of Pakistani origin.
“The group is distributing malicious Linux desktop entry files disguised as PDFs,” it said. “These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection.”
“APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS.”