A nation-state threat entity known as SideWinder has been attributed to a new cyberespionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
BlackBerry Research and Intelligence Group, which revealed Due to this activity, countries such as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal and Maldives are targeted by the phishing campaign.
SideWinder, which also goes by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake and Razor Tiger, is believed to be linked to India. It has been in operation since 2012, often using phishing as a vector to deliver malicious payloads that trigger attack chains.
“SideWinder uses email phishing, document exploitation, and DLL sideloading techniques to evade detection and deliver targeted implants,” the Canadian cybersecurity firm said in an analysis released last week.
The latest series of attacks uses the lure of sexual harassment, layoffs, and salary cuts to emotionally influence recipients into opening mined Microsoft Word documents.
Once the cheat file is opened, it exploits a known security flaw (CVE-2017-0199) to make contact with a malicious domain masquerading as Pakistan General Directorate of Ports and Shipping (“reports.dgps-govtpk(.)com”) to obtain an RTF file.
The RTF document, in turn, loads the document it uses CVE-2017-11882another long-standing security vulnerability in the Microsoft Office Equation editor to execute shellcode responsible for running JavaScript code, but only after ensuring that the compromised system is legitimate and of interest to the threat actor.
It is currently unknown what is being delivered via the JavaScript malware, although the ultimate goal is likely to be intelligence gathering based on previous campaigns orchestrated by SideWinder.
“The SideWinder threat actor continues to improve its infrastructure to target victims in new regions,” BlackBerry said. “The continued development of network infrastructure and delivery payloads suggests that SideWinder will continue its attacks for the foreseeable future.”
