An advanced persistent threat (APT) actor believed to have links to India has carried out a flurry of attacks against prominent organizations and strategic infrastructure in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger and T-APT-04.
“The group may be perceived as a low-level actor due to the use of public exploits, malware and LNK scripts as infection vectors, as well as the use of public RATs, but their true capabilities only become apparent when you closely examine the details of their operation,” Kaspersky researchers Giampaolo Dedola and Vasyl Berdnikov said.
The targets of the attacks are government and military structures, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the UAE.
SideWinder has also been seen targeting diplomatic facilities in Afghanistan, France, China, India, Indonesia and Morocco.
The most important aspect of the recent campaign is the use of a multistage infection chain to deliver a previously unknown post-exploitation toolkit called StealerBot.
It all starts with a phishing email with an attachment – either a ZIP archive containing a Windows Shortcut (LNK) file or a Microsoft Office document – which in turn executes a series of JavaScript and .NET intermediate loaders to finally deploy the StealerBot malware.
The documents rely on a tried-and-tested remote template injection technique to download an RTF file stored on a remote server controlled by the adversary. The RTF file, in turn, launches an exploit for CVE-2017-11882 to execute JavaScript code responsible for running additional JavaScript code located at mofa-gov-sa.direct888(.)net.
The LNK file, on the other hand, uses the mshta.exe utility, a native Windows binary designed to execute Microsoft HTML Application (HTA) files, to run the same JavaScript code hosted on a malicious website controlled by the attacker.
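One defender-side check that the two delivery paths above suggest, as an added example that is not from the article or from Kaspersky's research: it runs three process-ancestry rules (mshta.exe launched with a remote URL, an Office application spawning Equation Editor, and Equation Editor spawning a script host) over constructed Sysmon-style process-creation records. The ProcEvent field names and the sample events are assumptions, and the hostnames are placeholders.

```python
import re
from dataclasses import dataclass

# Office hosts that should not spawn Equation Editor or script hosts on their own.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"  # Equation Editor binary targeted by CVE-2017-11882 exploits
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class ProcEvent:  # assumed minimal shape of a process-creation record
    parent: str   # parent process image path
    image: str    # child process image path
    cmdline: str  # child command line

def _base(path: str) -> str:
    """Lower-cased file name of an image path, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that apply to one process-creation event."""
    parent, image = _base(ev.parent), _base(ev.image)
    tags = []
    if image == "mshta.exe" and URL_RE.search(ev.cmdline):
        tags.append("mshta_remote_hta")          # LNK path: HTA fetched from a remote host
    if parent in OFFICE_APPS and image == EQNEDT:
        tags.append("office_spawns_eqnedt32")    # RTF path: Office loads Equation Editor
    if parent == EQNEDT and image in SCRIPT_HOSTS:
        tags.append("eqnedt32_spawns_script_host")  # exploit handing off to a script host
    return tags

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> tags for every event matching at least one rule."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}

# Constructed sample telemetry; hostnames are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              'mshta.exe "https://example-placeholder.invalid/index.hta"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              '"EQNEDT32.EXE" -Embedding'),
    ProcEvent(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\mshta.exe",
              'mshta.exe "https://example-placeholder.invalid/stage2.hta"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign notepad launch untagged; in production the same rules would be fed from Sysmon event ID 1 or an EDR's process-creation stream.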
The JavaScript malware is used to extract an embedded Base64-encoded string that decodes to a .NET library named “App.dll”, which collects system information and functions as a loader for a second .NET payload fetched from the server (“ModuleInstaller.dll”).
ModuleInstaller is also a loader, but it is equipped to maintain persistence on the host, execute the backdoor loader module, and retrieve the next-stage components. In an interesting twist, the way they run is determined by which endpoint security solution is installed on the host.
“The backdoor loader module has been observed since 2020,” the researchers said, pointing to its ability to evade detection and avoid sandboxing. “It’s stayed pretty much the same for years.”
“It was recently updated by an attacker, but the main difference is that the older versions are configured to download an encrypted file using a specific file name built into the program, while the latest versions were designed to list all files in the current directory and download those without an extension.”
The ultimate goal of the attacks is to deploy StealerBot via the backdoor loader module. Described as an “advanced modular implant” based on .NET, it is specifically designed to facilitate espionage by providing multiple plugins to:
- Install additional malware using a C++ downloader
- Take screenshots
- Record keystrokes
- Steal passwords from browsers
- Intercept RDP credentials
- Steal files
- Start a reverse shell
- Phish Windows credentials
- Escalate privileges to bypass User Account Control (UAC)
“The implant consists of various modules loaded by a master ‘Orchestrator’ that is responsible for communicating with the command-and-control (C2) server and executing and managing the plug-ins,” the researchers said. “Orchestrator is normally loaded by the backdoor loader module.”
Kaspersky said it discovered two installer components – InstallerPayload and InstallerPayload_NET – that are not part of the attack chain, but are used to install StealerBot, possibly to update to a new version or infect another user.
SideWinder’s geographic expansion and use of a sophisticated new toolset come as cybersecurity firm Cyfirma detailed new infrastructure powered by the Mythic post-exploitation framework and associated with Transparent Tribe (aka APT36), a threat actor believed to originate from Pakistan.
“The group distributes Linux desktop malware disguised as PDF files,” the report said. “These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and avoiding detection.”
“APT36 is increasingly targeting Linux environments due to their widespread use in the Indian public sector, especially with the Debian-based BOSS OS and the emergence of Maya OS.”