[This article was updated on 2/17/2023 with corrections to a malware variant name as well as airdrop details and how SideWinder is using cryptocurrency lures]
Researchers have linked the slippery SideWinder APT to two malicious campaigns — one in 2020 and one in 2021 — that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.
A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.
The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant — which may in fact be SideWinder itself — and Donot APT, they said.
The report also sheds more light on the geographically dispersed nature of the group's operations, with researchers uncovering IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia.
SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group — widely believed to be associated with Indian espionage interests — is far broader than that.
"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.
Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.
Sophisticated Phishing Resources
The phishing attacks — in which SideWinder impersonates known entities in an attempt to lure victims — also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.
The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.
In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, and a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.
The campaigns also are notable because they demonstrate SideWinder's interest in the crypto industry. The attackers attempted to steal user credentials by imitating an airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.
Specifically, researchers uncovered a phishing link related to a cryptocurrency airdrop, they said. When users visited the link (http://5[.]2[.]79[.]135/project/project/index.html) they were asked to register in order to participate in an airdrop and receive tokens, though it was not specified which ones. By pressing the "Submit details" button, the user activates a script, login.php, which researchers believe the group is using to further develop this attack vector.
Tools and Telegram
Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.
Part of that arsenal is the group's newest custom tool, SideWinder.StealerPy, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.
The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting "hundreds of espionage operations within a short span of time," Kupin wrote.
Another, and perhaps the "most interesting finding," regarding SideWinder's tool arsenal was a set of RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieving data stolen from compromised systems, Kupin noted.
This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.
How to Stave Off SideWinder
The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.
Because, like many other APT groups, SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations "to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment," Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.
Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.
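The Telegram-based command channel described in the "Tools and Telegram" section and the network-monitoring advice just above can be turned into a concrete hunt. The following is an added detection example, not code from the Group-IB report or from Dark Reading: it parses proxy log lines in an assumed format (timestamp, source host, HTTP method, URL, quoted user agent), flags requests to the Telegram Bot API, and separates data-pushing methods (sendDocument, sendMessage) from command polling (getUpdates). The log lines, hostnames and bot tokens are constructed; ordinary web.telegram.org browsing is deliberately left unflagged.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy log lines (not from the report); assumed format:
# <timestamp> <source host> <HTTP method> <URL> "<user agent>"
SAMPLE_LOGS = [
    '2021-09-14T10:02:11Z ws-finance-07 POST https://api.telegram.org/bot123456789:AAExampleToken/sendDocument "python-requests/2.25.1"',
    '2021-09-14T10:02:40Z ws-finance-07 POST https://api.telegram.org/bot123456789:AAExampleToken/sendMessage "python-requests/2.25.1"',
    '2021-09-14T10:03:01Z ws-hr-02 GET https://web.telegram.org/k/ "Mozilla/5.0 (Windows NT 10.0) Chrome/93.0"',
    '2021-09-14T10:04:22Z ws-dev-11 GET https://api.telegram.org/bot987654321:BBExampleToken/getUpdates "Go-http-client/1.1"',
    '2021-09-14T10:05:00Z ws-hr-02 GET https://example.com/news "Mozilla/5.0 (Windows NT 10.0) Chrome/93.0"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Bot API calls carry the bot token in the path: /bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(r'^https?://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)', re.I)

# Methods that push data to the operator (exfiltration) vs. poll for new commands (tasking)
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}
TASKING_METHODS = {"getupdates"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy log line into fields; None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, method, url, ua = m.groups()
    return {"ts": ts, "host": host, "method": method, "url": url, "ua": ua}


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for a Bot API call, or None for ordinary traffic (including web.telegram.org)."""
    m = BOT_API_RE.match(event["url"])
    if not m:
        return None
    bot_id, api_method = m.group(1), m.group(2).lower()
    kind = "exfil" if api_method in EXFIL_METHODS else "tasking" if api_method in TASKING_METHODS else "other"
    # A Bot API call from a non-browser user agent is the stronger signal: people use clients, not the bot endpoint
    return {"host": event["host"], "bot_id": bot_id, "kind": kind,
            "non_browser_ua": not event["ua"].startswith("Mozilla/")}


def hunt_telegram_c2(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over a batch of log lines and collect alerts in log order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        alert = classify(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts
```

Repeated sendDocument calls to one bot_id from a single host, as in the first two sample lines, are the pattern worth escalating; the bot_id also gives an indicator that survives token rotation by the operator.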