
SideWinder APT Targeting New Regions Using New Tools

Dozens of new cyberattack tools and regional targets associated with the SideWinder APT group have been uncovered by Group-IB. It has released a report that not only explains the techniques and functionality of SideWinder's new tools but also reveals the phishing operations of the group in 2021, which were based on backup archives obtained by the researchers. The archives contained various phishing projects that were aimed at South and East Asian government, military, and law agencies.

Diving into details

From June to November 2021, the SideWinder threat actors made attempts to attack 61 targets.
  • These included government, military, law enforcement, central banks, telecoms, media, and political organizations in Bhutan, Afghanistan, Sri Lanka, Myanmar, and Nepal.
  • The primary method of attack used by SideWinder continues to be spear-phishing emails, which were directed at the aforementioned targets. Two of the campaigns involved emails that were designed to impersonate a cryptocurrency firm, NCASH crypto.
  • The group was also found to be linked to a 2020 attack on the Maldives government.

Home-made tools

The researchers found two new home-grown tools used by SideWinder APT during the campaign: SideWinder.RAT.b and SideWinder.StealerPy.
  • SideWinder.StealerPy is designed to harvest various data, including Google Chrome browsing history, saved browser credentials, meta information, list of directories, and contents of docx, pdf, and txt files.
  • Both SideWinder.RAT.b and SideWinder.StealerPy use Telegram to communicate with the compromised target machines.
  • SideWinder’s arsenal, furthermore, contains downloaders in LNK and HTA files; stagers such as Meterpreter; reverse shells; RATs; and others.
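As an added illustration (not from Group-IB's report or from Cyware), a small defender-side triage script that correlates two behaviours the report attributes to StealerPy, reading Chrome's history and credential stores and talking to the Telegram API, over a constructed event log; the log format, the process allow-list and the severity scheme are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample export (not from the report), one event per line:
# host|process|kind|target, as a hypothetical EDR/proxy log might emit it.
SAMPLE_EVENTS = """\
ws01|chrome.exe|net|api.telegram.org:443
ws01|python.exe|file|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
ws01|python.exe|file|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
ws01|python.exe|net|api.telegram.org:443
ws02|telegram.exe|net|api.telegram.org:443
ws03|curl.exe|net|api.telegram.org:443
ws03|python.exe|file|C:\\Users\\b\\Documents\\report.docx
"""

# Chrome profile files holding the history and saved credentials StealerPy harvests.
CHROME_ARTEFACTS = ("Login Data", "History", "Web Data")
# Processes allowed to reach the Telegram API (assumption: tune per environment).
EXPECTED_TELEGRAM_PROCS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
TELEGRAM_HOST = re.compile(r"(^|\.)telegram\.org(:\d+)?$", re.IGNORECASE)

def parse_event(line):
    host, proc, kind, target = line.split("|", 3)
    return host, proc.lower(), kind, target

def flag_events(text):
    """Map (host, process) -> flags for Chrome artefact reads and for
    Telegram API traffic from a process not on the allow-list."""
    flags = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, proc, kind, target = parse_event(line)
        if kind == "file" and "Chrome" in target and target.endswith(CHROME_ARTEFACTS):
            flags[(host, proc)].add("chrome_artefact_read")
        elif kind == "net" and TELEGRAM_HOST.search(target) and proc not in EXPECTED_TELEGRAM_PROCS:
            flags[(host, proc)].add("telegram_from_unexpected_process")
    return dict(flags)

def triage(text):
    """Rank findings: both behaviours on one process is the StealerPy-like
    pattern (high); Telegram from an odd process alone is medium; a bare
    credential-store read is low."""
    findings = []
    for (host, proc), f in sorted(flag_events(text).items()):
        sev = "high" if len(f) == 2 else "medium" if "telegram_from_unexpected_process" in f else "low"
        findings.append((host, proc, sev, sorted(f)))
    return findings
```

Running `triage(SAMPLE_EVENTS)` ranks the Python process on ws01 as high and the curl process on ws03 as medium, while the legitimate Telegram client on ws02 produces no finding.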

The bottom line

SideWinder APT group has been active for a significant period of time and is known to frequently update its tools and techniques while constantly modifying its attack scenarios. The threat actor is also regarded as one of the most prolific groups and has been known to establish new phishing resources every month, conducting malicious campaigns aimed at collecting and exfiltrating valuable information. Given the group's financial backing and target list, researchers anticipate this threat to keep evolving and expanding.
Cyware Publisher