The infamous hacker group Sidewinder, now utilizing updated infrastructure and methods for compromising victims, has launched a new campaign targeting ports and sea objects in the Indian Ocean and the Mediterranean Sea, according to the BlackBerry Research Group. The data analysis reveals that hackers are using phishing letters with logos specific to ports in Pakistan, Egypt, and Sri Lanka, as well as subdomains indicating additional targets in Bangladesh, Myanmar, Nepal, and the Maldives. The purpose of these attacks is espionage and intelligence collection.
Sidewinder, also known as Razor Tiger, Rat Tlesnake, and T-Apt-04, has been active since 2012 and is believed to have direct ties to India. The group has previously targeted military, government, and business structures in Pakistan, Afghanistan, China, and Nepal. For their attacks, Sidewinder employs targeted phishing methods, the exploitation of office documents, and DLL Sideloading. The initial phase usually involves the victim downloading and opening an infected document with a low detection level on VirusTotal, triggering the next phase of the attack.
The documents used in these attacks appear to be legitimate documents from official organizations. In one instance, fake documents imitated port infrastructure documents such as those from the port of Alexandria in the Mediterranean Sea and the port control of the Red Sea. These documents are designed to evoke strong emotions in victims, such as fear or anxiety, to prompt immediate opening. Technical analysis reveals that Sidewinder exploits the vulnerability CVE-2017-0199 in Microsoft Office for the initial system compromise, with malicious documents containing URL addresses leading to hacker-controlled sites for downloading additional malicious files.
Further in the attack, Sidewinder loads RTF files exploiting the vulnerability CVE-2017-11882, which includes shell code to check the victim’s system. If the system is compatible, a program decrypts and launches a JavaScript code to load the next stage of the attack from a remote server. Sidewinder has also identified domains and IP addresses used for command-control infrastructure, with an old Tor node utilized to mask traffic analysis.
Researchers are monitoring Sidewinder’s activities and releasing compromise indicators (IOC) to help organizations defend against these attacks. To safeguard against Sidewinder attacks, it is advisable to regularly update security systems, train employees to recognize phishing attempts, and implement advanced email filtering solutions to detect and prevent threats.