Specialists from Kaspersky Lab have uncovered a new wave of targeted cyber attacks carried out by the Sidewinder group. The attackers are using a new espionage tool called Stealerbot, with a focus on large organizations and strategic infrastructure in the Middle East and Africa.
The Sidewinder cybergroup, also known as T-APT-04 or Rattlesnake, was first identified by cybersecurity experts in 2012 and has since remained one of the most active APT groups in the world. In 2018, Kaspersky Lab reported on its activities, which primarily targeted military and government institutions in countries such as Pakistan, Sri Lanka, China and Nepal, as well as companies and organizations across South and Southeast Asia.
Sidewinder's attacks relied on malicious documents that exploited vulnerabilities in Microsoft Office. The group also used other file formats such as LNK, HTML and HTA, distributed inside archives. To trick victims into opening the malicious files, the documents often reproduced content from popular websites to give them an air of legitimacy. The group used a variety of malware families, including custom-built tools and modified versions of publicly available Remote Access Trojans (RATs).
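The delivery pattern described above (Office lures plus LNK, HTML and HTA files shipped inside archives) is the kind of thing a mail gateway or SOC triage script can flag before a user ever opens the attachment. The following is an added example written for this page, not code from Kaspersky Lab or from the group's tooling: it walks a zip archive, flags members by risky extension, double extensions such as "report.pdf.lnk", content that does not match its extension (checked by well-known magic bytes), and nested archives. The extension list, the risk descriptions and the sample archive are assumptions constructed for the demonstration.

```python
"""Triage a zip archive for the lure file types used in SideWinder-style campaigns.

Added example, not Kaspersky's code. The extension table, magic-byte table and
sample archive are assumptions chosen to mirror the article's description.
"""
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import List, Optional

# Assumed list of lure formats: the ones the article names plus the Office
# containers they are usually wrapped in. Extend for your own environment.
RISKY_EXTENSIONS = {
    ".lnk": "Windows shortcut (can launch arbitrary commands)",
    ".hta": "HTML Application (runs script with full user rights via mshta)",
    ".html": "HTML file (HTML smuggling / script lure)",
    ".htm": "HTML file (HTML smuggling / script lure)",
    ".doc": "legacy Office document (OLE container, macro or exploit host)",
    ".rtf": "RTF document (common carrier for Office exploits)",
    ".docx": "Office document (can pull a remote template)",
}

# Well-known file signatures so a renamed file is still recognised.
MAGIC = {
    b"L\x00\x00\x00\x01\x14\x02\x00": ".lnk",                 # Shell link header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ".doc",             # OLE compound file
    b"{\\rtf": ".rtf",
    b"PK\x03\x04": ".zip",
}


@dataclass
class Finding:
    name: str      # archive member path (nested members are prefixed with the parent)
    reason: str


@dataclass
class TriageResult:
    findings: List[Finding] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def sniff(data: bytes) -> Optional[str]:
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def triage_archive(blob: bytes, depth: int = 0, max_depth: int = 3) -> TriageResult:
    """Inspect every member of a zip archive (recursing into nested zips)."""
    result = TriageResult()
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        result.findings.append(Finding("<root>", "not a valid zip archive"))
        return result
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        ext = suffixes[-1] if suffixes else ""
        data = zf.read(info)
        if ext in RISKY_EXTENSIONS:
            result.findings.append(Finding(name, RISKY_EXTENSIONS[ext]))
            # "Agenda.pdf.lnk" style names hide the real type behind a decoy one.
            if len(suffixes) >= 2:
                result.findings.append(Finding(name, f"double extension {''.join(suffixes)}"))
        sniffed = sniff(data)
        if sniffed and sniffed not in (ext, ".zip"):
            result.findings.append(
                Finding(name, f"content looks like {sniffed} but file is named {ext or 'without extension'}"))
        if sniffed == ".zip" or ext == ".zip":
            if depth >= max_depth:
                result.findings.append(Finding(name, "nested archive exceeds depth limit"))
            else:
                for f in triage_archive(data, depth + 1, max_depth).findings:
                    result.findings.append(Finding(f"{name}/{f.name}", f.reason))
    return result


def build_sample_archive() -> bytes:
    """Constructed sample input: a decoy PDF, a double-extension LNK, an HTA, and a
    nested zip holding an OLE document renamed to .txt."""
    lnk_bytes = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 16
    ole_bytes = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", ole_bytes)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("brief.pdf", b"%PDF-1.4 decoy")
        z.writestr("Agenda.pdf.lnk", lnk_bytes)
        z.writestr("invite.hta", b"<html><script>/* lure */</script></html>")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()).findings:
        print(f"{f.name}: {f.reason}")
```

Run as-is, the script reports the LNK twice (risky type and double extension), the HTA once, and the renamed OLE document inside the nested archive once; the decoy PDF produces no finding. In production the same logic would sit behind a mail gateway or an EDR quarantine hook, and the magic table would be replaced by a proper file-type library.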
More recently, Sidewinder has expanded the scope of its attacks to organizations in the Middle East and Africa and has introduced a new espionage tool, Stealerbot. This implant is purpose-built for spying and has become the group's primary post-exploitation tool once a vulnerability has been successfully exploited.
Stealerbot can install additional malware, capture screenshots, log keystrokes, steal passwords saved in browsers, intercept RDP credentials and exfiltrate files. According to Kaspersky Lab, Stealerbot is extremely difficult to detect because it is modular and its components are loaded directly into memory rather than written to disk, leaving few artifacts for file-based scanning to find.
Stealerbot's central component, the “Orchestrator”, controls the operation: it communicates with the attackers' command-and-control server and coordinates the actions of all the other modules. This design makes tracking and identifying the malware even harder.