The distinctive rattle of APT SideWinder

Introduction

In February 2023, Group-IB’s Threat Intelligence team released a technical report about previously unknown phishing attacks conducted by the APT group SideWinder: Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021. As always, Group-IB customers and partners were the first to get access to the report through the interface of Group-IB’s Threat Intelligence platform.

One of them was Bridewell, a leading cyber security services company based in the UK and a long-standing MSSP partner of Group-IB in Europe. Our colleagues from Bridewell have been using Group-IB’s Threat Intelligence, Digital Risk Protection, and Attack Surface Management solutions to support the cybersecurity services they offer to its customers.

Bridewell’s in-house threat intelligence experts read Group-IB’s report on SideWinder and came up with their own significant findings about SideWinder. The Bridewell team shared this information with our Threat Intelligence unit, which led to this joint blog post. By bringing together the research capabilities of both companies, we developed and described new hunting methods so that we could track one of the most prolific APT groups more efficiently.

Group-IB and Bridewell’s joint research describes how to use publicly available tools to monitor known SideWinder infrastructure and reveals new malicious servers that could be used in future attacks.

This blog post provides details of previously unknown infrastructure belonging to APT SideWinder. In addition, Group-IB and Bridewell researchers share hunting rules for Shodan to help cybersecurity specialists, threat hunters, and corporate cybersecurity teams pre-empt and prevent SideWinder attacks.

Acknowledgements: We would like to thank Dmitry Kupin for contributing to this blog post.

Key findings

• SideWinder’s servers can be detected using several hunting rules described in this blog post.
• Group-IB and Bridewell detected 55 previously unknown IP addresses that SideWinder could use in future attacks.
• The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors.
• SideWinder uses the identified servers as A records for domains that mimic government organizations in Pakistan, China, and India. These domains are listed in the “Who are SideWinder’s potential targets?” section of this blog post.
• We discovered an APK sample for Android devices. The sample is similar to one mentioned in Group-IB’s blog post SideWinder.AntiBot.Script.

Tracking SideWinder’s infrastructure

Description of hunting rules

For several years, SideWinder has been using a unique method of deploying and maintaining its malicious servers. The APT’s infrastructure is distinct in that servers always return a response with the 404 status code and the Not Found content when the root page is accessed.

Malicious content is returned only if the victim follows a special link received through either phishing emails or phishing posts on social media (for example in dedicated Facebook groups). SideWinder’s network infrastructure can be tracked using the search engines Shodan and Censys if unique parameters are set correctly.

Our research focuses on 119 IP addresses, which can be divided into two categories: the first one comprises the APT’s known IP addresses, while the second category covers the group’s IP addresses that have not been publicly revealed before. A table with all network indicators can be found at the end of this blog post.

Shodan hunting rules

SideWinder’s infrastructure can be tracked by using the hunting rules described below in Shodan. We describe infrastructure links based on these queries.

Using these hunting rules, Group-IB and Bridewell specialists discovered 119 IP addresses that they attributed to SideWinder, 64 of which were either known to us or mentioned in public descriptions of the group’s attacks. The other 55 IP addresses belonging to SideWinder have not been described before.

Known IP addresses

Based on the data obtained using the hunting rules, the following IP addresses and domains were identified. These are publicly known addresses used by SideWinder and are mentioned here to show that the hunting rules used are accurate.

Previously unknown IP addresses

This section lists the IP addresses and domains that were unknown at the time of our analysis. We have attributed them with high confidence to SideWinder. We believe that the threat actors could potentially use this infrastructure in future attacks.

All the listed IP addresses were found using hunting rules that we created and have provided in the “Shodan hunting rules” section. Furthermore, two domains from this list (storeapp[.]site and ridlay[.]live) are linked to SideWinder’s known infrastructure through the use of identical registration data in WHOIS records, as shown by Group-IB’s Threat Intelligence platform:

The screenshot shows that the domains fia-gov[.]com, hread[.]live, cplix[.]live, govpk-mail[.]org, appsrv[.]live, ridlay[.]live, bismillah[.]tech, and storeapp[.]site are interrelated — they use of the same values in WHOIS records (13th street auckland) and similar registration data.

Related files

Analysis of SideWinder’s network infrastructure revealed files related to it. The files are listed in the table below.

All the files in the table above are part of the first attack stage, which is intended for downloading the payload (the next stage). At the time of analysis, the payload was not obtained. Below we look at the files listed in the table in more detail.

LKGOD.docx

The malicious file LKGOD.docx was discovered in March 2023 by a Twitter user with the handle @StopMalvertisin.

The file was uploaded to VirusTotal for the first time on March 21, 2023 at 06:46:34 UTC from Pakistan (the city of Islamabad, source: the Web).

File contents (decoy):

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template: hxxs://paknavy[.]defpak[.]org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf

Product.docx

The malicious file Product.docx was also discovered in March 2023 by the Twitter user @StopMalvertisin.  

The file was uploaded to VirusTotal on March 10, 2023 at 05:14:05 UTC from Pakistan (the city of Karachi, source: the Web)

File contents (decoy):

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template: hxxps://cstc-spares-vip-163[.]dowmload[.]net/14668/1/1228/2/0/0/0/m/files-403a1120/file.rtf

Leakage of Sensitive Data on Dark Web.docx

The malicious file Leakage of Sensitive Data on Dark Web.docx was also discovered by @StopMalvertisin.

The file was uploaded to VirusTotal on March 10, 2023 at 05:21:10 UTC from Pakistan (the city of Karachi, source: the Web).

File contents (decoy):

It is worth noting that the contents of the document are identical to those of LKGOD.docx.

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template: hxxps://mtss[.]bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf

GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx

The malicious file GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx was discovered by the Twitter user @RedDrip7.

The file was uploaded to VirusTotal for the first time on November 30, 2022 at 10:17:20 UTC from the UK (city unknown, source: the Web).

File contents (decoy):

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template: hxxs://pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf

公管学院关于11月22日起工作安排调整的通知.docx.lnk

The malicious file 公管学院关于11月22日起工作安排调整的通知.docx.lnk was discovered by the user @Axel_F5: 

This LNK file is contained in the archive 公管学院关于11月22日起工作安排调整的通知.zip, which was distributed via email:

• Email subject: 公共管理学院关于11月22日起工作安排调整的通知 (Notice of the School of Public Administration on the adjustment of work arrangements from November 22)
• Sender: 陈蕾 (Chen Lei) sppmdw@mail[.]tsinghu[.]edu[.]cn[.]aliyu[.]co

The archive  公管学院关于11月22日起工作安排调整的通知.zip was uploaded to VirusTotal for the first time on November 24, 2022 at 13:43:55 UTC from China (the city of Beijing, source: the Web).

Launching the LNK file executes the following command:

The LNK file creates a copy of %Windows%\System32\mshta.exe with the name %ProgramData%\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file, which is located at hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta.

We came across a similar archive earlier, virus student Data Base 8 (1).zip, which was uploaded to VirusTotal on October 16, 2022 at 17:55:40 UTC from Sweden (the city of Stockholm, source: the Web). Like in the previous case, the target of SideWinder’s attack may have been Tsinghua University, one of the leading universities in China (tsinghua.edu.cn).

It is worth noting that the LNK file 公管学院关于11月22日起工作安排调整的通知.docx.lnk was added to the archive 公管学院关于11月22日起工作安排调整的通知.zip on November 22, 2022, while the LNK file student Data Base 8.pdf.lnk was added to the archive virus student Data Base 8 (1).zip on March 3, 2022.

A similar LNK file, student Data Base 8.pdf.lnk, launches mshta.exe and downloads and executes an HTA file located at hxxps://mail[.]tsinghua[.]institute/3206/1/25395/2/0/1/1863616521/3DIm0LGMztTur2KVczxFjB36rLfwnHf9DwWAo2oI/files-5b71f8ef/hta (the domain: mail[.]tsinghua[.]institute).

राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk

The malicious file राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk was discovered by a Twitter user with the handle @jaydinbas.

The LNK राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk is contained in an archive (whose original name is unknown) that was uploaded to VirusTotal on November 24, 2022 at 10:15:01 UTC from Nepal (the city of Kathmandu, source: Community).

Launching the LNK executes the following command:

The LNK creates a copy of %Windows%\System32\mshta.exe with the name %ProgramData%\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file located at hxxps://mailv[.]mofs-gov[.]org:443/3669/1/24459/2/0/1/1850451727/6JOo39NpphBz5V3XOKZff9AGJH3RNAJuLvBQptc1/files-94603e7f/hta. This LNK file is similar to the LNK file 公管学院关于11月22日起工作安排调整的通知.docx.lnk mentioned above.

The LNK राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk was added to the archive on November 23, 2022.

226617

Analysis of the group’s infrastructure by Bridewell specialists revealed a malicious APK file, 226617, which was uploaded to VirusTotal on March 23, 2023 at 09:34:02 UTC from Sri Lanka (the city of Colombo, source: the Web). The Group-IB team analyzed the sample.

The APK file 226617 is an Android application disguised as the game Ludo.

The application is a downloader type of malware that downloads the encrypted payload at hxxps://games[.]srv-app[.]co/669/1/1970/2/0/0/1764305594/2X1R9Tw7c5eSvLpCCwnl0X7C0zhfHLA6RJzJ0ADS/files-82dfc144/appxed. The payload is a DEX file, launched using the class DexClassLoader.

The link is Base64-encoded and encrypted using the AES-256 ECB algorithm with the key {7e 51 73 44 54 49 ac a1 fe 99 25 f3 25 29 58 e3 5a 45 7c cd 89 d4 87 78 34 3f b2 df c2 60 2c 21} (32 bytes).

Example of the link decrypted in CyberChef:

In addition, the malware has an autostart functionality when the targeted mobile device loads. It is worth noting that the application partially matches and has similar functionalities to the code of the application Secure VPN_3.9_apkcombo.com.apk (SHA-1: c6effe7fcd87f643aebc427e127dd7b00865eafd), which was discovered by Group-IB Threat Intelligence experts in as early as 2021.

Experts at Qi An Xin have described SideWinder’s Android applications with similar code. Their analysis also mentions the application Secure VPN_3.9_apkcombo.com.apk. Moreover, previous samples featured a similar domain, register[.]srvapp[.]co (games[.]srv-app[.]co in our case).

The two applications, 226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4) and Secure VPN_3.9_apkcombo.com.apk (SHA-1: c6effe7fcd87f643aebc427e127dd7b00865eafd) are compared below.

The matching apk_name value “Almighty Allah” in the applications’ string resources

Checking root privileges on a mobile device:

Downloading the DEX file using a URL:

A DEX file being loaded into device memory:

List of permissions checked:

Saving the file downloaded from the command-and-control (C2) server as “/data/data/<package_name>/files/fex/permFex/8496eac3cc33769687848de8fa6384c3”:

Hosting infrastructure

This graph shows the distribution of malicious domains by hosting service provider, for providers known to be used by SideWinder.

SideWinder often registers domains whose URL addresses mimic various organizations in Pakistan and China. In June 2022, Group-IB specialists published a blog post (SideWinder.AntiBot.Script) in which they described the group’s resources whose URLs mimic Pakistani organizations. It is worth noting that website contents are sometimes drastically different from what the name suggests.

Who are SideWinder’s potential targets?

The domains discovered by Bridewell and Group-IB specialists suggest that SideWinder could have planned attacks against financial and government organizations, as well as companies specialized in e-commerce and mass media in Pakistan and China.

Conclusion

SideWinder is among the most active and prolific threat actors out there. According to Group-IB, between June and November 2021 the group may have targeted as many as 61 organizations in Asia. 

While investigating the threat actors, Group-IB’s and Bridewell’s threat intelligence specialists identified and attributed a large part of the group’s infrastructure, namely 55 domains and IP addresses. In addition, our analysis revealed phishing domains imitating news, finance, media, government, and telecommunications companies.

A close look at the infrastructure used by any group will almost always help with writing hunting rules that can be then used to learn about that group’s attacks in the making and respond to them preemptively. The network indicators provided in this blog post can be used to protect against SideWinder proactively and to search for new infrastructure used by the group.

Like many other APT groups, SideWinder relies on targeted spear phishing as the initial vector. It is therefore important for organizations to deploy business email protection solutions that detonate malicious content.

To enrich indicators of compromise and stay up to date with relevant threats, it is more effective to use threat intelligence solutions.

If your company’s specialists analyze the activity of this or any other APT group, we would be happy to conduct a joint analysis and publish it on our blog.

#FightAgainstCybercrime
#WeStopAttackers

You might also like:

SideWinder.AntiBot.Script. APT SideWinder’s new tool that narrows their reach to Pakistan

Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021

SimpleHarm: Tracking MuddyWater’s infrastructure

Indicators