
Researchers Reveal SideWinder’s Latest Server-Based Polymorphism Technique
An advanced persistent threat actor (APT) known as SideWinder has been accused of deploying backdoors in attacks aimed against Pakistani government organizations as part of a campaign that started in late November 2022.
“In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage of payload,” the BlackBerry Research and Intelligence Team said in a technical report published Monday.
Another campaign uncovered by the Canadian cybersecurity firm in early March 2023 suggests Turkey is also in the threat actor’s priority crosshairs.
SideWinder has been on the radar since at least 2012 and is known to target various Southeast Asian entities located in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal and Sri Lanka.
Suspected of being an Indian state-sponsored group, SideWinder is also tracked under the names APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4.
Attack sequences mounted by the actor typically rely on carefully crafted email lures and side-loading techniques to fly under the radar and deploy malware capable of giving the actors remote access to targeted systems.
Over the past year, SideWinder has been linked to a cyber attack directed at the Pakistan Navy War College (PNWC), as well as an Android malware campaign that used rogue phone cleaner and VPN apps uploaded to the Google Play Store to harvest sensitive information.
The latest infection chain documented by BlackBerry mirrors findings from Chinese cybersecurity firm QiAnXin in December 2022 detailing the use of a PNWC decoy document to drop a lightweight .NET-based backdoor (App.dll) capable of fetching and executing next-stage malware from a remote server.
What also made this campaign stand out was the threat actor’s use of server-based polymorphism as a way to circumvent traditional signature-based antivirus (AV) detection and distribute the incremental payload by responding with two different versions of an intermediate RTF file.
In particular, the PNWC document uses a method known as remote template injection to fetch the RTF file in such a way that the malicious code is only served if the request originates from an IP address in Pakistan’s IP address range.
“It is important to note that in both cases, only the file name ‘file.rtf’ and the file type are the same, but the content, file size, and file hash are different,” explained BlackBerry.
“If the user is not in Pakistan’s IP range, the server returns an 8-byte RTF file (file.rtf) containing a single string: {\rtf1 }. However, if the user is in Pakistan’s IP range, the server then returns an RTF payload, whose size varies between 406 KB – 414 KB.”
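The two behaviours described above, a document that reaches out for a remote template and a server that answers the same URL with different content depending on who asks, are what a defender can check for. The following Python example is added here and is not code from BlackBerry’s report or from the campaign; it builds a constructed .docx in memory, flags any externally-targeted attachedTemplate relationship (the OOXML mechanism behind remote template injection), and classifies a fetched template response so that the 8-byte `{\rtf1 }` placeholder is recognised as a geofencing tell rather than a benign empty file. The sample URL `http://example.invalid/file.rtf` is a placeholder, not an indicator from the page.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional

# Real OOXML relationship type that Word follows to load an attached template;
# an External TargetMode on this relationship is what makes a document fetch
# its template over the network when opened.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")

# The 8-byte placeholder the report says the server returns to clients
# outside the targeted IP range.
EMPTY_RTF_STUB = b"{\\rtf1 }"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every remote attachedTemplate target referenced by a .docx."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # One <Relationship .../> element at a time; \b keeps the enclosing
            # <Relationships> container from matching.
            for match in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = match.group(0)
                if ATTACHED_TEMPLATE_REL not in tag:
                    continue
                if 'TargetMode="External"' not in tag:
                    continue
                target = re.search(r'Target="([^"]+)"', tag)
                if target and target.group(1).lower().startswith(REMOTE_PREFIXES):
                    targets.append(target.group(1))
    return targets


def classify_template_response(data: bytes) -> Dict[str, object]:
    """Summarise a fetched template: size, hash and what it actually is.

    Because the server varies the content per request, the hash is only
    useful as a record, not as a signature; the verdict is what to alert on.
    """
    if data == EMPTY_RTF_STUB:
        verdict = "empty-rtf-stub"      # geofenced placeholder, not a real document
    elif data.startswith(b"{\\rtf"):
        verdict = "rtf-content"         # a real RTF body came back; inspect it
    else:
        verdict = "not-rtf"
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "verdict": verdict,
    }


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx (placeholder parts) for testing the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(
            "word/settings.xml",
            '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if template_target is not None:
            rels = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/'
                'package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document pointing at a placeholder remote template.
    doc = build_sample_docx("http://example.invalid/file.rtf")
    print("remote templates:", find_remote_templates(doc))
    print("stub response:", classify_template_response(EMPTY_RTF_STUB))
```

In practice the scanner runs over inbound attachments and the classifier over whatever a sandbox or proxy retrieves from the template URL: a document that pulls any remote template is worth blocking or detonating on its own, and a sandbox that only ever sees the empty stub should treat that as evidence the server is fingerprinting the requester, not as a clean verdict.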
The revelations came shortly after Fortinet and Team Cymru disclosed details of attacks carried out by a Pakistan-based threat actor known as SideCopy against Indian defense and military targets.
“The latest SideWinder campaign targeting Turkey overlaps with the latest developments in geopolitics; in particular, in Turkey Pakistani support and further reaction from India,” BlackBerry said.