📃Title: SideWinder APT’s post-exploitation framework analysis
📅Date: 2024-10-15
🔗References:

Description

The SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain that begins with spear-phishing emails carrying malicious attachments. A new post-exploitation toolkit called ‘StealerBot’ has been discovered, designed for espionage activities. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder’s infrastructure uses numerous domains with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Kaspersky
  • target-information=“Afghanistan”
  • target-information=“Bangladesh”
  • target-information=“British Indian Ocean Territory”
  • target-information=“China”
  • target-information=“Djibouti”
  • target-information=“France”
  • target-information=“India”
  • target-information=“Indonesia”
  • target-information=“Jordan”
  • target-information=“Malaysia”
  • target-information=“Maldives”
  • target-information=“Morocco”
  • target-information=“Myanmar”
  • target-information=“Nepal”
  • target-information=“Pakistan”
  • target-information=“Saudi Arabia”
  • target-information=“Sri Lanka”
  • target-information=“United Arab Emirates”
  • threat-actor RAZOR-TIGER
  • sector=“Academia - University”
  • sector=“Finance”
  • sector=“Government, Administration”
  • sector=“Infrastructure”
  • sector=“Logistic”
  • sector=“Military”
  • sector=“Oil”
  • sector=“Telecoms”
  • 04856c5c-870e-43c4-95a4-8e3dcb8b2582=“c62008f8-576a-4495-9e3f-5b1f1f398167”
  • mitre-attack-pattern=[‘T1113’, ‘T1033’, ‘T1003’, ‘T1547’, ‘T1082’, ‘T1053’, ‘T1005’, ‘T1055’, ‘T1021’, ‘T1548’, ‘T1016’, ‘T1059’, ‘T1083’, ‘T1204’, ‘T1057’, ‘T1566’, ‘T1078’, ‘T1027’, ‘T1056’, ‘T1012’, ‘T1134’]

MISP event uuid: a013c3bb-1b42-4372-9a24-fd1efedf4004

Indicator of Compromise (IoCs)

type,value,comment
md5, 3a036a1846bfeceb615101b10c7c910e, 'StealerBot - Orchestrator. No sample in VT; last check: 02/05/2025'
md5, 47f51c7f31ab4a0d91a0f4c07b2f99d7, 'StealerBot - Keylogger. No sample in VT; last check: 02/05/2025'
md5, f3058ac120a2ae7807f36899e27784ea, 'StealerBot - Screenshot grabber. No sample in VT; last check: 02/05/2025'
md5, 0fbb71525d65f0196a9bfbffea285b18, 'StealerBot - File stealer. No sample in VT; last check: 02/05/2025'
md5, 1ed7ad166567c46f71dc703e55d31c7a, 'StealerBot - Live Console. No sample in VT; last check: 02/05/2025'
md5, 2f0e150e3d6dbb1624c727d1a641e754, 'StealerBot - RDP Credential Stealer. No sample in VT; last check: 02/05/2025'
md5, bf16760ee49742225fdb2a73c1bd83c7, 'StealerBot - RDP Credential Stealer – Injected library. No sample in VT; last check: 02/05/2025'
md5, b3650a88a50108873fc45ad3c249671a, 'StealerBot - Token Grabber. No sample in VT; last check: 02/05/2025'
md5, 4c40fcb2a12f171533fc070464db96d1, 'StealerBot - Credential Phisher – Injected library. No sample in VT; last check: 02/05/2025'
md5, eef9c0a9e364b4516a83a92592ffc831, 'StealerBot - UACBypass. No sample in VT; last check: 02/05/2025'
domain, 126-com.live, ''
domain, 163inc.com, ''
domain, afmat.tech, ''
domain, alit.live, ''
domain, aliyum.tech, ''
domain, aliyumm.tech, ''
domain, asyn.info, ''
domain, ausibedu.org, ''
domain, bol-south.org, ''
domain, cnsa-gov.org, ''
domain, colot.info, ''
domain, comptes.tech, ''
domain, condet.org, ''
domain, conft.live, ''
domain, dafpak.org, ''
domain, decoty.tech, ''
domain, defenec.net, ''
domain, defpak.org, ''
domain, detru.info, ''
domain, dgps-govpk.co, ''
domain, dgps-govpk.com, ''
domain, dinfed.co, ''
domain, dirctt88.co, ''
domain, dirctt88.net, ''
domain, direct888.net, ''
domain, direct88.co, ''
domain, directt888.com, ''
domain, donwload-file.com, ''
domain, donwloaded.com, ''
domain, donwloaded.net, ''
domain, dowmload.net, ''
domain, downld.net, ''
domain, download-file.net, ''
domain, downloadabledocx.com, ''
domain, dynat.tech, ''
domain, dytt88.org, ''
domain, e1ix.mov, ''
domain, e1x.tech, ''
domain, fia-gov.com, ''
domain, fia-gov.net, ''
domain, gov-govpk.info, ''
domain, govpk.info, ''
domain, govpk.net, ''
domain, grouit.tech, ''
domain, gtrec.info, ''
domain, healththebest.com, ''
domain, jmicc.xyz, ''
domain, kernet.info, ''
domain, kretic.info, ''
domain, lforvk.com, ''
domain, mfa-gov.info, ''
domain, mfa-gov.net, ''
domain, mfa-govt.net, ''
domain, mfacom.org, ''
domain, mfagov.org, ''
domain, mfas.pro, ''
domain, mitlec.site, ''
domain, mod-gov-pk.live, ''
domain, mofa.email, ''
domain, mofagovs.org, ''
domain, moittpk.net, ''
domain, moittpk.org, ''
domain, mshealthcheck.live, ''
domain, nactagovpk.org, ''
domain, navy-mil.co, ''
domain, newmofa.com, ''
domain, newoutlook.live, ''
domain, nopler.live, ''
domain, ntcpak.live, ''
domain, ntcpak.org, ''
domain, ntcpk.info, ''
domain, ntcpk.net, ''
domain, numpy.info, ''
domain, numzy.net, ''
domain, nventic.info, ''
domain, office-drive.live, ''
domain, pafgovt.com, ''
domain, paknavy-gov.org, ''
domain, paknavy-govpk.info, ''
domain, paknavy-govpk.net, ''
domain, pdfrdr-update.com, ''
domain, pdfrdr-update.info, ''
domain, pmd-office.com, ''
domain, pmd-office.live, ''
domain, pmd-office.org, ''
domain, ptcl-net.com, ''
domain, scrabt.tech, ''
domain, shipping-policy.info, ''
domain, sjfu-edu.co, ''
domain, support-update.info, ''
domain, tazze.co, ''
domain, tex-ideas.info, ''
domain, tni-mil.com, ''
domain, tsinghua-edu.tech, ''
domain, tumet.info, ''
domain, u1x.co, ''
domain, ujsen.net, ''
domain, update-govpk.co, ''
domain, updtesession.online, ''
domain, widge.info, ''
md5, a7aad43a572f44f8c008b9885cf936cf, '“Backdoor loader module” dropped as devobj.dll. No sample in VT; last check: 02/05/2025'
md5, d3136d7151f60ec41a370f4743c2983b, 'XML manifest. No sample in VT; last check: 02/05/2025'
md5, 56e7d6b5c61306096a5ba22ebbfb454e, '“Backdoor loader module” dropped as propsys.dll. No sample in VT; last check: 02/05/2025'
hostname, nextgen.paknavy-govpk.net, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, premier.moittpk.org, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, cabinet-division-pk.fia-gov.com, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, navy-lk.direct888.net, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, srilanka-navy.lforvk.com, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, portdjibouti.pmd-office.org, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, portdedjibouti.shipping-policy.info, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, mofa-gov-sa.direct888.net, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, mod-gov-bd.direct888.net, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, mmcert-org-mm.donwloaded.com, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
hostname, opmcm-gov-np.fia-gov.net, 'The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers'
md5, 7f357621ba88a2a52b8146492364b6e0, 'Library used to bypass UAC abusing IElevatedFactoryServer COM object. No sample in VT; last check: 02/05/2025'
md5, b0f0c29f4143605d5f958eba664cc295, 'Malicious library used to download additional malware. No sample in VT; last check: 02/05/2025'
md5, f492b2d5431985078b85c78661e20c09, 'Shellcode to run libraries in memory. No sample in VT; last check: 02/05/2025'
md5, ba2914b59c7ae08c346fc5a984dcc219, 'Program used for Slui UAC bypass technique. No sample in VT; last check: 02/05/2025'
url, https://dynamic.nactagovpk.org/735e3a_download, 'C2 URLs embedded in the code'
url, https://dynamic.nactagovpk.org/0df7b2_download, 'C2 URLs embedded in the code'
url, https://dynamic.nactagovpk.org/27419a_download, 'C2 URLs embedded in the code'
url, https://dynamic.nactagovpk.org/ef1c4f_download, 'C2 URLs embedded in the code'
md5, a107f27e7e9bac7c38e7778d661b78ac, 'C++ library used to download two malicious libraries and create persistence points. No sample in VT; last check: 02/05/2025'
url, https://mofa-gov-sa.direct888.net/015094_consulategz, 'The loaded JavaScript downloads and executes additional script code from a remote website'

Full IOCs available in Rectifyq's MISP