SideWinder APT's post-exploitation framework analysis

Oct. 15, 2024, 1:56 p.m.

Description

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed for espionage activities. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder's infrastructure uses numerous domains with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.

Date

  • Created: Oct. 15, 2024, 1:29 p.m.
  • Published: Oct. 15, 2024, 1:29 p.m.
  • Modified: Oct. 15, 2024, 1:56 p.m.

Indicators


Attack Patterns

  • ModuleInstaller
  • StealerBot
  • Backdoor loader module
  • SideWinder
  • T1548
  • T1012
  • T1113
  • T1005
  • T1021
  • T1016
  • T1547
  • T1082
  • T1057
  • T1083
  • T1055
  • T1134
  • T1204
  • T1033
  • T1027
  • T1053
  • T1056
  • T1566
  • T1078
  • T1003
  • T1059

Additional Information

  • Energy
  • Defense
  • Transportation
  • Education
  • Finance
  • Telecommunications
  • Government
  • Djibouti
  • Maldives
  • British Indian Ocean Territory
  • Afghanistan
  • Myanmar
  • Sri Lanka
  • Nepal
  • Bangladesh
  • India
  • Saudi Arabia
  • Jordan
  • China
  • United Arab Emirates
  • Malaysia
  • Indonesia
  • France
  • Morocco
  • Pakistan

Linked vulnerabilities