SideWinder APT's post-exploitation framework analysis
Oct. 15, 2024, 1:56 p.m.
Description
SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed for espionage activities. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder's infrastructure uses numerous domains with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.
Date
Published: Oct. 15, 2024, 1:29 p.m.
Created: Oct. 15, 2024, 1:29 p.m.
Modified: Oct. 15, 2024, 1:56 p.m.
Indicators
Attack Patterns
ModuleInstaller
StealerBot
Backdoor loader module
SideWinder
T1548
T1012
T1113
T1005
T1021
T1016
T1547
T1082
T1057
T1083
T1055
T1134
T1204
T1033
T1027
T1053
T1056
T1566
T1078
T1003
T1059
CVE-2017-11882
Additional Information
Energy
Defense
Transportation
Education
Finance
Telecommunications
Government
Djibouti
Maldives
British Indian Ocean Territory
Afghanistan
Myanmar
Sri Lanka
Nepal
Bangladesh
India
Saudi Arabia
Jordan
China
United Arab Emirates
Malaysia
Indonesia
France
Morocco
Pakistan