SideWinder APT's post-exploitation framework analysis

Oct. 15, 2024, 1:56 p.m.

Description

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed for espionage activities. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder's infrastructure uses numerous domains with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.

Date

Published: Oct. 15, 2024, 1:29 p.m.

Created: Oct. 15, 2024, 1:29 p.m.

Modified: Oct. 15, 2024, 1:56 p.m.

Indicators

e858d6d5e93f768e0cb9271a6e9a841086a14ff7abe3ee51d5f69f9a6c325028

be271f5e1c588e8f46c988bdae35cef90b0621c42e4195bec5e456d167097f0d

922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6

8d4b11acce641ec5b33b3fc90ec82a2fcdf2e243cb33558e16d7321488a2c70b

8780e03bbbe833f797509f9ca0b3fd37eb84b63299a88723c82d9518c56bd5a7

2a183e571fa26a7f74943c42d3997c6b18ed133ee4b749fb1770ffadd7241f1e

e21396bf5f9936310b4f53273db330a9620d78c1c744277b0e9126f0afdbc29d

e1ae44d26899969d520789e23c777d6c07785da23454664ad12b2783946a617c

b565bd60e9182746de76feeebe7f85902e22ee3a22d5d55a278be7340923806e

a11fab6de2c5111833e9e4a6f69ce5dded17085a3d8ae21c7fcfa00d7e113c9b

9d02bf092fdcf44a51ae6e264ec3e3e57afbe79622c92a797e33fb62ed495cda

9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a

931aee9ba0e51804cb354a3a41830721e41a0fab6758aa19a43eaf1abe621b4d

89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e

613068422c214b944c7b2e3fb60412ed99d35c9e18d53d45b16965c5a36f734a

55a0bbde3e32c559715cdc9c7d30d003b9e14725a6369d30edef20c1ed6dd994

1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323

170ccf1225154fa0cd92a14219f0b912479cc4095203646c38a31bb78baafe9f

15ce7d3c879975ca81777cf58f47409283e34ec1fe8e966fde608bc7eda16646

https://split.tyoin.biz/7n6at/g3mnr/1691394613799/f0f9e572

https://pafgovt.com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E

https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64

https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr

https://nasc.org.np/news/closing-ceremony-training-program-financial-management-and-audit-officials-nepal-oil

https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64

https://mora.healththebest.com/8eee4f/mora/hta?q=0

https://dynamic.nactagovpk.org/735e3a_download?data=

https://dynamic.nactagovpk.org/ef1c4f_download

https://dynamic.nactagovpk.org/735e3a_download

https://dynamic.nactagovpk.org/0df7b2_download

https://dynamic.nactagovpk.org/27419a_download

http://split.tyoin.biz/7n6at/g3mnr/1691394613799/f0f9e572

http://sa.direct888.net/015094_consulategz\

http://pafgovt.com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E

http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64

http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr

http://dynamic.nactagovpk.org/ef1c4f_download

http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64

http://dynamic.nactagovpk.org/735e3a_download?data=

http://dynamic.nactagovpk.org/27419a_download

http://dynamic.nactagovpk.org/735e3a_download

http://dynamic.nactagovpk.org/0df7b2_download

Attack Patterns

ModuleInstaller

StealerBot

Backdoor loader module

SideWinder

T1548

T1012

T1113

T1005

T1021

T1016

T1547

T1082

T1057

T1083

T1055

T1134

T1204

T1033

T1027

T1053

T1056

T1566

T1078

T1003

T1059

CVE-2017-11882

Additional Information

Energy

Defense

Transportation

Education

Finance

Telecommunications

Government

Djibouti

Maldives

British Indian Ocean Territory

Afghanistan

Myanmar

Sri Lanka

Nepal

Bangladesh

India

Saudi Arabia

Jordan

China

United Arab Emirates

Malaysia

Indonesia

France

Morocco

Pakistan