SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

July 30, 2024, 4:29 p.m.

Description

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as carefully crafted phishing emails with visual lures tailored to specific target organizations. The campaign aims to compromise ports and maritime facilities in the Indian Ocean and Mediterranean Sea regions for espionage and intelligence gathering. The attack chain involves exploiting vulnerabilities in Microsoft Office and downloading malicious JavaScript payloads from the group's infrastructure. SideWinder continuously evolves its tactics, making it an ongoing threat.

Date

  • Created: July 30, 2024, 3:39 p.m.
  • Published: July 30, 2024, 3:39 p.m.
  • Modified: July 30, 2024, 4:29 p.m.

Indicators


Attack Patterns

Additional Information

  • Maldives
  • Egypt
  • Myanmar
  • Sri Lanka
  • Nepal
  • Bangladesh
  • Pakistan

Linked vulnerabilities