Researchers have uncovered a new campaign by SideWinder, a nation-state threat actor believed to originate from India that has been active since 2012.
Analysis of phishing emails suggests the campaign is targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The attack’s first stage implies that the group is targeting Pakistan, Egypt and Sri Lanka, while the second stage indicates additional focus on Bangladesh, Myanmar, Nepal and the Maldives.
Researchers believe the campaign’s goal is espionage and intelligence gathering, consistent with SideWinder’s previous activities.
SideWinder Tactics, Techniques, and Procedures (TTPs)
Researchers from BlackBerry Threat Research and Intelligence team noted that the SideWinder group has upgraded its infrastructure and tactics towards sophisticated email spear-phishing, document exploitation, and DLL side-loading techniques, designed to avoid detection and deliver targeted implants. The attack chain begins with a phishing email containing a malicious document with highly specific logos and themes familiar to targets, often related to specific port infrastructure.
One example mimicked a letter from the Port of Alexandria, while another impersonated the Red Sea Port Authority. The documents use emotionally charged language about topics like employee termination, alleged sexual harassment incidents or salary cuts to compel victims to open attachments immediately.
The document analyzed by the researchers uses a remote template injection technique exploiting the CVE-2017-0199 vulnerability to gain initial access to the target’s system. The CVE-2017-0199 vulnerability, which was patched in 2017, is often exploited by threat actors in phishing campaigns.
Next, a rich text format (RTF) file is used to download an additional malicious document containing shellcode to exploit the CVE-2017-11882 vulnerability upon access. The shellcode also checks the victim’s system to see if it is a real environment or a virtual machine, ensuring that the attack chain remains undetected.
If the script passes the environment checks, additional JavaScript code is loaded from a remote server for execution.
SideWinder Obfuscation Techniques
The second stage of the attack chain utilizes an old Tor node, which is used to mask online traffic and provide anonymous web browsing. However, the delivery infrastructure for the second stage can still be identified via an 8-byte file, an RTF document returned by the C2 when outside of the targeted geographical area.
The C2 also uses an old Tor node, which is used to mask online traffic and provide anonymous web browsing. However, researchers identified multiple domains with similar naming structures ready for use in the campaign.
Countermeasures and Conclusion
While the researchers were not able to obtain live samples of the JavaScript code delivered in the final stage of the campaign, they speculate that the goal of the operation is espionage and intelligence gathering based upon SideWinder’s previous campaigns.
The researchers emphasized the importance of patching systems, as SideWinder continues to exploit older vulnerabilities that have fixes available. They have also shared the following additional recommendations:
- Organizations that rely on Microsoft Office should take special precaution to keep all systems updated due to the exploit of CVE-2017-0199 and CVE-2017-11882 in the campaign.
- Employees should be trained to protect against phishing campaigns.
- Organizations should implement advanced email filtering solutions to protect against malicious phishing campaigns.
- Organizations should invest in advanced real-time threat detection and response solutions.
The research team continues to monitor the threat actor’s operations, such as its tooling and use of malicious files, for additional insight.