The South Asian APT organization SideWinder has been on a tear for the past two years gone, launching nearly 1,000 raids and deploying increasingly sophisticated assault techniques.
Earlier this week, Noushin Shaba, a senior security researcher at Kaspersky shared her findings at the Black Hat Asia conference regarding SideWinders’ attacking methodologies. The APT group primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries.
SideWinder has been active since at least 2012 and primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries. In recent years, they have also targeted departments of Foreign Affairs, Scientific and Defence organizations, Aviation, IT industry, and Legal firms. Some of their newly registered domains and spear-phishing documents indicate this threat actor is expanding the geography of its targets to other countries and regions.
SideWinder has become one of the planet's most prolific hacking groups by expanding the geography of its targets to other countries and regions. However, the reason behind its expansion remains unknown.
Last year, the group deployed new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and Open Office documents. Kaspersky has observed unique encryption keys deployed across over 1,000 malware samples sourced from the group.
Threat actors even ran two versions of its obfuscation techniques over several months, and appear to have shifted from an older and less stealthy version to its current malware.
SideWinder also exchanges domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.
In January 2020, Trend Micro researchers revealed that they had unearthed SideWinder exploiting a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android users when it was first published.
“I think what really makes them stand out among other APTs [advanced persistent threat] actors are the big toolkit they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure. I have not seen 1,000 attacks from a single APT from another group until further,” Shaba stated.
