A bogus VPN program for Android smartphones was uploaded on the Google Play Store, along with a proprietary tool that screens users for improved targeting, according to phishing efforts linked to an advanced threat actor known as SideWinder.
SideWinder is an APT organization that has been operating since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.
Over 1,000 cyber attacks were ascribed to this gang in the last two years, according to Kaspersky, who praised its persistence and clever obfuscation tactics. Organizations in Pakistan, China, Nepal, and Afghanistan are the principal targets.
The threat actor uses spear-phishing emails to spread malicious ZIP bundles containing RTF or LNK files that install an HTML Application (HTA) payload from a remote server.
The adversary uses a pretty big infrastructure that includes over 92 IP addresses, mostly for phishing assaults, and hundreds of domains and subdomains that serve as command and control servers.
SideWinder, also known by the names, RattleSnake, Razor Tiger, T-APT-04, APT-C-17, and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and commercial sector institutions in Pakistan.
A phishing document tempting victims with a document advocating "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security" was discovered earlier this year by researchers at cybersecurity firm Group-IB.
While the exact purpose of the bogus VPN program is unknown, this isn't the first time SideWinder has gotten around Google Play Store restrictions by publishing malicious apps disguised as utility software.
Trend Micro reported in January 2020 that three malicious applications masquerading as photography and file manager utilities used a security weakness in Android (CVE-2019-2215) to acquire root access and abuse accessibility service rights to gather sensitive data.
