Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Multiphase Polymorphic Attack. Show all posts

SideWinder APT Group: Victims in Pakistan and Turkey Stricken with Multiphase Polymorphic Attack


Government authorities and individuals in Turkey are apparently been targeted by India’s well-known SideWinder APT group, which is using polymorphism techniques, enabling bypass standard signature-based antivirus (AV) detection and deliver a next-stage payload.

In an article published on their blog on May 8, the researchers from the BlackBerry Threat Research and Intelligence team described how attacks make use of documents with information catered to their interests that, when opened, leverages a remote template injection issue to deliver malicious payloads.

The campaign's first phase, identified last November, targets Pakistani targets with a server-side polymorphic attacks, while a later phase, discovered earlier this year, employs phishing techniques to spread malicious lure documents to victims. 

While, rather than using malicious macron with documents to disseminate malware, which is frequently the case when documents are used as lures, the APT uses the CVE-2017-0199 vulnerability to deliver the payloads.

How Polymorphism Deceits Defenders 

Attackers have been utilizing the Server-side polymorphism as a way to evade detection by AV tools. The researchers noted that it accomplishes this by utilizing malicious code that modifies its appearance through encryption and obfuscation, ensuring that no two samples seem the same and are therefore difficult to analyze.

“The attack can fool defenders because it serves the victim with a new sample each time a link is clicked,” says Dmitry Bestuzhev, senior director of cyber-threat intelligence at BlackBerry. “In this case, each new download has a new hash, which “effectively breaks hash-based detections used by security operations centers (SOCs) and some endpoint scanners,” he says.

“Since there’s a new hash each time, there is no information on a given sample on public multi scanners like VirusTotal unless each new sample is uploaded over and over for further analysis[…]So it makes life harder for the victims because of the lack of information on public sandboxes and other-like security services,” Bestuzhev continues. 

The Latest Threat Campaigns 

Blackberry researchers evaluated the campaign's numerous documents, which were located on an attacker-controlled server and distributed to victims. Researchers first came across one with the subject line "GUIDELINES FOR BEACON JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)," and in early December identified another that claimed to be a letter of offer and acceptance "for the purchase of defense articles, defense services, or both."

In both of these cases, “The name of the file ‘file.rtf’ and the file type are the same; however, the contents, file size and the file hash are different[…]This is an example of server-based polymorphism, where each time the server responds with a different version of file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection),” they added.

In case the user does not fall under the Pakistani IP range, 8 byte RTF file that contains a single string. In contrary, if the user is within the Pakistani IP range, the server then returns the RTF payload, varying between 406KB to 414KB in size.

Attacks Expanding to Turkey and Beyond 

Early in March, the researchers found a new malicious document connected to the prior attack that had been transmitted via phishing emails. This discovery suggested that Turkey had become a new target country for SideWinder. The servers were put up so that a victim in Turkey could get a second-stage payload, according to the researchers, who discovered them in mid-March.

While Southeast Asian regions like Pakistan and Sri Lanka have always been prime targets of SideWinder, them targeting victims in Turkey makes sense, considering their geopolitical conditions where the Turkish Government has been backing Pakistan, sparking criticism from India, according to the researchers.

While polymorphic attacks overall can be difficult to defend against, detection and prevention strategies based on behavior and hashes can be effectively used against them, Bestuzhev notes.

“The key for organizations to mitigate these attacks”, Bestuzhev adds, “is not to focus on volatile indicators of compromise but on meaningful tactics, techniques, and procedures (TTPs) and behaviors in the system or code blocks covered by machine learning technologies.”