The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in targeted attacks against government organizations in Pakistan as part of a campaign that began in late November 2022.
“In this campaign, the SideWinder Advanced Persistent Threat (APT) group used a server-based polymorphism technique to deliver the next-stage payload,” said BlackBerry’s research and intelligence team in a technical report published on Monday.
Another campaign discovered by the Canadian cybersecurity firm in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor’s collection priorities.
SideWinder has been on the radar since at least 2012 and is primarily known to target various Southeast Asian entities located in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.
Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the aliases APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger and T-APT4.
Typical actor-mounted attack sequences involve using carefully crafted email decoys and DLL sideloading techniques to fly under the radar and deploy malware capable of granting actors remote access to target systems.
Over the past year, SideWinder has been linked to a cyberattack targeting the Pakistan Navy War College (PNWC), as well as an Android malware campaign that took advantage of rogue phone-scrubbing VPN apps and VPN apps uploaded to Google Play Store to collect sensitive information.
The latest chain of infections documented by BlackBerry reflects findings by Chinese cybersecurity firm QiAnXin in December 2022 that detailed the use of PNWC-themed lure documents to deliver a lightweight .NET-based backdoor (App.dll) that is capable of retrieving and executing next-stage malware from a remote server.
What also makes the campaign stand out is the threat actor’s use of server-based polymorphism as a way to potentially bypass traditional signature-based antivirus (AV) detection and distribute additional payloads by responding with two different versions of an intermediate RTF file.
Specifically, the PNWC document uses a method known as remote template injection to obtain the RTF file so that it only contains the malicious code if the request comes from a user in the IP address range of Pakistan.
“It is important to note that in both cases, only the file name ‘file.rtf’ and the file type are the same; however, the content, file size and file hash are different,” BlackBerry explained.
“If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) containing a single string: rtf1. However, if the user is within Pakistani IP range, the server then returns the RTF payload, which varies between 406 KB and 414 KB in size.”
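Because the server hands back a different file.rtf (different content, size and hash) depending on the requester's IP range, a detection keyed on the hash of the fetched RTF is unreliable; the stable artifact is the lure document itself, which carries an external attachedTemplate relationship pointing at the server. The scanner below is an added example, not BlackBerry's or QiAnXin's code: it opens a .docx as a ZIP, walks the relationship parts and reports any template that would be fetched over http(s) at open time. The hostname and the build_docx helper are constructed for the demonstration and are not indicators from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for an attached template (local or remote).
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

def find_remote_templates(docx_bytes):
    """Return (rels_part, url) pairs for every attachedTemplate that points
    at an http(s) URL. A template fetched over the network when the document
    opens is the remote-template-injection primitive; a file:/// Normal.dotm
    on the local machine is ignored as benign."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("Type") != TEMPLATE_REL:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    hits.append((name, target))
    return hits

def build_docx(settings_rels_xml):
    """Constructed minimal .docx for testing: only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()

# Constructed samples; template.invalid is a placeholder, not a real indicator.
REMOTE_RELS = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
               f'Type="{TEMPLATE_REL}" Target="http://template.invalid/file.rtf" '
               'TargetMode="External"/></Relationships>')
LOCAL_RELS = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
              f'Type="{TEMPLATE_REL}" Target="file:///C:/Users/u/Normal.dotm" '
              'TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, rels in (("remote", REMOTE_RELS), ("local", LOCAL_RELS)):
        print(label, find_remote_templates(build_docx(rels)))
```

Run it against real mail attachments by passing the file bytes to find_remote_templates; any hit is worth a sandbox detonation regardless of what the template server answers to your own request.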
The revelation comes shortly after Fortinet and Team Cymru revealed details of attacks perpetrated by a Pakistan-based threat actor known as SideCopy against Indian defense and military targets.
“SideWinder’s latest campaign targeting Turkey overlaps with more recent developments in geopolitics; specifically, Turkey’s support for Pakistan and the resulting backlash from India,” BlackBerry said.
Ikaroa, a full-stack tech company, is proud to report on recent research findings involving the SideWinder server-based polymorphism technique. A team of researchers conducted a comprehensive investigation into how servers can be used to generate mutated variants of malware.
The findings of the research point to the potential of this technology to allow malicious actors to accurately and quickly target systems, and to evade traditional security measures. This type of polymorphic attack is capable of inflicting significant damage to an organization’s system.
The team proposed a framework for SideWinder polymorphism, which integrates multiple components, such as the server itself, the agent, and the payload. The server acts as a hub that allows for the mutation of the malware, while the agent and payload interact with each other to deliver the attack.
The research paper explains that SideWinder polymorphism is possible due to the ability to rapidly generate multiple malware variants. This allows attackers to target vulnerable systems more efficiently, by using a combination of mutated malware.
The team noted that SideWinder polymorphism can be deployed in many ways, including through malicious emails and network reconnaissance. Furthermore, they also found that the technique can be used to evade anti-virus and intrusion detection measures.
The implications of this research are far-reaching, as it could lead to more sophisticated malware than ever before. This is why Ikaroa is taking a close look at the potential of this technique, to determine how we can best protect our customers and their systems.
We at Ikaroa remain committed to ensuring that our customers and their systems are safe and secure, and this is why we are strongly considering the implications of SideWinder polymorphism. We will continue to evaluate the threats posed by this type of attack and work to ensure that our customers remain safe.