Friday, December 13, 2024

Multiple international maritime services targeted in a new wave of SideWinder cyber attacks.

A nation-state threat actor known as SideWinder is assessed to be behind a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea.

The BlackBerry Research and Intelligence Team, which analyzed the spear-phishing campaign, identified the targeted countries as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, also tracked as APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. Active since 2012, the group has relied primarily on spear-phishing as the entry point for delivering its malicious payloads and kicking off the rest of the infection chain.

The Canadian cybersecurity firm said in its assessment that SideWinder relies on three techniques, email spear-phishing, document exploitation, and DLL side-loading, to evade detection and deliver targeted implants.

The latest phishing lures use emotionally charged themes, including sexual harassment, job termination, and salary cuts, to pressure recipients into opening booby-trapped Microsoft Word documents.

Once opened, the decoy document abuses a known Office vulnerability (CVE-2017-0199, remote template injection) to contact a malicious domain masquerading as Pakistan's Directorate General of Ports and Shipping ("studies.dgps-govtpk[.]com") and retrieve an RTF file.

That RTF document in turn downloads a file that exploits CVE-2017-11882, a years-old flaw in the Microsoft Office Equation Editor, to run shellcode that launches JavaScript code. The JavaScript is only executed after the chain verifies that the compromised system is legitimate and of interest to the threat actor.

While the exact JavaScript payload remains unknown, its primary purpose appears to be intelligence gathering, consistent with SideWinder's previous campaigns.

BlackBerry notes that SideWinder continues to improve its infrastructure in order to target victims in new regions, and that the steady evolution of its network infrastructure and delivery payloads suggests the group will keep up its attacks for the foreseeable future.
