Sidewinder Advanced Persistent Threat (APT) Shifts to Targeting of Nuclear, Maritime Orgs

by hubie from SoylentNews (#6VZ1C)

Arthur T Knackerbracket has processed the following story:

Kaspersky described Sidewinder as a "highly prolific" advanced persistent threat (APT) group whose previous prey were mostly government and military institutions in China, Pakistan, Sri Lanka, and parts of Africa.

Its recent wider expansion into Africa has caught researchers' attention. Sidewinder ramped up attacks in Djibouti in 2024 and has since focused its attention on Egypt, representing a shift in tactics.

Part of that shift is the increase in attacks against nuclear power plants and other nuclear energy organizations, particularly in South Asia.

Sidewinder, which launched in 2012 and has suspected but not formally confirmed roots in India, hasn't changed its attack methodology much, still relying on old remote code execution (RCE) bugs that are exploited by malicious documents delivered in spear-phishing campaigns.

"The attacker sends spear-phishing emails with a DOCX file attached," said Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov. "The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker.

"The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named Backdoor Loader. This acts as a loader for StealerBot, a private post-exploitation toolkit used exclusively by Sidewinder."
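As an added illustration (not code from the article or from Kaspersky), here is a defender-side check for the first stage described above: it opens a DOCX as an OOXML zip and reports any attachedTemplate relationship whose target is an external URL, which is the mechanism by which a document fetches a template from a remote server when opened. The sample document and its hostname are constructed inline and are not indicators from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that backs w:attachedTemplate in word/settings.xml.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every external http(s) target of an attachedTemplate relationship.

    A benign document has no attachedTemplate or points at a local .dotx; a URL
    here means Word will fetch and process a template from that server on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Only an External relationship with an http(s) target is a remote fetch.
            if rel.get("TargetMode") == "External" and re.match(r"https?://", target, re.I):
                hits.append(target)
    return hits


def build_sample_docx(template_target: str = "") -> bytes:
    """Constructed minimal DOCX (not a real document) holding only the parts the
    scanner inspects; an empty template_target yields a document with no template."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels)
    return buf.getvalue()
```

Run `find_remote_templates(build_sample_docx("http://template-host.invalid/t.rtf"))` to see the placeholder URL reported; a mail gateway or sandbox can apply the same check to attachments before they reach a user.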

The StealerBot implant was first identified in 2024, but Sidewinder has continued to use and refine it in ongoing campaigns. Kaspersky noted that the implant has remained unchanged since its discovery, but the group appears to be developing new iterations of its loader regularly.

The fake documents attached to spear-phishing emails are carefully crafted and appear legitimate upon a cursory inspection. They are also tailored for each target.

[...] The group's main tactics - phishing and an eight-year-old vulnerability - don't immediately bear the hallmarks of a sophisticated bunch of attackers. Kaspersky made the same observation in its previous report on the group but suspects those behind the attacks are highly skilled.

"Sidewinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know [of] the group's software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours."

The fact that it uses well-maintained and effective in-memory malware such as StealerBot also suggests that Sidewinder's various capabilities make it "a highly advanced and dangerous adversary," as Kaspersky puts it.
