Rattling the cage of a Sidewinder

An in-depth look at the Sidewinder threat actor reveals a sprawling infrastructure of domains and document-based lures used to target government and defense entities across South Asia. The analysis highlights the actor’s use of attachment-based campaigns and a pattern described as 404 scanning to distribute payloads and test/evade defenses. Hashtags: #Sidewinder #Specific404Scanning #PakistanNavy #SriLankaNavy

Keypoints

  • The article catalogs a large set of attacker-controlled or compromised domains used to host documents and potential payloads associated with Sidewinder.
  • Attachment-based lures rely on Word documents (e.g., Product.docx, Note Verbale.docx, DMP (Navy) Visit.docx) to entice targets.
  • Targets include government and defense-related entities across South Asia, evidenced by domain patterns linked to MOFA, navy, and other official-sounding names.
  • Artifacts such as Leakage of Sensitive Data on Dark Web.docx suggest data exfiltration or leakage themes within the campaigns.
  • Campaigns feature a wide variety of document types (docx, pdf, rtf) and numerous signatures in the metadata, implying layered document-based delivery.
  • The article provides an extensive list of IOCs (domains, file names, and MD5 hashes) to aid detection and response.
  • A recurring pattern described as “Specific 404 scanning” appears across multiple domains, indicating probing or testing for live targets.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The actor lures recipients with Word document attachments such as “Note Verbale.docx” and “DMP (Navy) Visit.docx”, both of which appear among the listed artifacts.
  • [T1071.001] Application Layer Protocol: Web Protocols – The operation relies on a network of domains, described as “a web of compromised domains”, to host and distribute documents and payloads, using web services for delivery and potential C2.
  • [T1041] Exfiltration – The presence of a file named “Leakage of Sensitive Data on Dark Web.docx” suggests data exfiltration or leakage themes via external channels.

Indicators of Compromise

  • [Domain] context – cstc-spares-vip-163.dowmload[.]net, mofagov-pk.donwloaded[.]com, mtss.bol-south[.]org, and 2 more domains
  • [File name] context – Product.docx, Note Verbale.docx, and 2 more file names
  • [MD5 hash] context – 8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad, e1ae44d26899969d520789e23c777d6c07785da23454664ad12b2783946a617c, and 2 more hashes
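
Added example (not code from the StrikeReady article): a small Python scanner that refangs the domains listed above and checks web-proxy log lines for those hosts and for the lure filenames. The log layout and the sample lines are constructed assumptions; the status field is kept so that 404 responses from IOC hosts can be reviewed alongside the article's 404-scanning observation.

```python
"""Match the defanged Sidewinder domain and attachment-name IOCs from this
summary against web-proxy log lines (sample lines below are constructed)."""
from __future__ import annotations
from urllib.parse import unquote, urlsplit

# Domains as listed in the summary, in defanged form; refang before matching.
DEFANGED_DOMAINS = [
    "cstc-spares-vip-163.dowmload[.]net",
    "mofagov-pk.donwloaded[.]com",
    "mtss.bol-south[.]org",
]
LURE_FILENAMES = ["Product.docx", "Note Verbale.docx"]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging back into a real value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
FILENAMES = {f.lower() for f in LURE_FILENAMES}


def scan_proxy_line(line: str) -> dict | None:
    """Return a hit record if the URL touches an IOC domain (or a subdomain of
    one) or ends in a known lure filename; None otherwise. Assumed (constructed)
    log layout: '<ts> <client-ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, _method, url, status = parts[:5]
    host = (urlsplit(url).hostname or "").lower()
    path_name = unquote(urlsplit(url).path.rsplit("/", 1)[-1]).lower()
    domain_hit = next((d for d in DOMAINS if host == d or host.endswith("." + d)), None)
    # A lure filename alone is a weak signal (legitimate files share names);
    # it is reported separately so an analyst can weigh it against the host.
    file_hit = path_name if path_name in FILENAMES else None
    if not (domain_hit or file_hit):
        return None
    return {"ts": ts, "client": client, "host": host, "status": status,
            "domain": domain_hit, "filename": file_hit}


SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.1.4.22 GET http://mofagov-pk.donwloaded.com/Note%20Verbale.docx 200
2024-03-01T09:12:07Z 10.1.4.22 GET http://mofagov-pk.donwloaded.com/probe/zz 404
2024-03-01T09:15:44Z 10.1.7.9 GET https://intranet.example/Product.docx 200
2024-03-01T09:16:02Z 10.1.7.9 GET https://www.mofa.gov.pk/index.html 200
"""


def scan_log(text: str) -> list[dict]:
    """Scan every line of a proxy log and collect the hit records."""
    return [h for h in (scan_proxy_line(ln) for ln in text.splitlines()) if h]
```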

Read more: https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder