Trellix ARC has uncovered a sophisticated espionage campaign by the SideWinder APT group targeting South Asian diplomatic and government entities through a novel PDF and ClickOnce infection chain. This campaign demonstrates an evolution in SideWinder’s tactics, using region-specific geofenced payloads and legitimate digital signatures to evade detection. #SideWinder #CVE-2017-0199
Key points
- SideWinder APT is conducting targeted espionage operations across South Asia, focusing on diplomatic and government institutions.
- The campaign uses fake PDFs with “Update Adobe Reader” buttons that download malicious ClickOnce applications.
- Attackers employ DLL side-loading and digital certificates from MagTek Inc. to maintain legitimacy and avoid detection.
- The malware, including ModuleInstaller and StealerBot, exfiltrates sensitive data and uses geofencing so that payloads are delivered only to targets in South Asia.
- Trellix attributes the campaign to SideWinder, highlighting its evolving tactics and infrastructure reuse to hinder research efforts.