Keypoints
- SideWinder has operated since 2012 and recently expanded operations to the Middle East and Africa targeting government and military entities.
- Initial access is obtained via targeted spear‑phishing: OOXML documents that load a remote template, or ZIP archives containing malicious LNK files that invoke mshta.exe.
- Remote template injection is used to download RTF files crafted to exploit CVE-2017-11882; the RTF shellcode decodes and runs JavaScript via RunHTMLApplication.
- A multi‑stage chain loads a JavaScript loader that drops App.dll (.NET downloader), which fetches ModuleInstaller, leading to a sideloaded Backdoor loader and in‑memory StealerBot implant.
- StealerBot is a modular .NET orchestrator with plugins for keylogging, screenshot capture, file theft, browser token extraction, RDP credential theft (process injection), UAC bypass and reverse shells.
- Persistence and execution techniques include Run registry keys, scheduled tasks, DLL sideloading of signed binaries, Windows service creation and UAC bypass routines tailored to installed AV.
- Infrastructure uses numerous spoofed domains and short‑lived VPS hosts for C2, with multiple encoded/obfuscated C2 URLs and embedded configuration values controlling routines and telemetry.
MITRE Techniques
- [T1566] Phishing – Used spear‑phishing emails with malicious OOXML documents, ZIP archives and LNK attachments to deliver the initial payload. [‘spear‑phishing emails with an attachment’]
- [T1204] User Execution – Malicious documents and LNK files trick victims into opening files and launching mshta.exe or template loading. [‘The LNK file points to the “mshta.exe” utility’]
- [T1221] Template Injection – Documents use remote template injection to pull an RTF from attacker infrastructure when opened. [‘All the documents use the remote template injection technique to download an RTF file’]
- [T1203] Exploitation for Client Execution – The fetched RTF exploits CVE-2017-11882 (Equation Editor) to run shellcode on the victim host. [‘RTF files crafted to exploit CVE-2017-11882’]
- [T1059] Command and Scripting Interpreter – JavaScript loaders and mshta.exe execute JS that downloads additional code and decodes App.dll. [‘javascript:eval(“…WinHttp.WinHttpRequest.5.1…eval(x.ResponseText)”]
- [T1105] Ingress Tool Transfer – App.dll and ModuleInstaller download additional payloads (ModuleInstaller, Module DLLs, StealerBot components) from C2 URLs. [‘App.dll is a simple downloader or dropper configured to retrieve another .NET payload from a remote URL’]
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via HKCU Run values pointing to the sideloaded hijack executable in the malware directory. [‘RegKey: HKCU\…\CurrentVersion\Run RegValue: xcschemer (MALWARE_DIRECTORY)’]
- [T1053.005] Scheduled Task/Job: Scheduled Task – ModuleInstaller routines alternatively register a scheduled task to launch the hijack executable. [‘creates persistence via HKCU Run values or scheduled tasks’]
- [T1543.003] Create or Modify System Process: System Service – Installer components create a Windows service (“srclink”) to ensure automatic start and sideloading of malicious DLLs. [‘creates a new Windows service named “srclink” to ensure that the downloaded files can start automatically’]
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Legitimate signed binaries (the VMware executable, fsquirt.exe) are dropped beside malicious DLLs carrying the names they import (winmm.dll, propsys.dll, vsstrace.dll, devobj.dll), so the trusted executable loads the Backdoor loader. [‘legitimate program signed by VMware… used by the attacker to sideload the malicious “winmm.dll”‘]
- [T1036.005] Masquerading: Match Legitimate Name or Location – Dropped libraries reuse system DLL names, the service and Run value use innocuous names (srclink, xcschemer), and C2 domains mimic government and organisational entities. [‘numerous domains…mimicking legitimate entities to evade detection’]
- [T1620] Reflective Code Loading – The Backdoor loader decrypts the payload in memory, loads it as a .NET assembly and invokes its entry method, so the StealerBot Orchestrator never exists on disk in decrypted form. [‘it loads the data as a .NET assembly and invokes the “Program.ctor” method’]
- [T1202] Indirect Command Execution – App.dll launches dropped payloads through pcalua.exe (Program Compatibility Assistant) rather than directly. [‘executes dropped payloads via mshta.exe or pcalua.exe’]
- [T1027] Obfuscated Files or Information – Wide use of XOR, double XOR, base64, custom alphabets, and control‑flow flattening to hide strings, config and payloads. [‘The payload is XORed twice…strings are truncated and the missing part is added at runtime by patching the bytes’]
- [T1562.001] Impair Defenses: Disable or Modify Tools – Patching AmsiScanBuffer in amsi.dll so every call fails with 0x80070057 (E_INVALIDARG) and the scan result reads as clean. [‘it changes… to always return error code 0x80070057…forcing the “Amsi” protection to always return a scan result equal to 0’]
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Modules harvest browser cookies and authentication tokens. [‘steal Google Chrome browser cookies and authentication tokens’]
- [T1056.001] Input Capture: Keylogging – A keylogger plugin runs in memory under the Orchestrator. [‘plugins for keylogging, screenshot capture’]
- [T1113] Screen Capture – A screenshot plugin captures the victim’s desktop. [‘screenshot capture’]
- [T1056.004] Input Capture: Credential API Hooking – RDP credentials are captured by injecting into mstsc.exe and hooking credential APIs with Detours. [‘steal RDP credentials’]
- [T1056.002] Input Capture: GUI Input Capture – A Windows credential prompt (CredUIPromptForWindowsCredentialsW) is raised from code injected into explorer.exe to phish the user’s password. [‘credential phishing via CredUIPromptForWindowsCredentialsW injected into explorer.exe’]
- [T1055] Process Injection – Code is injected into mstsc.exe and explorer.exe to host the credential theft routines. [‘RDP credential theft via mstsc.exe injection and Detours hooks’]
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – UAC bypass via CMSTP or the IElevatedFactoryServer COM interface, with the routine chosen according to the installed AV. [‘UAC bypass using CMSTP or IElevatedFactoryServer COM techniques’]
- [T1041] Exfiltration Over C2 Channel – Stolen data and telemetry uploaded to C2 Modules/Gateway endpoints via HTTP(S) with RSA-signed messages and encrypted payloads. [‘URL used to upload files generated by modules’]
Indicators of Compromise
- [File Hash] Malicious documents – 71f11a359243f382779e209687496ee2 (Nepal Oil Corporation.docx example), 6cf6d55a3968e2176db2bba2134bbe94 and many others (see document hash list).
- [File Hash] StealerBot & modules – 3a036a1846bfeceb615101b10c7c910e (Orchestrator), 47f51c7f31ab4a0d91a0f4c07b2f99d7 (Keylogger), and additional module hashes (several more listed).
- [File Name] Backdoor / sideloaded libraries – propsys.dll, vsstrace.dll, devobj.dll (Backdoor loader variants used for DLL sideloading).
- [Domain / C2] C2 and download URLs – dynamic.nactagovpk[.]org (e.g., hxxps://dynamic.nactagovpk[.]org/735e3a_download), nventic[.]info (download paths like …?name=inpl64), and many spoofed subdomains such as mofa-gov-sa.direct888[.]net.
- [Service / Binary Path] Persistence artifacts – %systemroot%\srclink\svm3dservice.exe and service name “srclink” used to ensure startup and DLL sideloading.
SideWinder’s infection flow begins with targeted spear‑phishing that delivers OOXML documents or ZIP archives containing malicious LNK files. The documents use remote template injection to fetch an RTF weaponized for CVE‑2017‑11882. The RTF shellcode reconstructs truncated API names at runtime, checks for sandbox indicators (less than 2 GB of RAM, a CPU vendor other than Intel or AMD, presence of dotnetlogger32.dll) and calls RunHTMLApplication from mshtml.dll to execute embedded JavaScript that pulls further code from attacker servers. In the LNK variant the shortcut invokes mshta.exe directly to run the JavaScript.
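The remote template step can be triaged statically before a document is ever opened. The Python below is an added example, not code from the original report: Word records an attached template as a relationship of word/settings.xml, and an injected document carries that relationship with TargetMode="External" and a URL target, so the check parses every relationship part in the package and flags attachedTemplate targets that leave the host. The .docx it inspects is constructed in memory, and the template URL, the UNC path and the local Normal.dotm path used as inputs are placeholders chosen for the demonstration, not indicators from the report.

```python
"""Static check for remote template injection in OOXML (.docx) documents.

Added example, not code from the original report. Word stores an attached
template as a relationship of word/settings.xml (word/_rels/settings.xml.rels);
when that relationship is External and points at a URL, Word fetches the
template on open, which is how the documents described above pull in the RTF
exploit. The .docx inspected here is constructed in memory and the URL in it
is a placeholder, not a real indicator.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from html import escape
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)


def is_remote_target(target: str) -> bool:
    """True when a relationship target leaves the local machine.

    Legitimate attached templates are file:///C:/... paths on the local drive,
    so those stay out; HTTP(S), FTP, UNC paths and file:// with a host are in.
    """
    if target.startswith("\\\\"):          # UNC share
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    return parsed.scheme == "file" and parsed.netloc not in ("", "localhost")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the package.

    An empty list means no remote template; anything else deserves a closer look.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # settings.xml.rels owns the relationship, but scan every .rels part so a
        # relocated or duplicated relationship is not missed.
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_remote_target(target):
                    hits.append(target)
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal .docx in memory (constructed fixture, not a real sample).

    When template_target is given, the package carries an External
    attachedTemplate relationship the way an injected document does.
    """
    rels = [f'<Relationships xmlns="{REL_NS}">']
    settings = [f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{escape(template_target, quote=True)}" TargetMode="External"/>')
        settings.append('<w:attachedTemplate r:id="rId1"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                '<w:t>decoy text</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", "".join(settings))
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL standing in for the attacker-controlled template host.
    print(find_remote_templates(build_docx("https://template-host.invalid/template.dotm")))
    # A locally attached Normal.dotm is the common legitimate case and is not flagged.
    print(find_remote_templates(build_docx("file:///C:/Users/victim/Templates/Normal.dotm")))
```

The point of the local-file exception is precision: most documents that carry an attachedTemplate relationship are ordinary files based on a template on the user’s own disk, and a rule that flags every External relationship drowns the one HTTP target that matters. The check does not fetch the template; the URL is the finding, and the RTF behind it is analysed separately.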
The JavaScript loader decodes a base64 payload (App.dll) and invokes Programs.Work(), which either downloads or drops the configured .NET payload. App.dll checks for installed AV products (Avast/AVG etc.) and executes the dropped payload via mshta.exe or pcalua.exe. It can also download ModuleInstaller (ModuleInstaller.dll), which unpacks a bundle of signed legitimate binaries, a configuration file, malicious libraries and encrypted payloads, selects one of six infection routines according to substrings parsed from the URL query (such as “avast”, “360”, “aspers”) and establishes persistence via HKCU Run values or scheduled tasks. ModuleInstaller reports status to C2 URLs encoded with a custom base64 alphabet and retrieves a configuration whose fields (LOAD_DLL_URLs, HIJACK_EXE_URL, RUN_KEY and other runtime parameters) control the deployment.
The sideloaded Backdoor loader decrypts the encrypted payload (a file without extension) in memory, patches AmsiScanBuffer in amsi.dll so AMSI returns a clean result, and loads the StealerBot Orchestrator as a .NET assembly. The Orchestrator receives and updates modules via RSA‑signed messages from C2 whose payloads are XOR, XOR+Gzip or AES encrypted, and runs the plugins in memory: keylogging, screenshots, file stealing (searching for .doc/.ppt/.ppk/.pdf and similar extensions), browser token theft, RDP credential theft via injection into mstsc.exe and Detours hooks, credential phishing through CredUIPromptForWindowsCredentialsW injected into explorer.exe, UAC bypass through CMSTP or the IElevatedFactoryServer COM interface, and remote command execution through a Live Console/reverse shell. Installer components reinforce deployment by creating a Windows service (srclink) and sideloading malicious DLLs through legitimate signed executables.
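The execution and persistence artifacts in the two paragraphs above translate directly into hunting logic. The Python below is an added example, not from the original report: five rules run over Sysmon‑style events (Image, CommandLine, TargetObject, Details, ImageLoaded) plus the Windows service‑install event, covering mshta.exe running inline JavaScript, pcalua.exe used as an execution proxy, HKCU Run values pointing into user‑writable directories, system DLL names loaded from outside the Windows system directories, and services whose binary lives outside System32 or Program Files. The events are constructed for the demonstration (the xcschemer path under AppData, the stage2.exe name and the SID are placeholders), and the trusted‑directory lists are an assumption a defender tunes to the estate.

```python
"""Hunting rules for the execution and persistence artifacts described above.

Added example, not from the original report. Events are constructed for the
demonstration and use Sysmon field names (Image, CommandLine, TargetObject,
Details, ImageLoaded) plus the Windows service-install event; the directory
allow-lists are assumptions a defender tunes locally.
"""
import re
from typing import Dict, Iterable, List, Tuple

# DLL names the page reports as sideloaded loaders, plus winmm.dll.
SIDELOADED_DLLS = {"propsys.dll", "vsstrace.dll", "devobj.dll", "winmm.dll"}
# Where those DLLs legitimately live (lower-case, trailing separator).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Acceptable homes for Run-key targets and service binaries (assumption: tune per estate).
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
SCRIPT_IN_CMDLINE = re.compile(r"javascript:|https?://", re.IGNORECASE)


def _binary(cmdline: str) -> str:
    """Pull the executable path out of a command line ("quoted path" or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def _under(path: str, roots: Tuple[str, ...]) -> bool:
    """Case-insensitive prefix test against a tuple of directory roots."""
    return path.strip('"').lower().startswith(roots)


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the rule names an event trips (empty list means clean)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:   # Sysmon process creation
        image = str(ev.get("Image", "")).lower()
        cmd = str(ev.get("CommandLine", ""))
        if image.endswith("\\mshta.exe") and SCRIPT_IN_CMDLINE.search(cmd):
            hits.append("mshta_inline_script")       # LNK -> mshta.exe javascript:...
        if image.endswith("\\pcalua.exe") and re.search(r"\s-a\s", cmd):
            hits.append("pcalua_proxy_execution")    # App.dll launching a payload via pcalua
    elif eid == 13:  # Sysmon registry value set
        if RUN_KEY.search(str(ev.get("TargetObject", ""))) and \
                not _under(_binary(str(ev.get("Details", ""))), TRUSTED_DIRS):
            hits.append("run_key_untrusted_path")    # Run value into the malware directory
    elif eid == 7:   # Sysmon image load
        loaded = str(ev.get("ImageLoaded", ""))
        if loaded.lower().rsplit("\\", 1)[-1] in SIDELOADED_DLLS and not _under(loaded, SYSTEM_DIRS):
            hits.append("system_dll_sideloaded")     # signed EXE loading a look-alike DLL
    elif eid in (4697, 7045):  # Security 4697 / System 7045: a service was installed
        if not _under(_binary(str(ev.get("ServiceFileName", ""))), TRUSTED_DIRS):
            hits.append("service_untrusted_path")    # e.g. srclink under %systemroot%\srclink
    return hits


def hunt(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run every rule over a stream of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events: the first five mirror the page's artifacts, the last three are benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" javascript:var x=new ActiveXObject('WinHttp.WinHttpRequest.5.1');eval(x.ResponseText)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\pcalua.exe",
     "CommandLine": "pcalua.exe -a C:\\Users\\victim\\AppData\\Local\\Temp\\stage2.exe"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xcschemer",
     "Details": "C:\\Users\\victim\\AppData\\Local\\xcschemer\\fsquirt.exe"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\xcschemer\\fsquirt.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\xcschemer\\propsys.dll"},
    {"EventID": 7045, "ServiceName": "srclink",
     "ServiceFileName": "C:\\Windows\\srclink\\svm3dservice.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\propsys.dll"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Two design points matter here. The service rule deliberately does not trust %systemroot% as a whole: the srclink binary sits in a subdirectory of the Windows folder, which is exactly why the allow‑list names System32, SysWOW64 and WinSxS rather than C:\Windows. And the sideloading rule keys on DLL name plus location instead of hash, because the malicious propsys.dll, vsstrace.dll or devobj.dll changes per victim while the fact that a system DLL name is being resolved from a user‑writable directory does not.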