CYFIRMA analyzes a multi-stage Sidewinder campaign that delivers a malicious Word document whose embedded macro installs a Nim-compiled backdoor named conhost.exe (the name of a legitimate Windows binary) and establishes command-and-control (C2) with the attackers. Attributed to the Sidewinder group (also known as Rattlesnake, BabyElephant, APT Q4 and others) and targeting Nepalese government entities, the operation uses Startup-folder persistence, VBScript and BAT staging scripts, and delays and hidden windows to hinder dynamic analysis.
#Sidewinder #NimBackdoor #conhost #Nepal
Keypoints
- Campaign starts with a spear-phishing email delivering a malicious Word document with an embedded macro targeting government officials in Nepal.
- The embedded macro triggers a multi-stage sequence that creates and runs VBScript and BAT scripts, then extracts conhost.zip and installs the Nim backdoor (conhost.exe).
- The Nim backdoor connects to the attacker’s C2 server, enabling unauthorized access and a reverse shell capability.
- The Sidewinder APT group (aliases include Rattlesnake, Hardcore Nationalist, APT Q4/Q39, BabyElephant, GroupA21) is implicated, with suspected South Asian origin and activity since 2012.
- The campaign employs persistence (Startup folder, scheduled tasks) and evasion techniques to hinder dynamic analysis (delays, hidden windows).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – ‘The threat begins with a potentially spear-phished email delivering a malicious Word document.’
- [T1204.002] User Execution: Malicious File – ‘Upon opening the document, the embedded malicious macro is triggered and executed.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘creates a VBScript file … in the Startup folder … for persistence.’
- [T1140] Deobfuscate/Decode Files or Information – ‘Macro code exhibits advanced evasion techniques, leveraging VBScript, batch files, and scheduled tasks to achieve its objectives.’
- [T1057] Process Discovery – ‘C:\Windows\system32\cmd.exe /c tasklist.exe’ invokes the Windows Command Prompt to list running processes.
- [T1082] System Information Discovery – ‘dynamically retrieves system environment variables such as AppData, LocalAppData, and Temp to construct file paths.’
- [T1041] Exfiltration Over Command and Control Channel – ‘connect to the adversaries’ Command and Control (C2) server.’
- [T1021] Remote Services – ‘The C2 server runs Apache, with Metasploit listening on port 3790 for remote connections.’
Indicators of Compromise
- [MD5] Malicious macro document – E5859B366B93B05414E1E95D65CE7414
- [MD5] conhost.exe – 777fcc34fef4a16b2276e420c5fb3a73
- [SHA1] Malicious macro document – 4319a76108da6dbcc46a8e50dce25bace3dfe518
- [SHA256] Malicious macro document – 7459a6106d3562d72c7a4fee62d106064a3ed5b48e16474da2b448aeacc2a333
- [SHA256] conhost.exe – 696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83
- [URL] Hardcoded C2 infrastructure – http://mail.mofa.govnp.org/mail/AFA/, http://nitc.govnp.org/mail/AFA/, http://dns.govnp.org/mail/AFA/, http://mx1.nepal.govnp.org/mail/AFA/
- [IP] C2 hosting – 213.109.192.93 (resolved from the C2 hostnames hardcoded in the main payload, conhost.exe), hosted in Italy on BlueVPS (AS62005)
- [File Name] Dropped VBScript, BAT, archive and payload artifacts – OCu3HBg7gyI9aUaB.vbs, 81Ghf8kIPIuu3cM.bat, 8lGghf8kIPIuu3cM.bat, skriven.vbs, conhost.zip, conhost.exe
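As an added example (not part of CYFIRMA's report or tooling), the Python script below hunts for the chain described in the key points and the indicators listed above across Sysmon-style process, file, DNS and network events. The event records are constructed for illustration; only the hashes, domains, IP and file names come from the report. The behavioural rules (conhost.exe executing outside System32, tasklist spawned by that rogue conhost.exe, a .vbs/.bat written to or launched from the Startup folder, lookups of any govnp.org sub-domain) are this editor's translation of the described chain, not a signature published by CYFIRMA.

```python
"""Hunt for the Sidewinder conhost.exe chain in Sysmon-style events.

Added example, not CYFIRMA's tooling. The event records below are constructed
for illustration; the hashes, domains, IP and file names are the report's IOCs.
"""
from __future__ import annotations

import re

# --- indicators taken from the report -------------------------------------
IOC_HASHES = {
    "e5859b366b93b05414e1e95d65ce7414",                                  # MD5, macro doc
    "777fcc34fef4a16b2276e420c5fb3a73",                                  # MD5, conhost.exe
    "4319a76108da6dbcc46a8e50dce25bace3dfe518",                          # SHA1, macro doc
    "7459a6106d3562d72c7a4fee62d106064a3ed5b48e16474da2b448aeacc2a333",  # SHA256, macro doc
    "696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83",  # SHA256, conhost.exe
}
IOC_DOMAINS = {"mail.mofa.govnp.org", "nitc.govnp.org", "dns.govnp.org", "mx1.nepal.govnp.org"}
IOC_IPS = {"213.109.192.93"}
IOC_FILENAMES = {"ocu3hbg7gyi9auab.vbs", "81ghf8kipiuu3cm.bat", "8lgghf8kipiuu3cm.bat",
                 "skriven.vbs", "conhost.zip"}

# --- behavioural checks (editor's translation of the described chain) -----
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
REAL_CONHOST = re.compile(r"^[a-z]:\\windows\\system32\\conhost\.exe$", re.I)


def is_rogue_conhost(path: str) -> bool:
    """conhost.exe anywhere except %SystemRoot%\\System32 is masquerading."""
    return path.lower().endswith("\\conhost.exe") and not REAL_CONHOST.match(path)


def hunt(event: dict) -> list[str]:
    """Return the detections that fire for one event (empty list if none)."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "")
        parent = event.get("parent_image", "")
        cmdline = event.get("cmdline", "")
        if is_rogue_conhost(image):
            hits.append("conhost.exe outside System32")
        # T1057: the report's "cmd.exe /c tasklist.exe", keyed on the rogue parent
        # because tasklist from an interactive cmd.exe is far too common to alert on.
        if "tasklist" in cmdline.lower() and is_rogue_conhost(parent):
            hits.append("tasklist spawned by non-system conhost.exe")
        # T1547.001: a script interpreter launched against the Startup folder
        if STARTUP_DIR.search(cmdline):
            hits.append("script executed from Startup folder")
        for algo in ("md5", "sha1", "sha256"):
            if event.get(algo, "").lower() in IOC_HASHES:
                hits.append(f"known-bad {algo}")
    elif kind == "file_create":
        target = event.get("target", "")
        name = target.rsplit("\\", 1)[-1].lower()
        if STARTUP_DIR.search(target) and name.endswith((".vbs", ".bat")):
            hits.append("script dropped in Startup folder")
        if name in IOC_FILENAMES:
            hits.append(f"known dropped file name {name}")
    elif kind == "dns_query":
        query = event.get("query", "").lower().rstrip(".")
        # suffix match: all four C2 hosts are sub-domains of govnp.org
        if query in IOC_DOMAINS or query.endswith(".govnp.org"):
            hits.append(f"C2 domain lookup {query}")
    elif kind == "network_connect":
        if event.get("dest_ip") in IOC_IPS:
            hits.append("connection to C2 IP")
    return hits


def run(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> detections, keeping only the events that fired."""
    out: dict[int, list[str]] = {}
    for i, event in enumerate(events):
        hits = hunt(event)
        if hits:
            out[i] = hits
    return out


# Constructed Sysmon-like events following the chain described in the report
# (user name, document name and paths are invented for the example).
TEMP_CONHOST = r"C:\Users\alice\AppData\Local\Temp\conhost.exe"
STARTUP_VBS = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\OCu3HBg7gyI9aUaB.vbs")
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" document.docm'},
    {"type": "file_create", "image": WINWORD, "target": STARTUP_VBS},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'wscript.exe "{STARTUP_VBS}"'},
    {"type": "process_create", "image": TEMP_CONHOST, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'"{TEMP_CONHOST}"',
     "sha256": "696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": TEMP_CONHOST,
     "cmdline": r"C:\Windows\system32\cmd.exe /c tasklist.exe"},
    {"type": "dns_query", "image": TEMP_CONHOST, "query": "mail.mofa.govnp.org"},
    {"type": "network_connect", "image": TEMP_CONHOST, "dest_ip": "213.109.192.93", "dest_port": 80},
    # benign baseline: the real conhost.exe started by cmd.exe must not fire
    {"type": "process_create", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The hash and file-name matches are brittle (a recompiled payload changes every hash), so the behavioural rules carry the real weight: the legitimate conhost.exe only ever runs from System32, and a script interpreter reading a .vbs out of the Startup folder is rare on managed hosts. The tasklist rule is deliberately tied to the rogue parent rather than to the command line alone, which keeps it quiet on administrators' consoles.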