From banks to battalions: SideWinder’s attacks on South Asia’s public sector

SideWinder APT has launched a sophisticated cyber espionage campaign targeting government institutions in Sri Lanka, Bangladesh, and Pakistan by exploiting the legacy Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882. The attackers use geofenced spear phishing, multistage loaders, and DLL sideloading to deliver StealerBot, a credential stealer built for persistent access and data exfiltration.

Key points

  • SideWinder targets high-level government and military institutions in Sri Lanka, Bangladesh, and Pakistan using spear phishing with geofenced payload delivery to limit infection to specific countries.
  • Initial infection vectors rely on malicious Word and RTF documents exploiting CVE-2017-0199 and CVE-2017-11882, both legacy Microsoft Office vulnerabilities enabling remote code execution.
  • The intrusion chain involves multistage loaders, shellcode-based payload execution, and server-side polymorphism for evasion and stealthy deployment of malicious payloads.
  • The final deployed malware, StealerBot, is a credential-harvesting tool that establishes persistence via DLL sideloading and exfiltrates victim information to SideWinder-controlled servers.
  • SideWinder’s command-and-control infrastructure sees periodic updates and domain rotations, with spikes in activity observed in early 2025.
  • Targets include elite units like Sri Lanka Army’s 55th Division and critical financial institutions like the Central Bank of Sri Lanka, with lure documents customized per target for credibility.
  • Despite relying on long-patched vulnerabilities, the campaign remains effective because outdated Office installations are widespread and the attackers layer evasion techniques such as sandbox checks and network filtering based on geolocation and user-agent.

MITRE Techniques

  • [T1566.001] Phishing – Use of spear phishing emails leveraging customized lure documents for high-value targets in Sri Lanka, Bangladesh, and Pakistan.
  • [T1204] User Execution – Reliance on victims opening malicious Word and RTF files that exploit legacy vulnerabilities (CVE-2017-0199, CVE-2017-11882) to trigger code execution.
  • [T1218.005] System Binary Proxy Execution – Prior campaigns used mshta.exe for payload delivery; this campaign shifted to shellcode-based loaders for execution.
  • [T1055] Process Injection – Shellcode injects malicious PE files into legitimate processes like explorer.exe to evade detection (‘shellcode injects embedded PE file into explorer.exe’).
  • [T1105] Ingress Tool Transfer – Downloading multistage payloads and encoded payloads from attacker-controlled servers following successful exploitation.
  • [T1140] Deobfuscate/Decode Files or Information – Use of multiple layers of encoding (XOR and Base64) to obfuscate payloads and communications (‘server’s response is obfuscated using base64 encoding followed by XOR encryption’).
  • [T1213] Data from Information Repositories – StealerBot collects system and credential information from victim devices for exfiltration.
  • [T1050] New Service – Creation of persistence mechanisms using DLL sideloading, e.g., malicious DLL (wdscore.dll) loaded by a legitimate executable (TapiUnattend.exe).
  • [T1027] Obfuscated Files or Information – Shellcode stores function names and URLs encoded on the stack to bypass static detection.
  • [T1083] File and Directory Discovery – StealerBot collects detailed system information including installed antivirus and hardware data before exfiltration.

Indicators of Compromise

  • [File Hashes] Malicious document and payload hashes – Example: SHA256 57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d (malicious Word document), SHA256 c62e365a6a60e0db4c2afd497464accdb783c336b116a5bc7806a4c47b539cc5 (StealerBot payload), plus numerous unique MD5 and SHA256 hashes for RTF files and DLLs.
  • [Domains] Command-and-Control domains – Examples: army-govbd.info, updates-installer.store, dwnlld.com, bismi.pro, milqq.info, showing extensive domain registration primarily in early 2025 for infrastructure rotation.
  • [URLs] Payload delivery and C2 URLs – Examples: hxxps://advisory.army-govbd.info/ISPR/d81b2d23/Accept_EULA.rtf, hxxps://ecility.xyz (StealerBot control panel).
  • [File Names] Key malicious files – TapiUnattend.exe (legitimate signed binary used for DLL sideloading), wdscore.dll (malicious DLL loader), HBG6XFRE.JZS7 (encoded StealerBot payload), IpHelper.dll (helper module).
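The DLL sideloading persistence above (signed TapiUnattend.exe loading a malicious wdscore.dll) is a pattern a defender can hunt for in image-load telemetry. The script below is an added example, not code from the report or from Acronis; it assumes Sysmon Event ID 7 records rendered as key="value" pairs, assumes the legitimate pairing lives under the Windows system directories, and runs over constructed sample lines.

```python
import re
from typing import Optional

# Assumed known-good location of the signed host binary and its DLL; the
# report names TapiUnattend.exe and wdscore.dll but not the drop directory.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HOST_BINARY = "tapiunattend.exe"
SIDELOADED_DLL = "wdscore.dll"

# Sysmon Event ID 7 (Image loaded) rendered as key="value" pairs.
_EVENT_RE = re.compile(r'Image="(?P<image>[^"]+)"\s+ImageLoaded="(?P<dll>[^"]+)"', re.I)

# Constructed sample log: one benign load from System32, one rogue pairing
# dropped into a user profile directory, and one unrelated image load.
SAMPLE_LOG = r"""
Image="C:\Windows\System32\TapiUnattend.exe" ImageLoaded="C:\Windows\System32\wdscore.dll"
Image="C:\Users\victim\AppData\Roaming\Tapi\TapiUnattend.exe" ImageLoaded="C:\Users\victim\AppData\Roaming\Tapi\wdscore.dll"
Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\ntdll.dll"
"""

def parse_image_load(line: str) -> Optional[dict]:
    """Return {'image', 'dll'} with lower-cased paths, or None if the line is not an image-load event."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    return {"image": m.group("image").lower(), "dll": m.group("dll").lower()}

def _in_system_dir(path: str) -> bool:
    return path.startswith(SYSTEM_DIRS)

def is_sideload(event: dict) -> bool:
    """Flag TapiUnattend.exe loading wdscore.dll when either file sits outside
    the Windows system directories, i.e. the attacker-copied sideloading pair."""
    if not event["image"].endswith("\\" + HOST_BINARY):
        return False
    if not event["dll"].endswith("\\" + SIDELOADED_DLL):
        return False
    return not (_in_system_dir(event["image"]) and _in_system_dir(event["dll"]))

def find_sideloads(log_text: str) -> list:
    """Scan image-load records and return the events matching the sideloading pattern."""
    hits = []
    for line in log_text.splitlines():
        event = parse_image_load(line)
        if event and is_sideload(event):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print("possible DLL sideload:", hit["image"], "->", hit["dll"])
```

Extend SYSTEM_DIRS or the binary/DLL pair to cover other signed hosts your environment allows; the same check also applies to the IpHelper.dll helper module if its expected parent process is known.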


Read more: https://www.acronis.com/en-us/cyber-protection-center/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/