SideWinder Leverages Enhanced Infrastructure to Focus on Mediterranean Ports and Maritime Facilities

BlackBerry Threat Research and Intelligence identifies a renewed SideWinder campaign targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea, backed by upgraded infrastructure and newer tactics for espionage. The operation focuses on gathering intelligence from Pakistan, Egypt, Sri Lanka, and other nearby regions using spear-phishing, document exploitation, and multi-stage payloads.
#SideWinder #RazorTiger #PortAlexandria #PortAuthorityRedSea #Pakistan #Egypt #SriLanka

Keypoints

  • SideWinder (also known as Razor Tiger, Rattlesnake, T-APT-04) has been active since 2012 and is linked to India, with a new campaign aimed at ports and maritime facilities.
  • The campaign targets maritime organizations in the Indian Ocean and Mediterranean Sea, with domains and documents suggesting Pakistan, Egypt, Sri Lanka, and other regional targets.
  • Phishing emails use highly specific logos and themes to deceive victims and prompt interaction with malicious documents.
  • Initial exploitation relies on CVE-2017-0199 (remote template injection) in Microsoft Office, with a second stage leveraging CVE-2017-11882 and RTF payloads.
  • Visual decoys (“visual bait”) are employed to distract victims and induce opening of malicious documents, often under emotive or urgent subjects.
  • The attack chain includes spear-phishing, document exploitation, DLL side-loading, and multi-stage payloads delivered via compromised documents and remote templates.
  • Recommended defenses include keeping systems patched, phishing awareness training, advanced email filtering, and threat detection/response capabilities.

MITRE Techniques

  • [T1204] User Execution – Users are tricked into executing malicious files.
  • [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript is used to execute commands on the victim’s system.
  • [T1203] Exploitation for Client Execution – Exploits vulnerabilities in software to execute malicious code.
  • [T1047] Windows Management Instrumentation – Utilizes WMI for executing commands and scripts.
  • [T1480] Execution Guardrails – Ensures that malware only runs in specific environments.
  • [T1221] Template Injection – Injects malicious templates into documents.
  • [T1027] Obfuscated Files or Information – Obfuscates files to evade detection.
  • [T1140] Deobfuscate/Decode Files or Information – Decodes obfuscated files to execute malicious payloads.
  • [T1105] Ingress Tool Transfer – Transfers tools into the target environment.
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses web protocols for command and control communication.
  • [T1518.001] Discovery – Gathers information about the system to tailor attacks.

Indicators of Compromise

  • [Hash] Stage 2 payloads – 2462db3be57df824f003f74d7a16cacb, 142c6a4c7e9efbf6f3176df3ff218449bb4f7b2a69d60060e6339f1c3cc95d93
  • [Domain] Delivery infrastructure domains – dgps-govtpk.com, paknavy-govpk.com, and 2 more domains
  • [IP] Hosting IPs for delivery – 91.195.240.123, 5.230.35.199, and other related IPs
  • [File Name] Malicious documents used in first-stage delivery – INVESTIGATION_OF_SEXUAL_HARASSMENT.docx, File.rtf
  • [URL] Malicious URLs used in the campaign – https://investigation04.session-out.com/fbd901_harassment/doc.rtf, https://reports.dgps-govtpk.com/63645534-case/doc.rtf

Read more: https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea