SideWinder, an advanced persistent threat (APT) group, has intensified attacks on military, government, and logistics entities, primarily in Asia and Africa. Its tooling combines regularly updated malware with an old but still effective exploit, CVE-2017-11882 in Microsoft Office, and its recent operations show a strategic focus on maritime infrastructure and the nuclear energy sector. Affected: Government, Military, Logistics, Maritime, Nuclear Energy, Telecommunications, IT Services, Consulting, Real Estate, Hotels
Keypoints :
- SideWinder is a prolific APT group that targets military and governmental entities, primarily in Asia and Africa.
- In 2024, the group expanded its operations significantly, increasing attacks on maritime infrastructures and logistics companies.
- They have shown specific interest in nuclear power plants and energy sectors in South Asia.
- The initial infection vector is spear-phishing email carrying a malicious document that exploits CVE-2017-11882, a memory-corruption bug in the Microsoft Office Equation Editor.
- SideWinder has updated and diversified its malware, including the “Backdoor Loader” and “StealerBot”.
- Attacks have been reported across multiple countries including Djibouti, Egypt, and various Southeast Asian nations.
- They continuously enhance their toolsets and techniques to evade detection.
- Regular employee training and comprehensive patch management remain the key defences: the exploited vulnerability has had a vendor patch available since November 2017.
MITRE Techniques :
- Exploitation for Client Execution (T1203) – Malicious Office documents exploit CVE-2017-11882 to run shellcode on the victim's machine.
- Phishing: Spearphishing Attachment (T1566.001) – Spear-phishing emails deliver malicious DOCX files to selected victims.
- Application Layer Protocol (T1071) – Server-controlled scripts fetch further payloads from the group's command-and-control infrastructure.
- Obfuscated Files and Information (T1027) – Obfuscated JavaScript inside HTA files conceals the malware's activity.
- Security Software Discovery (T1518.001) – Enumerates installed security products before deploying further payloads.
Indicators of Compromise :
- [MD5] e9726519487ba9e4e5589a8a5ec2f933
- [MD5] d36a67468d01c4cb789cd6794fb8bc70
- [MD5] 313f9bbe6dac3edc09fe9ac081950673
- [MD5] bd8043127abe3f5cfa61bd2174f54c60
- [MD5] e0bce049c71bc81afe172cd30be4d2b7
- [MD5] 872c2ddf6467b1220ee83dca0e118214
- [MD5] 3d9961991e7ae6ad2bae09c475a1bce8
- [MD5] a694ccdb82b061c26c35f612d68ed1c2
- [MD5] f42ba43f7328cbc9ce85b2482809ff1c
- [MD5] 0216ffc6fb679bdf4ea6ee7051213c1e
- [MD5] 433480f7d8642076a8b3793948da5efe
- [Domain] pmd-office[.]info
- [Domain] modpak[.]info
- [Domain] dirctt888[.]info
- [Domain] modpak-info[.]services
- [Domain] dirctt888[.]com
- [Domain] depo-govpk[.]com
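The indicators above are defanged and, as extracted, were run together, so a practitioner's first job is to turn them into something a log search can use. The script below is an added example, not code from the Securelist report or from this page; it refangs the listed domains, splits the [MD5] values at 32 hex characters, and runs the result over constructed sample DNS-query log lines (the `host=... qname=...` format and the log entries themselves are assumptions made for the demonstration, not real telemetry). The domain check is deliberately label-aware so that a lookalike such as `notmodpak.info` or a different zone such as `modpak.info.cdn.example` does not produce a false hit.

```python
"""IOC matcher for the SideWinder indicators listed above.

Added example: the indicator values come from the list above; the DNS log
format, the sample log lines and the 'observed' hashes are constructed for
this demonstration and are not real telemetry.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the list above, kept in their defanged form.
DEFANGED_DOMAINS = [
    "pmd-office[.]info",
    "modpak[.]info",
    "dirctt888[.]info",
    "modpak-info[.]services",
    "dirctt888[.]com",
    "depo-govpk[.]com",
]
MD5_IOCS = [
    "e9726519487ba9e4e5589a8a5ec2f933",
    "d36a67468d01c4cb789cd6794fb8bc70",
    "313f9bbe6dac3edc09fe9ac081950673",
    "bd8043127abe3f5cfa61bd2174f54c60",
    "e0bce049c71bc81afe172cd30be4d2b7",
    "872c2ddf6467b1220ee83dca0e118214",
    "3d9961991e7ae6ad2bae09c475a1bce8",
    "a694ccdb82b061c26c35f612d68ed1c2",
    "f42ba43f7328cbc9ce85b2482809ff1c",
    "0216ffc6fb679bdf4ea6ee7051213c1e",
    "433480f7d8642076a8b3793948da5efe",
]

# Constructed sample DNS-query log lines (assumed key=value format, not real data).
SAMPLE_DNS_LOG = """\
2024-11-02T10:14:03Z host=ws-17 qname=www.microsoft.com qtype=A
2024-11-02T10:14:09Z host=ws-17 qname=update.depo-govpk.com. qtype=A
2024-11-02T10:15:41Z host=ws-03 qname=MODPAK-INFO.SERVICES qtype=TXT
2024-11-02T10:16:02Z host=ws-03 qname=notmodpak.info qtype=A
2024-11-02T10:16:30Z host=ws-21 qname=modpak.info.cdn.example qtype=A
"""

_QNAME_RE = re.compile(r"\bqname=(\S+)")
_HOST_RE = re.compile(r"\bhost=(\S+)")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and (.) for '.', hxxp for http), lower-case,
    and drop a trailing dot so FQDN-style names compare equal to bare names."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").strip().lower().rstrip("."))


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def matching_domain(qname: str, ioc_domains: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that qname equals or sits under, else None.
    The suffix test requires a label boundary ('.' + ioc), so 'notmodpak.info'
    does not hit 'modpak.info', and 'modpak.info.cdn.example' (another zone) does not either."""
    q = refang(qname)
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, qname, matched_ioc) for every log line whose query hits an IOC."""
    hits = []
    for line in text.splitlines():
        qm, hm = _QNAME_RE.search(line), _HOST_RE.search(line)
        if not qm:
            continue
        ioc = matching_domain(qm.group(1))
        if ioc:
            hits.append((hm.group(1) if hm else "?", qm.group(1), ioc))
    return hits


def check_hashes(observed: Iterable[str]) -> List[str]:
    """Return observed MD5s (any case, stray whitespace tolerated) that are in the IOC list.
    Values that are not exactly 32 hex characters are ignored rather than silently mismatched."""
    known = {h.lower() for h in MD5_IOCS}
    out = []
    for h in observed:
        norm = h.strip().lower()
        if _MD5_RE.match(norm) and norm in known:
            out.append(norm)
    return out


if __name__ == "__main__":
    for host, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {host} queried {qname} (IOC {ioc})")
    # Constructed observations: one listed IOC in upper case with whitespace, one benign value.
    print("hash hits:", check_hashes([" 0216FFC6FB679BDF4EA6EE7051213C1E ",
                                      "d41d8cd98f00b204e9800998ecf8427e"]))
```

Against the constructed log, only the `update.depo-govpk.com.` and `MODPAK-INFO.SERVICES` queries match; the two lookalikes are correctly ignored. Adapt `_QNAME_RE` and `_HOST_RE` to your own resolver or EDR export format before using this on real data.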
Full Story: https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/