Threat Research

SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey

Securonix

SideWinder has been observed employing server-side polymorphism to deliver campaigns against Pakistan government officials, and the operation is now targeting Turkey. Campaigns rely on dynamically generated payloads delivered via malicious RTF attachments and remote download URLs. #SideWinder #Pakistan #Turkey #server-side-polymorphism

Keypoints

  • SideWinder uses server-side polymorphism to generate diverse malware variants for its campaigns.
  • The initial targets were Pakistan government officials; activity has expanded to Turkey.
  • The campaigns rely on malicious RTF attachments and remote download links to deliver payloads.
  • A wide set of IOCs (hashes, URLs, domains, and IPs) were observed associated with the operations.
  • Infrastructure includes multiple domains and hosting networks used to host and distribute malicious files.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The attackers deliver payloads via malicious RTF attachments linked in phishing messages. “SideWinder uses server-side polymorphism to attack Pakistan government officials.”
  • [T1204.002] User Execution: Malicious File – Victims open the malicious RTF attachments to trigger the malware. “RTF attachments … file[.]rtf”
  • [T1105] Ingress Tool Transfer – The malware is downloaded or retrieved from remote URLs as part of the infection flow. “hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf”
  • [T1071.001] Web Protocols – The operation leverages web-based resources (URLs) to fetch payloads and communicate. “https[:]//forecast[.]comsats-net[.]com/5760/1/5035/2/0/0/0/m/files-4a0480ae/file[.]rtf”

Indicators of Compromise

  • [URL] context – hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf, hxxts[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf
  • [URL] context – hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf, https[:]//forecast[.]comsats-net[.]com/5760/1/5035/2/0/0/0/m/files-4a0480ae/file[.]rtf
  • [IP] context – 185.205.187[.]234, 5.230.73[.]106
  • [Domain] context – slpa.mod-gov[.]org, mailrta.mfagov[.]org
  • [IP] context – 62.113.255[.]80, 194.61.121[.]216
  • [Domain] context – promotionlist.comsats-net[.]com, mailnavybd.govpk[.]net

Read more: https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint