SideWinder APT Group Sets Sights on Ports and Maritime Facilities in Espionage Campaign
The notorious nation-state threat actor SideWinder has launched a sophisticated new campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea, according to a recent report from BlackBerry Threat Research and Intelligence.
Researchers have uncovered evidence suggesting the group is focusing its efforts on Pakistan, Egypt, and Sri Lanka, with additional indications of interest in Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder employs spear-phishing, document exploitation, and DLL side-loading techniques to avoid detection and deliver targeted implants.
SideWinder, believed to be of Indian origin, has been active since 2012, and is known for its advanced tactics, techniques, and procedures (TTPs). In this latest campaign, the group has upgraded its infrastructure and employed new techniques to evade detection and deliver targeted implants.
A visual lure contained in one of the malicious documents | Image: BlackBerry Threat Research and Intelligence
The threat actor meticulously crafts malicious documents to appear legitimate, often incorporating familiar logos, company names, and themes that the target would recognize. For instance, we observed falsified documents purportedly from the Port of Alexandria and the Port Authority of the Red Sea.
These documents use a remote template injection technique (CVE-2017-0199) to gain initial access to the target’s system. This known vulnerability in Microsoft Office is exploited when a user opens or previews a specially crafted file. Despite the availability of a patch since 2017, many organizations with outdated infrastructures remain vulnerable.
The attack chain begins with a phishing email containing a URL linking to a malicious site, where the next stage file is downloaded. Once opened, the document contacts a specified URL address and downloads the subsequent stage of the attack, often involving a rich text format (RTF) file that exploits CVE-2017-11882. The shellcode in the file checks the victim’s system and only proceeds if the system is real, ensuring the attack avoids detection by security teams.
The stage two command-and-control (C2) infrastructure utilizes an old Tor node, possibly to obfuscate network analysis. However, delivery infrastructure can still be identified through various techniques, including DNS analysis.
The BlackBerry report provides a detailed technical analysis of SideWinder’s TTPs, including indicators of compromise (IOCs) that organizations can use to detect and mitigate this threat.
