The cyber-threat group SideWinder has launched a massive cyberattack campaign targeting over 250 entities across 15 countries in Asia, Africa, the Middle East, and Europe. This recent attack wave has demonstrated the use of a previously unknown post-exploitation tool called StealerBot.
The Attack
SideWinder, active since 2012 and publicly exposed in 2018, has expanded its geographic scope in the last six months. The group has targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates. Affected sectors include government and military entities, logistics, infrastructure, telecommunications, finance, education, and oil trading companies. Diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco have also been targeted.
SideWinder’s Typical Cyberattack Chain
SideWinder’s attack chain begins with spear-phishing emails containing malicious Microsoft OOXML documents or .zip archives with .lnk files. These files trigger a multistage infection chain using JavaScript and .NET downloaders, ultimately installing StealerBot for espionage activities. The documents used in the spear-phishing campaign repurpose content from public websites to lure victims into opening them.
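One place to operationalize the delivery step described above is an attachment triage check at the mail gateway. The following is an added example, not code from the article or from any vendor’s tooling; it assumes a hypothetical gateway hands it the raw attachment bytes, and it flags .lnk files inside .zip archives, including archives nested inside archives. The sample archives it builds are constructed test fixtures, not real lures.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article names as SideWinder lures: .lnk shortcuts delivered
# inside .zip archives. Nested archives are descended into as well.
SHORTCUT_EXT = {".lnk"}
ARCHIVE_EXT = {".zip"}


def suspicious_members(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return archive member paths that are .lnk files, descending into
    nested .zip members up to max_depth levels. Non-zip input yields []."""
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SHORTCUT_EXT:
                hits.append(info.filename)
            elif ext in ARCHIVE_EXT:
                # Nested archive: recurse so a .lnk one level down is still flagged,
                # reported as "outer.zip!inner.lnk".
                inner = zf.read(info)
                hits.extend(f"{info.filename}!{m}"
                            for m in suspicious_members(inner, depth + 1, max_depth))
    return hits


def build_sample(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip with the given members (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure archive with a shortcut posing as a document
# next to a harmless text file, and a clean archive holding only a document.
SAMPLE_LURE = build_sample({"Agenda.pdf.lnk": b"L\x00\x00\x00", "readme.txt": b"hello"})
SAMPLE_CLEAN = build_sample({"report.docx": b"PK-placeholder"})

if __name__ == "__main__":
    print(suspicious_members(SAMPLE_LURE))   # ['Agenda.pdf.lnk']
    print(suspicious_members(SAMPLE_CLEAN))  # []
```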
New StealerBot Modular Malware
StealerBot is an advanced modular implant developed with .NET for espionage activities. It loads malware components into memory using the “ModuleInstaller” downloader, which deploys a Trojan for maintaining a foothold on compromised machines. StealerBot includes modules for installing malware, capturing screenshots, logging keystrokes, stealing passwords, and escalating privileges.
Largely Underestimated Attackers
Although SideWinder is often perceived as low-skilled because it relies on public exploits and remote access Trojans, its true capabilities become apparent upon closer examination of its operations. The group’s significant expansion warrants caution from potential targets.
Indicators of Compromise (IoCs)
To recognize SideWinder and StealerBot on networks, defenders can refer to the comprehensive list of IoCs, including malicious documents, .rtf and .lnk files, and specific IoCs for StealerBot modules. A list of malicious domains and IPs associated with the attacks is also available.
Countries Affected
– Afghanistan
– Bangladesh
– China
– Djibouti
– France
– India
– Indonesia
– Jordan
– Malaysia
– Maldives
– Morocco
– Myanmar
– Nepal
– Pakistan
– Saudi Arabia
– Sri Lanka
– Turkey
– United Arab Emirates
Mitigation
Defenders should be aware of SideWinder’s tactics and apply security patches to prevent exploitation. Monitoring for IoCs and maintaining robust cybersecurity measures can help organizations avoid falling victim to SideWinder’s attacks. To protect against these attacks, organizations should:
1. Implement robust email security measures to prevent spear-phishing.
2. Keep software up-to-date with the latest security patches.
3. Use anti-malware solutions with behavioral detection capabilities.
4. Monitor network traffic for suspicious activity.
5. Conduct regular security audits and vulnerability assessments.
The SideWinder group’s latest attack spree demonstrates its expanding reach and sophistication. Organizations in the affected regions and sectors must remain vigilant and proactive in defending against these threats.
Read More: https://www.darkreading.com/cyberattacks-data-breaches/sidewinder-wide-geographic-net-attack-spree
Additional resources on SideWinder and StealerBot:
– Kaspersky SecureList blog
– Cybersecurity and Infrastructure Security Agency (CISA) advisories
– National Institute of Standards and Technology (NIST) cybersecurity guidelines