Cyber criminal group “SideWinder” targets Pakistan with new espionage tool
Islamabad: SideWinder, also referred to as T-APT-04 or RattleSnake, is one of the most active advanced persistent threat (APT) groups and has been operating since 2012. Over the years, it has mainly focused on military and governmental organizations in Pakistan, Sri Lanka, China, and Nepal, as well as other industries and nations in South and Southeast Asia. Its targets include government and military organizations, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading firms.
Recently, the Kaspersky Global Research and Analysis Team (GReAT) identified that the SideWinder APT group is broadening its attack operations into the Middle East and Africa, utilizing a previously unidentified espionage toolkit named ‘StealerBot.’ Kaspersky found that recent campaigns targeted high-profile organizations and critical infrastructure in these regions; the overall campaign remains active and may claim additional victims.
In addition to its geographic expansion, Kaspersky uncovered that SideWinder is deploying a previously unknown post-exploitation toolkit called ‘StealerBot.’ This sophisticated modular implant is specifically crafted for espionage purposes. During its latest investigation, Kaspersky noted that StealerBot engages in a variety of malicious actions, such as installing supplementary malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, intercepting RDP (Remote Desktop Protocol) credentials, exfiltrating files, and more.
“In essence, StealerBot is a covert espionage instrument that enables threat actors to surveil systems while evading straightforward detection. It functions through a modular design, with each element intended to fulfill a particular role. Notably, these modules do not manifest as files on the system’s hard drive, complicating traceability. Instead, they are loaded directly into memory,” states Giampaolo Dedola, lead security researcher at Kaspersky’s GReAT.
Kaspersky first reported on the group’s activities in 2018. The actor’s primary infection vector is spear-phishing email carrying malicious documents that exploit Office vulnerabilities; it occasionally uses LNK, HTML, and HTA files packed inside archives instead. The documents frequently contain information sourced from public websites, designed to entice the victim into opening the file under the impression that it is legitimate. Kaspersky observed multiple malware families being deployed across concurrent campaigns, including both custom-developed and modified, publicly accessible remote access Trojans (RATs).
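The paragraph above names the delivery pattern defenders can screen for at the mail gateway: archives whose members are LNK, HTML or HTA files rather than documents. The following triage script is an added example written for this article, not code from Kaspersky or from the SideWinder report. It builds a constructed sample ZIP attachment in memory (no real SideWinder artefact is used), then flags members by extension, by document-style double extension, and by content (a Windows shell link header under a non-.lnk name). The `.htm` alias and the document-extension list are assumptions made for the example; the LNK header bytes follow the MS-SHLLINK specification.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the article names as SideWinder's lure carriers inside archives.
# (.htm is added as an alias of .html; an assumption for this example.)
LURE_EXTENSIONS = {".lnk", ".hta", ".html", ".htm"}
# Extensions a lure is typically disguised with via a double extension
# (assumed list for this example).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
# Windows shell link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_SIGNATURE = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def classify_member(name: str, content: bytes) -> list[str]:
    """Return the reasons a single archive member looks like a lure (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in LURE_EXTENSIONS:
        reasons.append(f"script or shortcut member ({ext})")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and ext in LURE_EXTENSIONS:
        reasons.append("double extension disguised as a document")
    if content.startswith(LNK_SIGNATURE) and ext != ".lnk":
        reasons.append("LNK header under a non-.lnk extension")
    return reasons


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a ZIP attachment to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the first 32 bytes: enough for the signature check,
            # and it avoids inflating a large or decompression-bomb member.
            with zf.open(info) as fh:
                head = fh.read(32)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample attachment for the demo (not a real SideWinder artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Meeting_Minutes.docx.lnk", LNK_SIGNATURE + b"\x00" * 60)
        zf.writestr("agenda.html", b"<html><body>Agenda</body></html>")
        zf.writestr("budget.pdf", LNK_SIGNATURE + b"\x00" * 60)  # LNK mislabeled as PDF
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_archive(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Reading only the first few bytes of each member keeps the check cheap and safe to run on every inbound archive; the content check matters because a renamed shortcut still opens as a shortcut on Windows, so extension filtering alone is not sufficient.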
To mitigate threats associated with APT activities, Kaspersky experts advise equipping your organization’s information security personnel with the latest insights and technical information, such as from the Kaspersky Threat Intelligence Portal. Deploy robust endpoint protection and network-level detection of advanced threats, such as Kaspersky Next and Kaspersky Anti Targeted Attack Platform. Additionally, educate employees to recognize cybersecurity threats like phishing emails.