Sidewinder
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]
Associated Group Descriptions
| Name | Description |
|---|---|
| T-APT-04 | |
| Rattlesnake |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Sidewinder has used HTTP in C2 communications.[1][4][5] |
| Enterprise | T1119 | Automated Collection |
Sidewinder has used tools to automatically collect system and network configuration information.[1] |
|
| Enterprise | T1020 | Automated Exfiltration |
Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[1] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Sidewinder has added paths to executables in the Registry to establish persistence.[4][5][3] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Sidewinder has used PowerShell to drop and execute malware loaders.[1] |
| .005 | Command and Scripting Interpreter: Visual Basic |
Sidewinder has used VBScript to drop and execute malware loaders.[1] |
||
| .007 | Command and Scripting Interpreter: JavaScript |
Sidewinder has used JavaScript to drop and execute malware loaders.[1][5] |
||
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[1] |
| Enterprise | T1203 | Exploitation for Client Execution |
Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.[1][3] |
|
| Enterprise | T1083 | File and Directory Discovery |
Sidewinder has used malware to collect information on files and directories.[1] |
|
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Sidewinder has used LNK files to download remote files to the victim's network.[1][3] |
|
| Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.[4][5] |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Sidewinder has named malicious files |
| Enterprise | T1027 | Obfuscated Files or Information |
Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.[1][4][3] |
|
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.[1] |
| .002 | Phishing: Spearphishing Link |
Sidewinder has sent e-mails with malicious links often crafted for specific targets.[1][3] |
||
| Enterprise | T1598 | .002 | Phishing for Information: Spearphishing Attachment |
Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[1][4][3] |
| .003 | Phishing for Information: Spearphishing Link |
Sidewinder has sent e-mails with malicious links to credential harvesting websites.[1] |
||
| Enterprise | T1057 | Process Discovery |
Sidewinder has used tools to identify running processes on the victim's machine.[1] |
|
| Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta |
Sidewinder has used |
| Enterprise | T1518 | Software Discovery |
Sidewinder has used tools to enumerate software installed on an infected host.[1][4] |
|
| .001 | Security Software Discovery |
Sidewinder has used the Windows service |
||
| Enterprise | T1082 | System Information Discovery |
Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.[1][5] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Sidewinder has used malware to collect information on network interfaces, including the MAC address.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
Sidewinder has used tools to identify the user of a compromised host.[1] |
|
| Enterprise | T1124 | System Time Discovery |
Sidewinder has used tools to obtain the current system time.[1] |
|
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[1][4][5][3] |
| .002 | User Execution: Malicious File |
Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[1][4][5][3] |
||
Software
References
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Global Research and Analysis Team . (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.