Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]

ID: G0121
Associated Groups: T-APT-04, Rattlesnake
Contributors: Lacework Labs; Daniyal Naeem, BT Security
Version: 1.2
Created: 27 January 2021
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description
T-APT-04 [3]
Rattlesnake [3]

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.[4]

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[1][5][3]

.003 Phishing for Information: Spearphishing Link

Sidewinder has sent e-mails with malicious links to credential harvesting websites.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sidewinder has added paths to executables in the Registry to establish persistence.[5][4][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sidewinder has used PowerShell to drop and execute malware loaders.[1]

.005 Command and Scripting Interpreter: Visual Basic

Sidewinder has used VBScript to drop and execute malware loaders.[1]

.007 Command and Scripting Interpreter: JavaScript

Sidewinder has used JavaScript to drop and execute malware loaders.[1][4]

Enterprise T1203 Exploitation for Client Execution

Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.[1][3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sidewinder has used HTTP in C2 communications.[1][5][4]

Enterprise T1074 .001 Data Staged: Local Data Staging

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[1]

Enterprise T1083 File and Directory Discovery

Sidewinder has used malware to collect information on files and directories.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Sidewinder has used base64 encoding for scripts.[1][5]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[1][5][3]

Enterprise T1204 .001 User Execution: Malicious Link

Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[1][5][4][3]

.002 User Execution: Malicious File

Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[1][5][4][3]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sidewinder has used mshta.exe to execute malicious payloads.[5][4]

Enterprise T1082 System Information Discovery

Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.[1][4]

Enterprise T1033 System Owner/User Discovery

Sidewinder has used tools to identify the user of a compromised host.[1]

Enterprise T1124 System Time Discovery

Sidewinder has used tools to obtain the current system time.[1]

Enterprise T1016 System Network Configuration Discovery

Sidewinder has used malware to collect information on network interfaces, including the MAC address.[1]

Enterprise T1119 Automated Collection

Sidewinder has used tools to automatically collect system and network configuration information.[1]

Enterprise T1020 Automated Exfiltration

Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[1]

Enterprise T1518 Software Discovery

Sidewinder has used tools to enumerate software installed on an infected host.[1][5]

.001 Security Software Discovery

Sidewinder has used the Windows service winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.[5]

Enterprise T1105 Ingress Tool Transfer

Sidewinder has used LNK files to download remote files to the victim's network.[1][3]

Enterprise T1057 Process Discovery

Sidewinder has used tools to identify running processes on the victim's machine.[1]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.[5][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.[1]

.002 Phishing: Spearphishing Link

Sidewinder has sent e-mails with malicious links often crafted for specific targets.[1][3]

Software

References