The nation-state menace actor often called SideWinder has been attributed to a brand new cyber espionage marketing campaign concentrating on ports and maritime amenities within the Indian Ocean and Mediterranean Sea.
The BlackBerry Analysis and Intelligence Crew, which found the exercise, stated targets of the spear-phishing marketing campaign embody international locations like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which can be identified by the names APT-C-17, Child Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, usually making use of spear-phishing as a vector to ship malicious payloads that set off the assault chains.
“SideWinder makes use of electronic mail spear-phishing, doc exploitation and DLL side-loading methods in an try to keep away from detection and ship focused implants,” the Canadian cybersecurity firm stated in an evaluation revealed final week.
The most recent set of assaults make use of lures associated to sexual harassment, worker termination, and wage cuts to be able to negatively affect the recipients’ emotional state and trick them into opening booby-trapped Microsoft Phrase paperwork.
As soon as the decoy file is opened, it leverages a identified security flaw (CVE-2017-0199) to ascertain contact with a malicious area that masquerades as Pakistan’s Directorate Common Ports and Transport (“reviews.dgps-govtpk[.]com”) to retrieve an RTF file.
The RTF doc, in flip, downloads a doc that exploits CVE-2017-11882, one other years-old security vulnerability within the Microsoft Workplace Equation Editor, with the objective of executing shellcode that is liable for launching JavaScript code, however solely after making certain that the compromised system is professional and is of curiosity to the menace actor.
It is at present not identified what’s delivered by the use of the JavaScript malware, though the top objective is more likely to be intelligence gathering primarily based on prior campaigns mounted by SideWinder.
“The SideWinder menace actor continues to enhance its infrastructure for concentrating on victims in new areas,” BlackBerry stated. “The regular evolution of its community infrastructure and supply payloads means that SideWinder will proceed its assaults within the foreseeable future.”
