It’s one of the more prolific yet lesser-known nation-state hacking groups in the world, and it’s not out of China or Russia. The so-called SideWinder (aka Rattlesnake or T-APT4) group has been on a tear over the past two years, launching more than 1,000 targeted attacks.
Noushin Shabab, senior security researcher with Kaspersky, has been tracking SideWinder since 2017 and will share her latest findings on this cyber-espionage team at Black Hat Europe in Singapore this month.
“They have been very persistent in their attacks in terms of targeting specific victims over and over, with new malware and newly registered domains,” Shabab says. “So even if the target has suspected that a previous attempt had malicious intentions — like with spear-phishing emails and so on — the threat actor has tried to use a new infection vector and use a new domain to try their luck, over and over.”
SideWinder also has upped its game when it comes to hiding its tracks and deflecting detection — as well as in thwarting researchers. The threat group now executes a more complex attack chain that uses multiple layers of malware, additional obfuscation, and memory-resident malware that leaves no evidence of its presence on disk, she says. Although other well-oiled and advanced threat groups also continue to add new methods of camouflaging their activity, Shabab says, SideWinder stands apart for her with its dogged persistence and high volume of activity.
“I think what truly makes them stand out among other APT [advanced persistent threat] actors is the large toolset they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure,” she says. “I haven’t seen 1,000 attacks from a single APT” from another group thus far, she adds.
Shabab has tracked SideWinder’s activity since April 2020, but Kaspersky first reported on SideWinder in January 2018 and believes it’s been around since at least 2012. The security firm traditionally avoids attributing threat actors to specific nation-states, but Shabab says her firm’s initial research into SideWinder showed the group is tied to an India-based company that was advertising malware analysis and penetration testing services on its website.
“We found some context between that company and that threat actor,” she says. However, she notes that “over the years, [SideWinder] attribution became more challenging.”
SideWinder mostly targets military and law enforcement entities in Central and South Asia, but it has also hit foreign affairs, defense, aviation, IT, and legal organizations in Asia. Pakistan and Sri Lanka are its main focus of late, according to Kaspersky’s research, and it has recently targeted government and related organizations in Afghanistan, China, and Nepal, according to previous research from Trend Micro and from Anomali.
Kaspersky also follows another cyber-spying threat group, dubbed SideCopy, that copies SideWinder’s tactics and techniques on occasion, often pivoting to the newest infection vector SideWinder has adopted. Unlike some other security research teams, Kaspersky considers SideCopy separate from SideWinder. It has seen SideCopy target organizations mainly in India and Afghanistan.
No Zero-Days Required
SideWinder’s main initial attack vector consists of sending convincing-looking spear-phishing emails with malware-rigged document attachments to its carefully curated targets. The hacking group doesn’t deploy any zero-day exploits, but instead mostly weaponizes known Windows or Android vulnerabilities, including old Microsoft Office flaws, according to Shabab.
That said, in January 2020, researchers at Trend Micro revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability in Android (CVE-2019-2215) that affected hundreds of millions of phones at the time it was disclosed.
SideWinder often switches gears if its first attempts don’t infect its victims. Shabab has seen the APT abuse the Windows file shortcut feature to mask the malware, for example.
“The interesting thing is we have seen them be quite careful and innovative in the way they approach victims,” she says.
On at least two occasions, she says, SideWinder sent apparently empty document attachments with the spear-phishing emails. The document appeared blank, but it carried a malicious payload. “After a short while, they send a letter [in an email] that apologizes for the empty document they had sent earlier. But that second email had a different malicious payload inside the document,” she says. “They were trying everything to make sure they get a foothold into the victim’s system.”
SideWinder also swaps domains regularly for its command-and-control servers as well as for its download servers. That’s mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.
Kaspersky’s research shows that SideWinder mainly targets Windows for now, but it did find some malicious mobile apps last year when the firm investigated the group’s infrastructure domains and servers.
“But looking at their large attack infrastructure and large malware family sets they have for Windows, it doesn’t seem mobile is their main focus,” Shabab says.
Black Hat Talk
Shabab will share technical details in her session at Black Hat Asia next week, entitled “SideWinder Uncoils to Strike.” Those will include how the group has evolved the obfuscation methods it uses to hide its malware and fold it into multistage infection chains. She says that investigating SideWinder’s attack methods required her to decrypt several layers of encryption and thousands of obfuscated scripts. And “for each one, the decryption key was different,” she says.
Shabab plans to provide recommendations on how to use SideWinder indicators of compromise, along with specific advice on defending against this APT group. Because the group mostly achieves initial infection via known vulnerabilities and legitimate features of Windows and applications such as Microsoft Office, patching and the usual security best practices are key. That means hardening applications with whitelisting or firewall rules, which can help stop the download of additional malware modules from SideWinder’s servers, she says.
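Two of the behaviors the article describes are easy to turn into detection logic: the group retries the same target with a new document (and a new domain) when the first lure fails, and it rotates its command-and-control and download domains. The script below is an added example, not code from the article or from Kaspersky. It runs over constructed mail-gateway and proxy records, flags senders who deliver several different document or shortcut attachments to one recipient inside a short window, and matches proxy destinations against an IoC domain list including subdomains. All domains, hashes, hosts and addresses in it are placeholders invented for the example, not real SideWinder indicators.

```python
"""
Added example (not from the article or Kaspersky): detection logic over
constructed mail-gateway and proxy log records.

  1. A sender that delivers several *different* Office/shortcut attachments
     to the same recipient within a few hours matches the "try again with a
     new document" behavior the article describes.
  2. Requests to IoC domains are matched as a set, including subdomains,
     and tied back to the host that made them.

Every domain, hash, host and address here is a made-up placeholder.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC list; real indicators would come from a vendor report.
IOC_DOMAINS = {"update-cdn.example.invalid", "mail-sync.example.invalid"}

# Attachment types the article associates with the lures: Office documents
# and Windows shortcut files.
SUSPECT_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".lnk"}

# Constructed mail-gateway records:
# (timestamp, sender, recipient, attachment name, attachment sha256 placeholder)
MAIL_LOG = [
    ("2021-04-01T08:02:11", "hr@partner.example.invalid", "analyst@target.example.invalid", "agenda.docx", "aaa1"),
    ("2021-04-01T09:30:45", "hr@partner.example.invalid", "analyst@target.example.invalid", "agenda_fixed.docx", "bbb2"),
    ("2021-04-01T11:15:02", "hr@partner.example.invalid", "analyst@target.example.invalid", "agenda.lnk", "ccc3"),
    ("2021-04-01T12:00:00", "newsletter@vendor.example.invalid", "analyst@target.example.invalid", "brochure.pdf", "ddd4"),
]

# Constructed proxy records: (timestamp, host, destination domain)
PROXY_LOG = [
    ("2021-04-01T09:40:00", "ws-analyst-01", "cdn.update-cdn.example.invalid"),
    ("2021-04-01T09:41:00", "ws-analyst-01", "www.microsoft.com"),
    ("2021-04-01T13:00:00", "ws-finance-07", "mail-sync.example.invalid"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def domain_matches_ioc(domain, iocs=IOC_DOMAINS):
    """True if `domain` equals an IoC domain or is a subdomain of one.

    Matching on whole labels avoids false hits such as
    'notupdate-cdn.example.invalid' that a plain endswith() would produce.
    """
    domain = domain.lower().rstrip(".")
    for ioc in iocs:
        ioc = ioc.lower()
        if domain == ioc or domain.endswith("." + ioc):
            return True
    return False


def proxy_hits(log=PROXY_LOG, iocs=IOC_DOMAINS):
    """Return every (timestamp, host, domain) record that reached an IoC domain."""
    return [rec for rec in log if domain_matches_ioc(rec[2], iocs)]


def repeated_lure_senders(log=MAIL_LOG, window=timedelta(hours=6), min_distinct=2):
    """Return {(sender, recipient): sorted hashes} for pairs where the sender
    delivered at least `min_distinct` distinct suspect attachments inside `window`."""
    by_pair = defaultdict(list)
    for ts, sender, rcpt, name, digest in log:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SUSPECT_EXTENSIONS:
            by_pair[(sender, rcpt)].append((_ts(ts), digest))
    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        # Sliding window: for each start event, count distinct hashes that follow within `window`.
        for i, (t0, _) in enumerate(events):
            digests = {d for t, d in events[i:] if t - t0 <= window}
            if len(digests) >= min_distinct:
                flagged[pair] = sorted(digests)
                break
    return flagged


if __name__ == "__main__":
    for pair, digests in repeated_lure_senders().items():
        print("repeated lures:", pair, digests)
    for ts, host, dom in proxy_hits():
        print("IoC hit:", ts, host, dom)
```

The attachment-hash check is deliberately independent of any IoC list, since the article notes that the group registers new domains and ships new documents for each retry; the domain match catches what a vendor has already published, while the repeat-sender rule catches the retry pattern itself.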
“It’s not very difficult to stop the attack” initially, she says. But if SideWinder gets past that first hurdle and infects the machine in the first phase of the attack, eradicating the attack gets exponentially harder. She adds: “They have lots of techniques to stay undetected longer and stay persistent.”