SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka. Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.
SideWinder, a threat actor notorious for phishing assaults targeting Pakistani public and private sector organisations, has added a new unique tool to its malware arsenal. “The gang’s principal attack vectors are phishing URLs in emails or postings that resemble genuine announcements and services of government agencies and organisations in Pakistan,” Group-IB, a Singapore-based cybersecurity firm, stated in a Wednesday report.
The threat actor’s modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server. This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government portals to harvest user credentials.
Of special mention is a phishing link that downloads a VPN application called Secure VPN (“com.securedata.vpn”) from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app (“com.securevpn.securevpn”). While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.
The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains. Should a user, whose client’s IP address differs from Pakistan’s, click on the link, the AntiBot script redirects to an authentic document located on a legitimate server, indicating an attempt to geofence its targets. “The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource,” the researchers said.
In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information. Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.