Summary:
The SideWinder APT group, active since 2012, has targeted military and government entities in Asia. Recent analysis revealed a significant number of indicators of compromise (IoCs), including domains and IP addresses linked to malicious activities. The findings highlight the group’s extensive operational footprint and the need for ongoing vigilance against such threats.
#SideWinderAPT #ThreatIntelligence #CyberThreats
The SideWinder APT group, active since 2012, has targeted military and government entities in Asia. Recent analysis revealed a significant number of indicators of compromise (IoCs), including domains and IP addresses linked to malicious activities. The findings highlight the group’s extensive operational footprint and the need for ongoing vigilance against such threats.
#SideWinderAPT #ThreatIntelligence #CyberThreats
Keypoints:
- SideWinder, also known as T-APT-04 or RattleSnake, has been active since 2012.
- The group primarily targets military and government entities in Asia.
- Recent analysis identified 100 domain names as indicators of compromise (IoCs).
- 83 of the 100 domains had current WHOIS record details.
- Majority of the domain IoCs were registered in the U.S. and Iceland.
- 22 IP addresses were linked to the IoCs, with 20 identified as malicious.
- 55 of the domain IoCs did not have active resolutions.
- Historical analysis showed 81 domain IoCs resolved to 563 IP addresses over time.
- Research revealed 45 email addresses connected to the IoCs.
- Threat Intelligence API indicated various threats associated with the identified IP addresses.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Credential Dumping (T1003): Extracts account login and credential information from operating systems and software.
- Data Encrypted for Impact (T1486): Encrypts data to disrupt access to information and services.
- Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services to gain unauthorized access.
- Phishing (T1566): Uses deceptive emails to trick users into revealing sensitive information or downloading malware.
IoC:
- [domain] alit[.]live
- [domain] hostinger.com
- [domain] namecheap.com
- [domain] namesilo.com
- [domain] alibabacloud.com
- [domain] hostingconcepts.com
- [domain] gmo.jp
- [domain] pdr.com
- [ip address] 13.248.252.114
- [ip address] 172.67.208.176
- [ip address] 23.235.163.147
- [ip address] 43.240.239.76
- [ip address] 45.86.229.7
Full Research: https://circleid.com/posts/exploring-the-sidewinder-apt-groups-dns-footprint