FOCUS MODE
EXTRACT IOC
Threat Research

SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset

Picussecurity
SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset
SideWinder, also known as Rattlesnake or T-APT-04, is an advanced persistent threat group from India that has expanded its operations to target maritime and nuclear sectors across Asia, the Middle East, and Africa since 2012. Known for quickly adapting to security measures, SideWinder employs various tactics, techniques, and procedures (TTPs) to execute sophisticated cyber-attacks, primarily through phishing and malware. Affected: government, military, maritime sector, nuclear power plants, logistics sector.

Keypoints :

  • SideWinder is an APT group operational since at least 2012, originating from India.
  • Initially focused on government and military sectors, the group has recently targeted maritime and nuclear sectors.
  • The group uses advanced phishing techniques to compromise its targets, often employing malicious Office documents.
  • Utilizes multi-stage malware delivery, including techniques like DLL side-loading for backdoor installation.
  • Has a sophisticated post-exploitation toolkit known as StealerBot for data collection and exfiltration.
  • Regularly modifies its tools and techniques to evade detection by security measures.
  • Emphasizes credential theft for lateral movement within networks.
  • Adopts communication over encrypted channels to prevent detection during Command & Control operations.
  • Employs advanced strategies for defense evasion and privilege escalation.
  • Recommends layered defense strategies, including endpoint detection and ongoing security control validation.

MITRE Techniques :

  • Initial Access: Phishing: Spear-Phishing Attachments (T1566.001) – Targeted phishing emails with malicious attachments.
  • Initial Access: Remote Template Injection (T1221) – Exploitation via malicious Microsoft Office documents pulling external templates.
  • Execution: User Execution (T1204) – Victims are tricked into opening malicious attachments.
  • Execution: Signed Binary Proxy Execution (T1218) – Leveraging mshta.exe to execute hidden scripts.
  • Persistence: DLL Side-Loading (T1574.002) – Custom backdoor installation using malicious DLL alongside legitimate applications.
  • Defense Evasion: Obfuscation (T1027) – Extensive obfuscation of payloads to complicate analysis and detection.
  • Privilege Escalation: User Account Control Bypass (T1548.002) – Circumventing UAC for elevated privileges.
  • Lateral Movement: Valid Accounts (T1078) – Utilizing stolen credentials for lateral network movement.
  • Command and Control: Application Layer Protocol (T1071.001) – Using HTTP(S) for C2 communication.
  • Exfiltration: Exfiltration Over Command and Control Channel (T1041) – Data is collected and exfiltrated through encrypted C2 channels.

Indicator of Compromise :

  • [Domain] pmd-office[.]info
  • [Domain] modpak[.]info
  • [Filename] jetCfg.dll
  • [Filename] winmm.dll
  • [Filename] policymanager.dll

Full Story: https://www.picussecurity.com/resource/blog/sidewinder-threat-group

Tags: CVE, PERSISTENCE, EXPLOIT, LATERAL MOVEMENT, GOVERNMENT, COLLECTION, APT, BACKDOOR