| Category | Details |
|---|---|
| Threat Actors | SideWinder (also T-APT-04, RattleSnake) |
| Campaign Overview | Prolific APT group active since 2012, targeting military and government entities in South/Southeast Asia, expanding to the Middle East and Africa. |
| Target Regions (Victims) | Pakistan, Sri Lanka, China, Nepal, Middle East, Africa |
| Methodology | Spear-phishing emails with attachments (DOCX, XLSX, ZIP) containing malicious LNK files, exploiting CVE-2017-11882 in RTF files, and using various downloaders and remote template injection. |
| Product Targeted | Microsoft Office (CVE-2017-11882), .NET applications |
| Malware Reference | StealerBot (espionage tool), App.dll (downloader), ModuleInstaller (backdoor loader) |
| Tools Used | LNK files, JavaScript, .NET, MSHTA.exe, ActiveXObject, App.dll, ModuleInstaller |
| Vulnerabilities Exploited | CVE-2017-11882 (Microsoft Office RTF vulnerability) |
| TTPs | Spear-phishing, LNK files, RTF exploits, downloader modules, Base64 encoding, XOR encryption, C2 servers |
| Attribution | SideWinder (T-APT-04, RattleSnake) |
| Recommendations | Use security solutions to detect LNK and RTF file exploits, block untrusted macros, apply security patches, monitor unusual network activity. |
| Source | Securelist by Kaspersky |
Read full article: https://securelist.com/sidewinder-apt/114089/
The above summary has been generated by an AI language model