SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

Category	Details
Threat Actors	SideWinder (a.k.a. Razor Tiger, Rattlesnake, T-APT-04), active since 2012, originating from India.
Campaign Overview	Espionage-focused campaign targeting maritime organizations in the Indian Ocean and Mediterranean Sea using upgraded infrastructure and tactics.
Target Regions (Or Victims)	Maritime facilities in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, Maldives.
Methodology	Spear-phishing emails with malicious documents, remote template injection (CVE-2017-0199), and second-stage RTF payload exploiting CVE-2017-11882.
Product Targeted	Microsoft Office (via outdated versions vulnerable to CVE-2017-0199 and CVE-2017-11882).
Malware Reference	Shellcode with obfuscated JavaScript in RTF files; final stage undetected JavaScript payload.
Tools Used	Malicious documents, phishing domains, obfuscated JavaScript, Tor for C2 obfuscation.
Vulnerabilities Exploited	CVE-2017-0199 (remote template injection in Microsoft Office), CVE-2017-11882 (RTF payloads).
TTPs	Visual bait (phishing lures with official logos, emotional triggers like “salary cut” notices), spear-phishing, use of geofencing in C2, DNS obfuscation, and real/virtual machine detection via shellcode.
Attribution	SideWinder attributed to Indian state actors based on infrastructure, historical activity, and targeting.
Recommendations	– Patch systems for CVE-2017-0199 and CVE-2017-11882. – Train employees on phishing awareness. – Use advanced email filtering and endpoint detection (e.g., CylanceENDPOINT). – Subscribe to threat intelligence feeds.
Source	BlackBerry Blog

Read full article: https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea

The above summary has been generated by an AI language model