| Category | Details |
|---|---|
| Threat Actors | SideWinder (a.k.a. Razor Tiger, Rattlesnake, T-APT-04), active since 2012, originating from India. |
| Campaign Overview | Espionage-focused campaign targeting maritime organizations in the Indian Ocean and Mediterranean Sea using upgraded infrastructure and tactics. |
| Target Regions (Or Victims) | Maritime facilities in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, Maldives. |
| Methodology | Spear-phishing emails with malicious documents, remote template injection (CVE-2017-0199), and second-stage RTF payload exploiting CVE-2017-11882. |
| Product Targeted | Microsoft Office (via outdated versions vulnerable to CVE-2017-0199 and CVE-2017-11882). |
| Malware Reference | RTF files carrying shellcode that loads obfuscated JavaScript; the final-stage JavaScript payload was undetected at the time of the report. |
| Tools Used | Malicious documents, phishing domains, obfuscated JavaScript, Tor for C2 obfuscation. |
| Vulnerabilities Exploited | CVE-2017-0199 (remote template injection in Microsoft Office), CVE-2017-11882 (RTF payloads). |
| TTPs | Visual bait (phishing lures with official logos, emotional triggers like “salary cut” notices), spear-phishing, use of geofencing in C2, DNS obfuscation, and real/virtual machine detection via shellcode. |
| Attribution | SideWinder attributed to Indian state actors based on infrastructure, historical activity, and targeting. |
| Recommendations | Patch systems for CVE-2017-0199 and CVE-2017-11882; train employees on phishing awareness; use advanced email filtering and endpoint detection (e.g., CylanceENDPOINT); subscribe to threat intelligence feeds. |
| Source | BlackBerry Blog |
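A defender-side check for the remote template injection step (CVE-2017-0199) listed under Methodology, added here as an example and not taken from the BlackBerry report. It assumes the lure is an OOXML `.docx` and inspects `word/_rels/settings.xml.rels` for an external `attachedTemplate` relationship, which is the part a remote-template lure relies on; the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached template, and the part it lives in.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def remote_templates(docx_bytes: bytes) -> list:
    """Return the external attachedTemplate targets in a .docx (empty if none).

    A template fetched over http(s) from an unknown host is the classic
    CVE-2017-0199 lure; a file:// or UNC target may be a legitimate corporate
    template, so triage the returned targets rather than blocking blindly.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(NS + "Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target=None) -> bytes:
    """Construct a minimal .docx (sample data, not a real lure) for testing."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(SETTINGS_RELS, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder host; a real triage would read the file from disk.
    sample = build_sample_docx("http://template-host.invalid/letter.dotm")
    print("external templates:", remote_templates(sample))
```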
Read full article: https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea
The above summary has been generated by an AI language model