| Category | Details |
|---|---|
| Threat Actors | SideWinder APT (aka Rattlesnake, T-APT4), suspected Indian group active since 2012. |
| Campaign Overview | Campaign delivering the WarHawk backdoor to Pakistani targets: the ISO lure was staged on a compromised legitimate web server, and WarHawk in turn deployed Cobalt Strike payloads. |
| Target Regions | Pakistan (Government and military sectors). |
| Methodology | ISO files containing LNK files, decoy PDFs, and malicious binaries hosted on legitimate compromised websites. |
| Product Targeted | Windows systems. |
| Malware Reference | WarHawk backdoor (newly documented); earlier samples were dropped as RtlAudioDriver.exe, later ones as MsBuild.exe (a filename borrowed from the legitimate .NET build tool). |
| Tools Used | WarHawk backdoor modules; Cobalt Strike; custom Cobalt Strike loader that uses KernelCallbackTable injection. |
| Vulnerabilities Exploited | No software vulnerability reported; initial access relied on user execution of the LNK, with the malware hosted on a compromised legitimate site (nepra.org.pk, Pakistan's National Electric Power Regulatory Authority). |
| TTPs | ISO containing a LNK that launches the backdoor while opening a decoy PDF to distract the victim; KernelCallbackTable injection in the Cobalt Strike loader; time zone validation, i.e. the backdoor checks that the host is set to Pakistan Standard Time before proceeding (a detonation sandbox in another time zone will not observe the payload); modular backdoor with Download & Execute, Command Execution, File Management and Exfiltration modules. |
| Attribution | Network infrastructure reuse linked to SideWinder APT. |
| Recommendations | Monitor for ISO files delivered to users and for LNK files executed from mounted ISO volumes; ingest threat intelligence on SideWinder infrastructure; harden and monitor public web servers so they cannot be abused to stage malware; tune endpoint detection for process-injection techniques such as KernelCallbackTable injection and for Cobalt Strike Beacon behaviour. |
| Source | Zscaler |
Read full article: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group
The above summary has been generated by an AI language model