Indian APT Targeting Mediterranean Ports and Maritime Facilities


An India-aligned nation-state threat actor has been targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea in recent attacks, BlackBerry reports.

The advanced persistent threat (APT) actor, tracked as SideWinder, Rattlesnake, and Razor Tiger, has been active since at least 2012, mainly targeting government, military, and businesses in Pakistan, Afghanistan, China, and Nepal, for cyberespionage.

Over the past year, the group was seen updating its infrastructure and adopting new tactics and techniques in new attacks focusing on entities in Pakistan, Egypt, and Sri Lanka, with additional targets in Bangladesh, Myanmar, Nepal, and the Maldives.

Continuing SideWinder’s focus on espionage and intelligence gathering, the attacks employed malicious documents delivered via spear-phishing emails and relied on DLL side-loading to implant malware.

The malicious documents used in these attacks were carefully tailored to appear as if originating from organizations known to the intended targets, such as the Port of Alexandria in the Mediterranean Sea and the Port Authority of the Red Sea.

“During our research, we detected a total of three visual decoys used by the threat actor. Visual decoys may not in themselves be malicious; their primary purpose is to distract the victim from realizing they are being compromised,” BlackBerry notes.

SideWinder used titles meant to evoke strong emotions, such as fear and anxiety, to lure the target into immediately opening the document and distract them from the malicious activity taking place in the background.

The malicious documents targeted CVE-2017-0199, a widely exploited remote code execution vulnerability in Microsoft Office's handling of linked OLE objects that needs no macros and no user interaction beyond opening the file. Each document contained a URL in plain text pointing to an attacker-controlled site; when the victim opens the document, Office follows that URL to fetch the next stage.


The fetched next stage is a rich text format (RTF) file that exploits a second known Office vulnerability, CVE-2017-11882 in the Equation Editor component, to execute shellcode on the system.

The shellcode performs a series of checks to determine if it runs in a virtual environment, and then decrypts and runs JavaScript code meant to load the next stage from a remote server.
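Both stages of the chain described above leave recognisable marks inside the document: a `\objdata` blob whose OLE1 header names `OLE2Link` or carries the URL moniker CLSID (the CVE-2017-0199 pattern, usually paired with `\objupdate` so the link is refreshed on open), a blob naming `Equation.3` or carrying the Equation Editor CLSID (the CVE-2017-11882 pattern), and a stage-two URL stored either as plain text or as UTF-16 inside the object. The triage script below is an added example for this article, not BlackBerry's tooling or anything recovered from the SideWinder samples; the two RTF inputs are constructed, the domains are placeholders, and the `\objdata` payloads are minimal OLE1 headers rather than working exploits.

```python
"""Triage RTF documents for the OLE indicators behind CVE-2017-0199 and
CVE-2017-11882 and pull out any embedded URLs for blocking.

Added example (not from the original article). Samples are constructed;
example.invalid domains are placeholders and the objdata blobs are not exploits.
"""
import binascii
import re
import uuid

# On-disk GUIDs use the mixed little-endian layout that uuid.bytes_le produces.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le

# Hex payload after \objdata, tolerating the whitespace/newlines RTF writers insert.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+")


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex text of an \\objdata group back into bytes."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:  # truncated or obfuscated hex: drop the dangling nibble
        clean = clean[:-1]
    return binascii.unhexlify(clean)


def ole1_class_name(blob: bytes):
    """Read the class name from an OLE1 ObjectHeader: version(4) format(4) len(4) name."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("ascii", errors="replace")


def triage_rtf(rtf: bytes) -> dict:
    """Return OLE class names, exploit indicators and URLs found in an RTF."""
    classes, indicators, urls = [], set(), set()
    if b"\\objupdate" in rtf:  # forces the linked object to refresh on open
        indicators.add("objupdate")
    urls.update(u.decode("ascii", "replace") for u in URL_RE.findall(rtf))
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(m.group(1))
        cls = ole1_class_name(blob)
        if cls:
            classes.append(cls)
        if (cls or "").lower().startswith("equation") or EQUATION_EDITOR_CLSID in blob:
            indicators.add("CVE-2017-11882-equation-editor")
        if cls == "OLE2Link" or URL_MONIKER_CLSID in blob:
            indicators.add("CVE-2017-0199-url-moniker")
        # Monikers store the target as UTF-16LE; dropping NULs exposes an ASCII URL
        # to the same regex without a full moniker parser.
        for hay in (blob, blob.replace(b"\x00", b"")):
            urls.update(u.decode("ascii", "replace") for u in URL_RE.findall(hay))
    return {"ole_classes": classes, "indicators": sorted(indicators), "urls": sorted(urls)}


def _hex(b: bytes) -> bytes:
    return binascii.hexlify(b)


# Constructed sample 1: Equation Editor object plus a plaintext lure URL.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"Urgent notice, see http://lure.example.invalid/next-stage.rtf\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata \n"
    b"01050000 02000000 0b000000 4571756174696f6e2e3300\n"
    b"02ce020000000000c000000000000046\n"
    b"}}\n"
    b"}"
)

# Constructed sample 2: OLE2Link object with a URL moniker and auto-update.
SAMPLE_RTF_0199 = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}{\\*\\objdata "
    + _hex(b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00")
    + b"\n" + _hex(URL_MONIKER_CLSID)
    + _hex("http://c2.example.invalid/stage2.rtf".encode("utf-16-le"))
    + b"}}}"
)

if __name__ == "__main__":
    import json
    for name, sample in (("equation", SAMPLE_RTF), ("ole2link", SAMPLE_RTF_0199)):
        print(name, json.dumps(triage_rtf(sample), indent=2))
```

The class-name and CLSID checks are deliberately redundant: attackers routinely rename the `\objclass` and pad or split the hex, so matching on the decoded OLE1 header and on the raw GUID bytes catches variants that a string search on the RTF text misses. Control-word obfuscation that breaks the hex run (for example `\bin` or junk keywords inside the blob) still defeats this regex, so treat a clean result as a first pass, not a verdict.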

BlackBerry’s analysis revealed that the threat actor has been using an old Tor node for the second-stage command-and-control (C&C) server, while continuing to rely on a known SideWinder domain naming structure.

“We haven’t yet observed any samples of the JavaScript delivered in the last stage of the attack. However, based on SideWinder’s prior campaigns, we believe that the goal of this campaign is espionage and intelligence gathering,” BlackBerry notes.

Related: Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns

Related: How Next-Gen Threats Are Taking a Page From APTs

Related: Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services

Related: Sophisticated ‘Dark Pink’ APT Targets Government, Military Organizations
