An India-aligned nation-state threat actor has been targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea in recent attacks, BlackBerry reports.
The advanced persistent threat (APT) actor, tracked as SideWinder, Rattlesnake, and Razor Tiger, has been active since at least 2012, mainly targeting government, military, and businesses in Pakistan, Afghanistan, China, and Nepal, for cyberespionage.
Over the past year, the group was seen updating its infrastructure and adopting new tactics and techniques in new attacks focusing on entities in Pakistan, Egypt, and Sri Lanka, with additional targets in Bangladesh, Myanmar, Nepal, and the Maldives.
Continuing SideWinder’s focus on espionage and intelligence gathering, the attacks employed malicious documents delivered via spear-phishing emails and relied on DLL side-loading to implant malware.
The malicious documents used in these attacks were carefully tailored to appear as if originating from organizations known to the intended targets, such as the Port of Alexandria in the Mediterranean Sea and the Port Authority of the Red Sea.
“During our research, we detected a total of three visual decoys used by the threat actor. Visual decoys may not in themselves be malicious; their primary purpose is to distract the victim from realizing they are being compromised,” BlackBerry notes.
SideWinder used titles meant to evoke strong emotions, such as fear and anxiety, to lure the target into immediately opening the document and distract them from the malicious activity taking place in the background.
The malicious documents, which targeted a widely exploited remote code execution vulnerability (CVE-2017-0199) in Microsoft Office, contained a URL in plain text pointing to an attacker-controlled site. Once the victim opens the document, the URL is accessed to fetch the next stage.
At the next step, a rich text format (RTF) file fetches a document that exploits another known vulnerability in Office (CVE-2017-11882) to execute shellcode on the system.
The shellcode performs a series of checks to determine if it runs in a virtual environment, and then decrypts and runs JavaScript code meant to load the next stage from a remote server.
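The first stage described above hinges on an Office document that carries a plain-text URL to an attacker-controlled host. One defensive check a mail gateway or triage script can run is to open the .docx package (it is a ZIP of XML parts) and list every relationship marked `TargetMode="External"` whose target is an http(s) URL, rating OLE-object and attached-template references higher than ordinary hyperlinks. The Python below is an added example, not BlackBerry's or SideWinder's code; the minimal sample document it scans is constructed inline and the `example.invalid` URLs are placeholders.

```python
"""Added example: scan an OOXML (.docx) package for relationships that point
at external http(s) URLs, the plain-text remote reference the article
describes.  Not BlackBerry's code; the sample document is constructed inline
and the hosts are placeholders."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that fetch content as soon as the document is opened
# get a high rating; a plain hyperlink only fires on a click, so it is low.
SEVERITY = {
    "oleObject": "high",
    "attachedTemplate": "high",
    "frame": "medium",
    "hyperlink": "low",
}


def scan_docx(docx_bytes):
    """Return [(part, rel_type, severity, target), ...] for every relationship
    with TargetMode="External" whose target is an http(s) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "").strip()
                if not re.match(r"(?i)^https?://", target):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, SEVERITY.get(rel_type, "medium"), target))
    return findings


def verdict(findings):
    """'suspicious' if any high-severity external reference was found."""
    return "suspicious" if any(f[2] == "high" for f in findings) else "clean"


def build_sample_docx():
    """Constructed minimal .docx: one benign hyperlink plus an OLE object whose
    content is loaded from an external URL (placeholder host)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.invalid/notice" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="http://example.invalid/remote.rtf" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_docx(build_sample_docx())
    for part, rel_type, sev, target in results:
        print(f"[{sev:6}] {part}: {rel_type} -> {target}")
    print("verdict:", verdict(results))
```

Because the check reads only the package relationships, it runs without Office installed and before any content is rendered; in production you would pair it with a hash or URL reputation lookup on each flagged target rather than treating every external OLE reference as hostile on its own.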
BlackBerry’s analysis revealed that the threat actor has been using an old Tor node for the second-stage command-and-control (C&C) server, while continuing to rely on a known SideWinder domain naming structure.
“We haven’t yet observed any samples of the JavaScript delivered in the last stage of the attack. However, based on SideWinder’s prior campaigns, we believe that the goal of this campaign is espionage and intelligence gathering,” BlackBerry notes.