
SideWinder Launches New Espionage Campaign on Ports

Cyberespionage Campaign Exploits a 7-Year-Old Microsoft Office Vulnerability
The SideWinder threat group has been active in ports in the Indian Ocean and the Mediterranean Sea. (Image: Shutterstock)

Maritime facilities and ports in the Indian Ocean and Mediterranean Sea have become targets of spear-phishing attacks in a cyberespionage campaign attributed to a suspected India state-sponsored threat group.


BlackBerry's Threat Research and Intelligence team uncovered an espionage campaign targeting maritime facilities in Bangladesh, Egypt, Myanmar, Nepal, Pakistan, Sri Lanka and the Maldives. BlackBerry referred to the group as SideWinder.

SideWinder, also tracked as Razor Tiger, Rattlesnake and T-APT-04, appears to originate from India and has been active since at least 2012. The group has a history of targeting entities in Pakistan, Afghanistan, China and Nepal.

BlackBerry said the lures in the campaign include documents purporting to detail sexual harassment, salary reduction and employee termination.

The phishing emails exploit a known vulnerability in Microsoft Office tracked as CVE-2017-0199, which allows hackers to deliver malware through remote template injection. Despite a patch being available since 2017, organizations with outdated systems remain vulnerable. Once the target opens the malicious document, it contacts a specified URL to download the next stage of the attack.

The second stage involves a Rich Text Format file exploiting another Microsoft Office vulnerability, tracked as CVE-2017-11882. The shellcode embedded in the RTF checks whether the target system is a physical machine rather than a virtual environment of the kind defenders use for analysis. If the host looks suitable, the attack proceeds and a small piece of JavaScript is executed, leading to further stages of the attack.
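The two document stages above leave artifacts that can be checked without opening the files. As an added example (not code from the article or from BlackBerry's research), the script below does defender-side triage: it lists external relationships declared inside an OOXML document, which is where a remote template in the CVE-2017-0199 delivery style is referenced, and it flags an RTF that embeds an OLE object of the Equation Editor class, the component CVE-2017-11882 targets. Both sample documents are constructed inline, and the template URL is a placeholder, not an indicator from the campaign.

```python
# Added example: triage of remote-template .docx files and Equation Editor RTFs.
# Not from the article; sample inputs below are constructed for illustration.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# External relationship types that are normal in everyday documents.
BENIGN_EXTERNAL_TYPES = {"hyperlink", "image"}


def external_relationships(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (relationship type, target) for every External relationship in
    the .docx that is not a plain hyperlink or linked image. A remote template
    appears as an 'attachedTemplate' relationship whose Target is a URL/UNC path."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in BENIGN_EXTERNAL_TYPES:
                    continue
                found.append((rel_type, rel.get("Target", "")))
    return found


def rtf_has_equation_object(rtf_bytes: bytes) -> bool:
    """Heuristic for the second-stage RTF: True if the file embeds an OLE object
    of the Equation Editor class, declared either in clear text
    (\\objclass Equation.3) or inside the hex-encoded \\objdata blob."""
    text = rtf_bytes.decode("latin-1")
    if "\\object" not in text:
        return False
    if re.search(r"\\objclass\s*Equation", text, re.IGNORECASE):
        return True
    for blob in re.findall(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        digits = re.sub(r"\s+", "", blob)
        digits = digits[: len(digits) // 2 * 2]  # drop a dangling nibble
        if b"Equation" in bytes.fromhex(digits):
            return True
    return False


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal .docx whose settings part points at an external
    template, the shape of a remote template injection document (constructed)."""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="{template_url}" TargetMode="External"/>
</Relationships>"""
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # abbreviated, constructed
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed RTF fragment embedding an OLE object declared as Equation.3;
# the objdata hex spells "Equation.Native".
SAMPLE_RTF = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 4571756174696f6e2e4e6174697665}}}")
SAMPLE_RTF_BENIGN = b"{\\rtf1\\ansi Quarterly salary memo.}"


def triage(docx_bytes: bytes, rtf_bytes: bytes) -> list[str]:
    """Return human-readable findings for a (docx, rtf) pair."""
    findings = []
    for rel_type, target in external_relationships(docx_bytes):
        findings.append(f"docx: external {rel_type} relationship -> {target}")
    if rtf_has_equation_object(rtf_bytes):
        findings.append("rtf: embedded Equation Editor object (CVE-2017-11882 pattern)")
    return findings


if __name__ == "__main__":
    sample = build_sample_docx("http://template.invalid/placeholder.dotm")  # placeholder URL
    for line in triage(sample, SAMPLE_RTF):
        print(line)
```

The relationship check is the durable signal: whatever the lure text says, a document that asks Word to fetch its template from a URL or UNC path is unusual in business mail and worth quarantining for analysis. The RTF check is a heuristic; it catches the common Equation.3 object declaration and the hex-hidden class name, but a sample that obfuscates the control words further would need a full RTF parser.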

SideWinder's second-stage command-and-control infrastructure uses an old Tor node to hinder network analysis. Despite this, researchers were able to identify the delivery infrastructure through protective DNS (PDNS) data, which records and analyzes DNS queries in order to block resolution of known-malicious domains.

The campaign shows a steady evolution in SideWinder's network infrastructure and delivery payloads, indicating that the threat actor is preparing for additional attacks.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



