SideWinder APT Targets with futuristic Tactics and Techniques

Cyble Research Team recently came across new malware variants related to the SideWinder (aka Rattlesnake or T-APT-04) APT threat group. We noted that the group is targeting organizations through spam e-mails carrying maliciously crafted documents, as well as through archives containing malicious Windows shortcut (LNK) files. 

SideWinder APT Background: It is a known threat actor that mainly targets the Pakistani military and has been active since 2012. In the recent attacks we observed, SideWinder APT uses two different initial infection vectors.

 1. A maliciously crafted document named “Protocol.doc”, themed “Poland and Pakistan together for Security”, that exploits the known vulnerability CVE-2017-11882 (the stack buffer overflow in the Microsoft Office Equation Editor, EQNEDT32.EXE). The diagram below shows the RTF file with the exploit shellcode that leads to installation of the actual payload. 

Figure 1: Malicious Protocol.doc with exploit for CVE-2017-11882 

2. A zip archive named “Audit_Observation2019.zip” containing a malicious Windows shortcut (LNK) file that, when opened, downloads additional payloads onto the victim’s machine, as shown below.  

Figure 2: Malicious LNK file inside the archive
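When triaging an archived shortcut like the one above, the first thing to pull out is what the LNK will actually run: its target, working directory, command-line arguments and window mode. The parser below is an added example (not code from the original report) that walks the MS-SHLLINK layout: the 76-byte ShellLinkHeader, the optional LinkTargetIDList and LinkInfo blocks, then the StringData items. The shortcut produced by build_sample_lnk() is constructed here for the demonstration and is not the SideWinder artifact; the SCRIPT_HOSTS list and the triage() heuristics are assumptions of this example, not findings from the report.

```python
"""Parse a Windows shortcut (.lnk) and report what it will actually run.

Added example for triaging archived LNK lures; not code from the original
report.  The shortcut built by build_sample_lnk() is constructed here and is
NOT the SideWinder artifact.  Layout follows MS-SHLLINK: ShellLinkHeader,
optional LinkTargetIDList / LinkInfo, then StringData.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# Hosts a lure shortcut is often pointed at (heuristic list, an assumption of this example)
SCRIPT_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")


def _read_string(data, pos, unicode):
    """StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252"), end


def parse_lnk(data):
    """Return show_command, name, relative_path, working_dir, arguments, icon_location."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a ShellLink")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)      # ShowCommand field
    info = {"show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd))}

    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + ItemIDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) counts itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size

    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], pos = _read_string(data, pos, unicode)
        else:
            info[key] = ""
    return info


def is_lnk(data):
    """True if data parses as a shortcut; malformed input never raises."""
    try:
        parse_lnk(data)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


def triage(info):
    """Heuristic reasons a shortcut deserves a closer look (assumptions of this example)."""
    reasons = []
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        reasons.append("window starts minimised and inactive, which hides a console")
    target = info["relative_path"].lower()
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin: " + target)
    args = info["arguments"]
    if len(args) > 64 or "http" in args.lower():
        reasons.append("long or URL-bearing argument string")
    return reasons


def build_sample_lnk():
    """Constructed shortcut (not the real lure): cmd.exe, minimised, with a PowerShell one-liner."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
    # IconIndex, ShowCommand (7 = SW_SHOWMINNOACTIVE), HotKey, then 10 reserved bytes
    header = struct.pack("<I16sIIQQQIiIH", HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0) + b"\x00" * 10

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header
            + s(r"..\..\..\Windows\System32\cmd.exe")
            + s(r"%TEMP%")
            + s('/c powershell -WindowStyle Hidden -Command "Write-Output constructed-sample"'))


if __name__ == "__main__":
    shortcut = parse_lnk(build_sample_lnk())
    print(shortcut)
    print(triage(shortcut))
```

Run it against a real lure by passing the file's bytes to parse_lnk(); the relative path and arguments are what the shortcut hands to ShellExecute, so they are the fields to pivot on when hunting for the second-stage download.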

After successful exploitation, the malicious payload files are stored in the %ProgramData%\SyncFiles\ directory, as shown in Figure 3. 

Figure 3: Payload files on the victim machine

Upon execution, Rekeywiz.exe creates a mutex named “Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208” so that only a single instance runs on the victim machine. It then reads the MasterKeyHistory value under the registry path “SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys” and enables EFS by setting the feclient EfsEnabled flag. Rekeywiz.exe is the name of the legitimate Windows EFS Re-Key Wizard, so this mutex and EFS registry activity is the wizard’s own start-up routine rather than the malicious logic.  

Figure 4: Mutex

Finally, Rekeywiz.exe loads and executes the actual SideWinder payload, “Duser.dll”, a .NET (Visual C# / Visual Basic) compiled dynamic link library with low AV detection at the time of analysis, as shown below. Dropping the DLL next to the executable under %ProgramData%\SyncFiles\ makes the executable load it in place of the legitimate Duser.dll from System32 (DLL side-loading). 

Figure 5: VirusTotal detection for Duser.dll

Rekeywiz.exe then encrypts files with EFS using an ECDH P-256 key, calling Windows APIs such as “SetUserFileEncryptionKeyEx”. The encrypted content is written to the current directory as “Y2EKaMo.tmp”; its contents are shown in Figure 6. 

Figure 6: Encrypted file contents

After successful infection, the malware establishes background network communication with the C2 IP 185.99.133[.]58, as shown in Figure 7.  

Figure 7: C2 communication 
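The host and network artifacts above (the %ProgramData%\SyncFiles\ drop directory, the Rekeywiz.exe / Duser.dll side-load pair, the mutex name, the file hashes and the C2 hosts) can be checked with a short script. The following is an added example and not tooling from the original report: it walks a directory tree once, flags any Rekeywiz.exe that sits beside a Duser.dll outside the Windows system directories, hashes every file against the report’s MD5 IOCs, and scans proxy or DNS log lines for the C2 domains and IP. The directory tree and log lines in demo() are constructed for the demonstration; the mutex check is Windows-only and is the one part that cannot run offline elsewhere.

```python
"""Host and log triage for the SideWinder artifacts described above.

Added example, not tooling from the original report.  It checks for
(1) a Rekeywiz.exe sitting next to a Duser.dll outside the Windows
system directories (the side-load pair), (2) files whose MD5 is in the
report's IOC list, (3) the drop directory %ProgramData%\\SyncFiles, and
(4) proxy/DNS log lines that name the C2 hosts.  demo() builds a
constructed directory tree and log so the checks run offline.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# IOCs as published in the report above
IOC_MD5 = {
    "ea0b79cd48fe50cec850e8b9733d11b2": "Audit_Observation2019.zip",
    "1cf37a0a8a5f5704a3df692d84a16a71": "Protocol.doc",
    "3b29d0cef6d23779dd08c6e92776d368": "Duser.dll",
    "082ed4a73761682f897ea1d7f4529f69": "Rekeywiz.exe",
}
IOC_HOSTS = ("www.fbr-gov.aws-pk.net", "cdn-aws-s2.net", "fqn-cloud.net", "185.99.133.58")
MUTEX_NAME = r"Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208"
# Where the genuine wizard and Duser.dll legitimately live; a pair there is not a finding
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64",
               "/windows/system32", "/windows/syswow64")


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root once; return side-load pair directories, IOC hash hits and drop dirs."""
    pairs, hash_hits, drop_dirs = [], {}, []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        d = dirpath.lower()
        if ("rekeywiz.exe" in names and "duser.dll" in names
                and not any(s in d for s in SYSTEM_DIRS)):
            pairs.append(dirpath)
        if d.endswith("syncfiles") and "programdata" in d:
            drop_dirs.append(dirpath)
        for name in filenames:
            p = os.path.join(dirpath, name)
            digest = md5_of(p)
            if digest in IOC_MD5:
                hash_hits[p] = IOC_MD5[digest]
    return {"sideload_pairs": pairs, "hash_hits": hash_hits, "drop_dirs": drop_dirs}


def scan_log(lines):
    """Return (line number, IOC host) for every log line naming a C2 host or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host in IOC_HOSTS:
            if host in low:
                hits.append((n, host))
    return hits


def mutex_present(name=MUTEX_NAME):
    """Windows only: True if the mutex from the report is currently held by a running process."""
    if sys.platform != "win32":
        raise RuntimeError("mutex check needs Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, name)   # SYNCHRONIZE access
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


def demo():
    """Constructed fixture: a fake drop directory plus a System32 copy that must not be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp, "ProgramData", "SyncFiles")
        sys32 = Path(tmp, "Windows", "System32")
        for d in (drop, sys32):
            d.mkdir(parents=True)
            (d / "Rekeywiz.exe").write_bytes(b"constructed stand-in, not the real binary")
            (d / "Duser.dll").write_bytes(b"constructed stand-in, not the real DLL")
        tree = scan_tree(tmp)
        log = [  # constructed proxy log lines
            "2019-11-05T10:02:13Z 10.1.2.3 CONNECT www.fbr-gov.aws-pk.net:443 200",
            "2019-11-05T10:02:14Z 10.1.2.3 GET http://example.org/ 200",
            "2019-11-05T10:02:20Z 10.1.2.3 CONNECT 185.99.133.58:443 200",
        ]
        return {
            "sideload_pairs": [os.path.relpath(p, tmp) for p in tree["sideload_pairs"]],
            "drop_dirs": [os.path.relpath(p, tmp) for p in tree["drop_dirs"]],
            "hash_hits": tree["hash_hits"],
            "log_hits": scan_log(log),
        }


if __name__ == "__main__":
    print(demo())
```

On a live host, point scan_tree() at the drive root (or at %ProgramData% first, since that is where the report saw the drop) and feed scan_log() the proxy or DNS export; the side-load check catches renamed copies of the wizard because it keys on the file pair, not on the hash, while the hash check only matches the exact samples listed in the IOCs.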

Remediation 

Here are the steps to prevent targeted attacks like SideWinder: 

  1. Disable EFS encryption in Windows where it is not required. 
  2. Keep a solid cyber threat intelligence program with the latest IOCs of emerging threats. 
  3. Keep systems up to date with security patches. 
  4. Do not open e-mail attachments unless you can verify that the sender, and not malware, sent the e-mail. 

Conclusion 

Advanced Persistent Threats are continuously evolving, deploying new tactics and techniques to make their targeted cyber-attacks succeed. 

Cyble Research team continuously monitors and harvests indicators and TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and proactively protected.   

List of IOCs: 

File hashes (MD5): 

ea0b79cd48fe50cec850e8b9733d11b2 – Audit_Observation2019.zip 

1cf37a0a8a5f5704a3df692d84a16a71 – Protocol.doc 

3b29d0cef6d23779dd08c6e92776d368 – Duser.dll 

082ed4a73761682f897ea1d7f4529f69 – Rekeywiz.exe 

C2 domains: 

www[.]fbr-gov[.]aws-pk[.]net  

cdn-aws-s2[.]net 

fqn-cloud[.]net 

IPs: 

185.99.133[.]58 

Mutex:  

Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208 
