The nation-state menace actor often known as SideWinder has been attributed to a brand new cyber espionage marketing campaign concentrating on ports and maritime amenities within the Indian Ocean and Mediterranean Sea.
The BlackBerry Analysis and Intelligence Group, which found the exercise, stated targets of the spear-phishing marketing campaign embody international locations like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which can also be recognized by the names APT-C-17, Child Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, usually making use of spear-phishing as a vector to ship malicious payloads that set off the assault chains.
“SideWinder makes use of electronic mail spear-phishing, doc exploitation and DLL side-loading strategies in an try and keep away from detection and ship focused implants,” the Canadian cybersecurity firm stated in an evaluation printed final week.
The newest set of assaults make use of lures associated to sexual harassment, worker termination, and wage cuts to be able to negatively impression the recipients’ emotional state and trick them into opening booby-trapped Microsoft Phrase paperwork.
As soon as the decoy file is opened, it leverages a recognized safety flaw (CVE-2017-0199) to ascertain contact with a malicious area that masquerades as Pakistan’s Directorate Normal Ports and Transport (“studies.dgps-govtpk[.]com”) to retrieve an RTF file.
The RTF doc, in flip, downloads a doc that exploits CVE-2017-11882, one other years-old safety vulnerability within the Microsoft Workplace Equation Editor, with the objective of executing shellcode that is accountable for launching JavaScript code, however solely after guaranteeing that the compromised system is respectable and is of curiosity to the menace actor.
It is presently not recognized what’s delivered via the JavaScript malware, though the tip objective is more likely to be intelligence gathering based mostly on prior campaigns mounted by SideWinder.
“The SideWinder menace actor continues to enhance its infrastructure for concentrating on victims in new areas,” BlackBerry stated. “The regular evolution of its community infrastructure and supply payloads means that SideWinder will proceed its assaults within the foreseeable future.”