Maritime and logistics corporations in South and Southeast Asia, the Center East, and Africa have grow to be the goal of a sophisticated persistent risk (APT) group dubbed SideWinder.
The assaults, noticed by Kaspersky in 2024, unfold throughout Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Different targets of curiosity embody nuclear energy vegetation and nuclear vitality infrastructure in South Asia and Africa, in addition to telecommunication, consulting, IT service corporations, actual property companies, and lodges.
In what seems to be a wider enlargement of its victimology footprint, SideWinder has additionally focused diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The concentrating on of India is important because the risk actor was previously suspected to be of Indian origin.
“It’s value noting that SideWinder continually works to enhance its toolsets, keep forward of safety software program detections, lengthen persistence on compromised networks, and conceal its presence on contaminated techniques,” researchers Giampaolo Dedola and Vasily Berdnikov said, describing it as a “extremely superior and harmful adversary.”
SideWinder was beforehand the topic of an extensive analysis by the Russian cybersecurity firm in October 2024, documenting the risk actor’s use of a modular post-exploitation toolkit referred to as StealerBot to seize a variety of delicate info from compromised hosts. The hacking group’s concentrating on of the maritime sector was additionally highlighted by BlackBerry in July 2024.
The newest assault chains align with what has been reported earlier than, with the spear-phishing emails appearing as a conduit to ship booby-trapped paperwork that leveraged a recognized safety vulnerability in Microsoft Workplace Equation Editor (CVE-2017-11882) as a way to activate a multi-stage sequence, which in flip, employs a .NET downloader named ModuleInstaller to finally launch StealerBot.
Kaspersky mentioned among the lure paperwork are associated to nuclear energy vegetation and nuclear vitality companies, whereas others included content material referencing maritime infrastructures and varied port authorities.
“They’re continually monitoring detections of their toolset by safety options,” Kaspersky mentioned. “As soon as their instruments are recognized, they reply by producing a brand new and modified model of the malware, typically in underneath 5 hours.”
“If behavioral detections happen, SideWinder tries to alter the methods used to keep up persistence and cargo parts. Moreover, they modify the names and paths of their malicious recordsdata.”
Source link