The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries such as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which is also tracked under the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012 and typically relies on spear-phishing as the initial vector to deliver the malicious payloads that kick off its attack chains.
"SideWinder uses email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week.
The latest set of attacks uses lures related to sexual harassment, employee termination, and salary cuts in order to unsettle the recipients emotionally and trick them into opening booby-trapped Microsoft Word documents.
Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199, a Microsoft Office bug that lets a document fetch and execute a remotely linked OLE object without user interaction beyond opening the file) to contact a malicious domain that masquerades as Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") and retrieve an RTF file.
The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old memory corruption vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that is responsible for launching JavaScript code, but only after checking that the compromised system is a genuine victim machine and is of interest to the threat actor. Both flaws were patched by Microsoft in 2017, and the Equation Editor component was later removed from Office entirely, so the chain only succeeds against installations that have missed years of security updates.
It is currently not known what is delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering, based on prior campaigns mounted by SideWinder.
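The two document stages described above leave distinctive, parseable traces: a .docx that carries an OLE object or attached-template relationship pointing at an external HTTP(S) URL (the CVE-2017-0199 shape), and an RTF that embeds an Equation Editor object (the CVE-2017-11882 shape). The following triage script is an added example written for this page, not code from BlackBerry's analysis or from the campaign; the sample documents, the placeholder hostname `example.invalid`, and the function names are all constructed for illustration. The Equation Editor CLSID `{0002CE02-0000-0000-C000-000000000046}` is the real, publicly documented class ID of `Equation.3`.

```python
"""Triage checks for the two Office exploit stages in the SideWinder chain.

Stage 1 (CVE-2017-0199): a .docx whose relationship (.rels) parts point an
oleObject or attachedTemplate at an external HTTP(S) URL, so Word fetches and
executes remote content (an RTF or HTA) when the file is opened.
Stage 2 (CVE-2017-11882): an RTF carrying an embedded Equation Editor
(Equation.3) OLE object.

Added example; all sample documents below are constructed fixtures.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_REL_TYPES = {REL_NS + "oleObject", REL_NS + "attachedTemplate"}
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# CLSID of Equation Editor (Equation.3): {0002CE02-0000-0000-C000-000000000046},
# as it appears little-endian and hex-encoded inside an RTF objdata stream.
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"


def external_ole_targets(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels part, target URL) pairs for oleObject/attachedTemplate
    relationships whose target is an external http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") not in SUSPICIOUS_REL_TYPES:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                    hits.append((name, target))
    return hits


def has_equation_editor_object(rtf_bytes: bytes) -> bool:
    """Heuristic: look for an Equation.3 object class or its CLSID after
    stripping the whitespace attackers sprinkle through objdata hex.
    This is a triage check, not a full RTF parser; heavily obfuscated
    samples (control-word padding, split hex) may need a real parser."""
    compact = re.sub(r"\s+", "", rtf_bytes.decode("latin-1")).lower()
    return "equation.3" in compact or EQNEDT_CLSID_HEX in compact


def build_sample_docx(remote_target: str) -> bytes:
    """Constructed fixture: a minimal .docx with an externally linked OLE
    object relationship. Not a working exploit document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{REL_NS}oleObject" '
        f'Target="{remote_target}" TargetMode="External"/>'
        f'<Relationship Id="rId1" Type="{REL_NS}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF fixtures: one with an explicit objclass, one that only
# carries the CLSID inside objdata with newlines inserted, and one benign.
SAMPLE_RTF = (
    rb"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    b"01050000020000000b0000004571756174696f6e2e33000000}}}"
)
SAMPLE_RTF_OBFUSCATED = (
    rb"{\rtf1{\object\objemb{\*\objdata 0105000002000000"
    b"\r\n02ce0200\r\n00000000\r\nc0000000\r\n00000046}}}"
)
BENIGN_RTF = rb"{\rtf1 Quarterly salary review attached.}"


if __name__ == "__main__":
    docx = build_sample_docx("http://example.invalid/lure.rtf")
    print("external OLE targets:", external_ole_targets(docx))
    for label, rtf in (("objclass", SAMPLE_RTF), ("obfuscated", SAMPLE_RTF_OBFUSCATED), ("benign", BENIGN_RTF)):
        print(f"{label}: equation editor object = {has_equation_editor_object(rtf)}")
```

Run it on a suspicious attachment by passing the file bytes to `external_ole_targets` (for .docx) or `has_equation_editor_object` (for .rtf). A hit on either is strong grounds to detonate the sample in a sandbox and check the outbound URL against known infrastructure; the absence of a hit proves nothing, since both checks are heuristics that a determined attacker can evade with RTF obfuscation.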
"The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions," BlackBerry said. "The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."