SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa


Mar 11, 2025 | Ravie Lakshmanan | Cyber Espionage / Maritime Security

Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder.

The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa, as well as telecommunication, consulting, and IT service companies, real estate firms, and hotels.


In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant, as the threat actor was previously suspected to be of Indian origin.

“It’s worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems,” researchers Giampaolo Dedola and Vasily Berdnikov said, describing it as a “highly advanced and dangerous adversary.”


SideWinder was previously the subject of an extensive analysis by the Russian cybersecurity company in October 2024, documenting the threat actor’s use of a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts. The hacking group’s targeting of the maritime sector was also highlighted by BlackBerry in July 2024.

The latest attack chains align with what has been reported before, with the spear-phishing emails acting as a conduit to deliver booby-trapped documents that leverage a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882) in order to trigger a multi-stage sequence, which in turn employs a .NET downloader named ModuleInstaller to ultimately launch StealerBot.
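A defender-side illustration of the delivery step above, added here and not part of Kaspersky's report or this article: the page names CVE-2017-11882 but not the process that hosts it, so the example relies on the independently documented fact that the flaw lives in the Equation Editor binary EQNEDT32.EXE, and flags process-tree anomalies around that binary over constructed Sysmon-style process-creation events (paths, PIDs and the stage-two file name are all made up).

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry).
# pid 4188 is the Equation Editor started by Word; pid 4200 is its child.
SAMPLE_EVENTS = [
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 3000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 4200, "ppid": 4188, "image": r"C:\Users\Public\stage2_placeholder.exe"},
    {"pid": 4300, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4400, "ppid": 3000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"  # binary hosting CVE-2017-11882 (known fact, not from the article)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect_equation_editor_abuse(events):
    """Return findings for Equation Editor process-tree anomalies.

    Rule A (high): EQNEDT32.EXE has a child process. The legitimate editor
    never spawns children, so this is a strong exploitation signal.
    Rule B (medium): an Office application launches EQNEDT32.EXE. This can be
    legitimate (legacy equation objects), so it is only a lower-severity lead.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # orphan or system process: no parent context to judge
        parent_name, child_name = basename(parent["image"]), basename(e["image"])
        if parent_name == EQNEDT:
            findings.append({"rule": "A", "severity": "high", "pid": e["pid"],
                             "detail": f"{EQNEDT} spawned {child_name}"})
        elif child_name == EQNEDT and parent_name in OFFICE_APPS:
            findings.append({"rule": "B", "severity": "medium", "pid": e["pid"],
                             "detail": f"{parent_name} launched {EQNEDT}"})
    return findings


if __name__ == "__main__":
    for f in detect_equation_editor_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] rule {f['rule']} pid {f['pid']}: {f['detail']}")
```

Both rules are parent/child relationships, so they keep firing even when the actor renames the downloader or moves it to a new path, which is exactly the evasion the report describes.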


Kaspersky said some of the lure documents are related to nuclear power plants and nuclear energy agencies, while others included content referencing maritime infrastructure and various port authorities.

“They are constantly monitoring detections of their toolset by security solutions,” Kaspersky said. “Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours.”

“If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files.”
