SideWinder, a notorious APT (Advanced Persistent Threat) group, has recently upgraded its arsenal and widened its attack scope, with a recent focus on nuclear reactor and maritime logistics companies. This threat actor is highly active in Southeast Asia, where its primary targets are military and government agencies in Pakistan, China, Sri Lanka, and Nepal. SideWinder is now also active in the MENA region.

Attack Chain

  • The attack begins with spear-phishing emails carrying a DOCX file.
  • The document uses the remote injection technique to download an RTF file.
  • The RTF file exploits a known Microsoft vulnerability, CVE-2017-11882.
  • Exploitation of this vulnerability installs a malware component called “Backdoor Loader”.
  • This malware acts as a loader for “StealerBot”, which is used exclusively by the SideWinder APT.

The phishing document may be made to appear as coming from the IAEA, or may be a document concerning maritime infrastructure and various port authorities.

Victims of Sidewinder APT

The group’s activities have expanded significantly, with a notable increase in operations across Africa. Attacks were detected in countries including Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, the Philippines, Sri Lanka, the United Arab Emirates, and Vietnam.

Diplomatic Targets: In this recent wave of attacks, SideWinder specifically targeted diplomatic entities in the following countries:

  • Afghanistan
  • Algeria
  • Bulgaria
  • China
  • India
  • Maldives
  • Rwanda
  • Saudi Arabia
  • Turkey
  • Uganda

The Bottom Line

The move towards the nuclear sector aligns with a broader trend of cybercriminals and state-sponsored actors targeting critical infrastructure for espionage, sabotage, or even potential disruption.

As SideWinder expands its scope, other nations and industries must brace for more targeted cyberattacks, which can have far-reaching consequences on global security.


Source: hxxps[://]securelist[.]com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/