SideWinder Hacker Group Target Government & Military Using WarHawk Tool

Zscaler ThreatLabz has identified a new backdoor, ‘WarHawk’, being used by the SideWinder APT group to target entities in Pakistan.

The SideWinder group is also tracked as Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04 and APT-C-17, and has a history of targeting government, military and business organisations across Asia, particularly in Pakistan.

“The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign,” Zscaler ThreatLabz said.

The Working of WarHawk Backdoor

According to the report, the ‘WarHawk’ backdoor consists of four modules:

  • Download & Execute Module
  • Command Execution Module
  • File Manager InfoExfil Module
  • UploadFromC2 Module

Researchers found the malicious ISO file hosted on the legitimate website of Pakistan’s National Electric Power Regulatory Authority, “nepra[.]org[.]pk”, which suggests that the authority’s web server had been compromised.

National Electric Power Regulatory Authority Website

The backdoor disguises itself as a legitimate application to lure unsuspecting victims into executing it. WarHawk also recovers a set of API and DLL names at runtime with a string decryption routine: it takes the encrypted hex bytes as input and subtracts the key 0x42 from each byte to produce the plaintext string.
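The following is an added example illustrating the single-byte subtractive scheme described above; it is not code from the Zscaler report or from the malware. The only facts taken from the page are the hex input and the “subtract 0x42 per byte” step. The encrypted blobs are constructed here by applying the inverse (adding 0x42) to ordinary API/DLL names and are not indicators from the real sample. It also goes one step beyond the text with `recover_key`, an analyst helper that brute-forces the key when it is not yet known, which is the situation a reverser is usually in before reading the routine.

```python
"""Decrypt WarHawk-style single-byte subtracted strings (added example)."""

import string

KEY = 0x42  # per the report: each encrypted byte minus 0x42 gives the plaintext byte

# Characters an API/DLL name may reasonably contain; used only by the brute-forcer.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Substrings common in Windows API/DLL names; used to break ties between shifts
# that all happen to yield printable output (assumption: a small dictionary suffices).
KNOWN_TOKENS = (".dll", "Load", "Library", "Get", "Create", "Virtual", "Process", "Write")


def decrypt_string(encrypted_hex: str, key: int = KEY) -> str:
    """Reverse the routine: parse hex bytes, subtract key from every byte mod 256."""
    data = bytes.fromhex(encrypted_hex)
    plain = bytes((b - key) & 0xFF for b in data)
    return plain.decode("latin-1")


def encrypt_string(plaintext: str, key: int = KEY) -> str:
    """Inverse transform, used here only to build constructed test data."""
    return bytes((b + key) & 0xFF for b in plaintext.encode("latin-1")).hex()


# Constructed samples (NOT from the real binary): encrypt_string("kernel32.dll") and
# encrypt_string("LoadLibraryA") with key 0x42.
SAMPLES = {
    "ada7b4b0a7ae757470a6aeae": "kernel32.dll",
    "8eb1a3a68eaba4b4a3b4bb83": "LoadLibraryA",
}


def recover_key(encrypted_blobs) -> int:
    """Brute-force the single-byte subtractive key over a set of blobs.

    A shift-by-one of a printable name is still printable, so printability alone
    leaves many candidates; the key whose output contains the most known API
    tokens wins. Returns -1 if no key yields fully printable output for all blobs.
    """
    best_key, best_score = -1, -1
    for key in range(256):
        decoded = [decrypt_string(h, key) for h in encrypted_blobs]
        if not all(all(c in PRINTABLE for c in s) for s in decoded):
            continue
        score = sum(tok in s for s in decoded for tok in KNOWN_TOKENS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def decrypt_table(encrypted_blobs, key: int = KEY) -> dict:
    """Decrypt every blob in an extracted string table with one key."""
    return {h: decrypt_string(h, key) for h in encrypted_blobs}


if __name__ == "__main__":
    key = recover_key(SAMPLES)
    print(f"recovered key: 0x{key:02x}")
    for enc, plain in decrypt_table(SAMPLES, key).items():
        print(f"{enc} -> {plain}")
```

When working from a real dump, feed `recover_key` every hex blob the routine is called with; one or two blobs leave a wide band of printable keys, and it is the `.dll` suffixes and common API prefixes that pin the key down.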


WarHawk Backdoor disguises as legit applications

The Download & Execute module downloads additional payloads from a remote URL supplied by the command-and-control (C2) server and executes them on the infected machine.

The Command Execution module runs system commands received from the C2 server on the infected host. The File Manager InfoExfil module first sends a module-initiation request to the C2 server and then gathers and exfiltrates file manager information.

The UploadFromC2 module is a new feature in the latest WarHawk build; it allows the threat actor to upload files from the C2 server onto the infected machine.


SideWinder Network Infrastructure

Researchers point to three indicators that the campaign is targeted at Pakistan:

  • the ISO files were hosted on the website of Pakistan’s National Electric Power Regulatory Authority
  • the lure documents purport to come from Pakistan’s Cabinet Division
  • a time zone check for “Pakistan Standard Time” ensures the malware only runs on machines configured for that zone

“The SideWinder APT Group is continuously evolving their tactics and adding new malware to their arsenal in order to carry out successful espionage attack campaigns against their targets,” concludes the report.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.