Cyber Security News

SideWinder Hacker Group Targets Government & Military Using WarHawk Tool

Zscaler ThreatLabz found a new backdoor called ‘WarHawk’ being used by the SideWinder APT threat group to target entities in Pakistan.

The SideWinder group goes by the names Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17, with a history of targeting government, military, and businesses throughout Asia, particularly Pakistan.

“The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign,” Zscaler ThreatLabz said.

The Working of WarHawk Backdoor

Reports say the ‘WarHawk’ backdoor consists of four modules:

  • Download & Execute Module
  • Command Execution Module
  • File Manager InfoExfil Module
  • UploadFromC2 Module

Researchers discovered the ISO file hosted on the legitimate website of Pakistan’s National Electric Power Regulatory Authority, “nepra[.]org[.]pk”, which can indicate a compromise of their web server.

National Electric Power Regulatory Authority Website

It disguises itself as a legitimate application to lure unsuspecting victims into executing it. WarHawk also decrypts a set of API and DLL names using a string decryption routine that takes the encrypted hex bytes as input and subtracts the key 0x42 from each byte to recover the string.
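The single-byte subtraction scheme described above is simple enough that an analyst can decode the strings outside the sample. The following Python is an added example written for this article, not code from Zscaler or from the malware: it decrypts a byte string with the reported key 0x42, decodes a table of NUL-terminated strings (the back-to-back, NUL-terminated layout is an assumption, not something the article states), and goes one step beyond the page by brute-forcing the key from a known plaintext, which is the general approach when a variant switches keys. The hex sample is constructed for the example by encoding “LoadLibraryA” with the same scheme; it is not an indicator from the report.

```python
"""Decoder for single-byte-subtraction string obfuscation (added example).

Each encrypted byte minus the key, modulo 256, yields the plaintext byte.
The article reports the key 0x42 for WarHawk; everything else here (the
NUL-terminated table layout, the sample bytes) is constructed for illustration.
"""
from typing import List, Optional

KEY = 0x42  # subtraction key reported for WarHawk in the article

# Constructed sample: "LoadLibraryA" with 0x42 added to every byte.
# Not an IoC from the report; built only so the example runs offline.
SAMPLE_ENCRYPTED = bytes.fromhex("8eb1a3a68eaba4b4a3b4bb83")


def decrypt_string(encrypted: bytes, key: int = KEY) -> str:
    """Subtract `key` from every byte (wrapping at 256) and decode as ASCII.

    The `& 0xFF` matters: bytes below the key would otherwise go negative
    in Python, whereas the sample's 8-bit arithmetic simply wraps.
    """
    plain = bytes((b - key) & 0xFF for b in encrypted)
    return plain.decode("ascii", errors="replace")


def encrypt_string(plaintext: str, key: int = KEY) -> bytes:
    """Inverse of decrypt_string; used only to build test fixtures."""
    return bytes((b + key) & 0xFF for b in plaintext.encode("ascii"))


def decrypt_string_table(blob: bytes, key: int = KEY) -> List[str]:
    """Decrypt a blob of NUL-terminated encrypted strings stored back to back.

    Assumption (not from the article): entries are separated by 0x00 in the
    encrypted blob. Empty entries are skipped so a trailing NUL is harmless.
    """
    return [decrypt_string(chunk, key) for chunk in blob.split(b"\x00") if chunk]


def recover_key(encrypted: bytes, known_plaintext: str) -> Optional[int]:
    """Brute-force the single-byte key given a plaintext you expect to see
    (a DLL or API name). Returns None when no key maps the bytes onto it.
    """
    target = known_plaintext.encode("ascii")
    if len(target) != len(encrypted):
        return None
    for candidate in range(256):
        if bytes((b - candidate) & 0xFF for b in encrypted) == target:
            return candidate
    return None


if __name__ == "__main__":
    print(decrypt_string(SAMPLE_ENCRYPTED))
    table = encrypt_string("kernel32.dll") + b"\x00" + encrypt_string("GetProcAddress") + b"\x00"
    print(decrypt_string_table(table))
    print(hex(recover_key(SAMPLE_ENCRYPTED, "LoadLibraryA")))
```

When triaging a new build, run `recover_key` against one string whose plaintext is predictable, then feed the rest of the table through `decrypt_string_table` with that key; if the recovered key differs from 0x42, the sample is a variant rather than the build described here.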

WarHawk Backdoor disguises as legit applications

The download & execute module is responsible for downloading and executing additional payloads from a remote URL supplied by the CnC server.

The command execution module is responsible for executing system commands received from the command and control server on the infected machine. The File Manager InfoExfil module gathers and sends file manager information, first sending a module initiation request to the CnC server.

The UploadFromC2 module is a new feature added in the latest WarHawk backdoor, allowing the threat actor to upload files to the infected machine from the command and control server.

SideWinder Network Infrastructure

Researchers say the following indicators show that the campaign is targeted at Pakistan:

  • ISO files hosted on Pakistan’s National Electric Power Regulatory Authority website
  • Material released by Pakistan’s Cabinet Division used as a lure
  • A time zone check for “Pakistan Standard Time” that ensures the malware only executes on machines set to Pakistan Standard Time

“The SideWinder APT Group is continuously evolving their tactics and adding new malware to their arsenal in order to carry out successful espionage attack campaigns against their targets,” concludes the report.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
