SideWind is the name assigned to an Advanced Persistent Threat (APT) group that has shown a lasting interest in the South Asia region. The group is currently engaged in a wide-ranging attack campaign against targets in that same region, mainly entities located in Nepal and Afghanistan. The confirmed targets include the Nepali Army, the Nepali Ministries of Defense and Foreign Affairs, the Sri Lankan Ministry of Defense, the Afghanistan National Security Council, and the Presidential Palace in Afghanistan. In its operations, SideWind APT has demonstrated the ability to quickly fold global events and political issues specific to South Asia into its phishing and malware campaigns. The group has already exploited the COVID-19 pandemic in several malicious operations, while the latest campaign uses links to an article titled 'India Should Realise China Has Nothing to Do With Nepal's Stand on Lipulekh' and a document called 'Ambassador Yanchi Conversation with Nepali_Media.pdf.' The document contains an interview with the Chinese ambassador to Nepal about COVID-19, the Belt and Road Initiative, and a territorial matter in the Humla district.
Credential Theft and Phishing Emails
The ongoing SideWind APT operation combines several attack vectors that serve distinct goals. First, SideWind APT created spoofed copies of real login pages in order to collect the targeted users' credentials. For example, infosec researchers found that 'mail-nepalgovnp.duckdns.org' was set up to masquerade as the legitimate Nepal government portal at 'mail.nepal.gov.np': the real name's labels are squashed into a single hyphenated label and the host is parked under a free dynamic-DNS domain, so it never has to touch the government's own DNS zone. Once the credentials were harvested, the victims were redirected either to the genuine login pages or to the previously mentioned documents discussing hot-button issues.
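The duckdns.org lookalike is a pattern rather than a one-off, and it is cheap to hunt for in resolver or proxy logs. The Python below is an example added here, not code from the article or from any vendor report: it squashes every protected domain and every queried hostname to a separator-free form, flags hosts whose prefix embeds a protected name, and notes when the registrable apex is a known dynamic-DNS provider. The protected-domain list, the provider list, the log format and the `check_host`/`scan_log` helpers are all assumptions constructed for the example.

```python
"""Flag hostnames that imitate a protected domain under a dynamic-DNS provider.

Added example, not code from the original article. The phishing host
'mail-nepalgovnp.duckdns.org' copies 'mail.nepal.gov.np' by squashing the
real name's dots into one label and parking it under a free dynamic-DNS
apex. The protected domains, provider list and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains we want to protect (assumed list for the example).
PROTECTED = ["nepal.gov.np", "mod.gov.np", "mofa.gov.np"]

# Free dynamic-DNS apexes (assumed starter list; extend from your own intel).
DDNS_APEXES = {"duckdns.org", "ddns.net", "hopto.org", "no-ip.org", "myftp.org"}


def squash(name: str) -> str:
    """Lower-case a name and drop separators, so 'nepal.gov.np', 'nepal-gov-np'
    and 'nepalgovnp' all collapse to 'nepalgovnp'."""
    return re.sub(r"[.\-_]", "", name.lower())


def registrable(host: str) -> str:
    """Approximate the registrable apex as the last two labels. Assumption for
    this example: adequate for the providers above; use a public-suffix list
    in production."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Finding:
    host: str
    imitates: str
    reason: str


def check_host(host: str) -> Optional[Finding]:
    """Return a Finding if `host` impersonates a protected domain, else None."""
    host = host.lower().rstrip(".")
    # Genuine hosts inside a protected zone are never flagged.
    if any(host == p or host.endswith("." + p) for p in PROTECTED):
        return None
    apex = registrable(host)
    prefix = host[: -len(apex)].rstrip(".")      # labels left of the apex
    squashed = squash(prefix)
    for legit in PROTECTED:
        if squash(legit) in squashed:
            reason = "protected name squashed into a label"
            if apex in DDNS_APEXES:
                reason += f"; hosted under dynamic DNS ({apex})"
            return Finding(host, legit, reason)
    return None


# Constructed resolver log lines for the example (not real traffic).
SAMPLE_LOG = """\
2020-07-14T09:12:03Z client=10.0.4.21 query=mail.nepal.gov.np
2020-07-14T09:12:45Z client=10.0.4.21 query=mail-nepalgovnp.duckdns.org
2020-07-14T09:13:10Z client=10.0.4.37 query=nepal-gov-np.hopto.org
2020-07-14T09:13:30Z client=10.0.4.37 query=cdn.example.com
"""


def scan_log(text: str) -> List[Finding]:
    """Run check_host over every 'query=<name>' field in the log text."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m:
            hit = check_host(m.group(1))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} -> imitates {f.imitates}: {f.reason}")
```

The substring match on the squashed prefix is deliberately loose: it also catches 'nepal-gov-np.hopto.org' and 'nepalgovnp-login.ddns.net', at the cost of false positives for very short protected names, so keep the protected list to names long enough to be distinctive and review hits rather than blocking on them automatically.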
The other side of SideWind APT's attack is the distribution of malware, a backdoor and an information stealer, through phishing emails. The infection involves a complex, multi-stage attack chain with several droppers. The attack could follow two different scenarios:
The .rtf files exploit CVE-2017-11882, a memory-corruption vulnerability in the Equation Editor component of Microsoft Office that lets the attacker run arbitrary code as soon as the document is opened, with no further user interaction. Although Microsoft patched it in November 2017, attackers still rely on it because it works against any unpatched Office installation: the vulnerable component had been built in 2000 and shipped without modern exploit mitigations, which makes the exploit reliable across Windows versions and architectures.
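Because the exploit is delivered as an embedded OLE object handed to Equation Editor, an RTF lure for CVE-2017-11882 almost always names that component. The Python below is an example added here, not code from the article or from the actors it describes: it pulls every `\objdata` hex stream out of an RTF, tolerates the whitespace and stray control words attackers scatter through the hex, decodes it, and reports the Equation Editor class name or CLSID, plus the `\objupdate` control word that forces the object to load on open. The sample RTF, the `extract_objdata`/`triage_rtf` helpers and the zero-filled placeholder payload are all constructed for the example.

```python
"""Static triage of RTF files for embedded Equation Editor OLE objects.

Added example, not code from the original article or from the actors it
describes. CVE-2017-11882 is a stack buffer overflow in the Equation Editor
component (EQNEDT32.EXE); the RTF lure must embed an object that the OLE
loader hands to that component, so the class name 'Equation.3' (or its
CLSID 0002CE02-0000-0000-C000-000000000046) is a useful triage indicator,
though not by itself proof of exploitation. The sample RTF below is
constructed: a minimal OLE1 header naming the Equation.3 class, with the
native data replaced by zeros.
"""
import re
from typing import List

# CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk
# (first three fields little-endian, the remaining bytes in order).
EQUATION_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return the decoded bytes of every {\\*\\objdata ...} group.

    Attackers pad the hex with line breaks, spaces and stray control words,
    so control words are stripped first and then every non-hex byte is
    dropped before decoding. Heuristic: the group is assumed to end at the
    first closing brace, which holds for real-world lures but not for RTF
    with nested groups inside the object data.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata(.*?)\}", rtf, re.DOTALL):
        body = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", m.group(1))  # drop control words
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> List[str]:
    """Return human-readable indicators found in the RTF (empty list = none)."""
    hits = []
    if re.search(rb"\\objclass\s+Equation", rtf, re.IGNORECASE):
        hits.append("objclass names Equation Editor")
    if re.search(rb"\\objupdate\b", rtf):
        hits.append("objupdate forces the object to load when the document opens")
    for i, blob in enumerate(extract_objdata(rtf)):
        if re.search(rb"equation\.[23]", blob, re.IGNORECASE):
            hits.append(f"objdata[{i}] OLE1 class name is Equation.x")
        if EQUATION_CLSID in blob:
            hits.append(f"objdata[{i}] contains the Equation Editor CLSID")
    return hits


def _ole1_equation_object() -> str:
    """Hex of a minimal OLE1 embedded-object header naming class 'Equation.3'.
    Constructed for the example; the native data is zeros, not an exploit."""
    class_name = b"Equation.3\x00"
    ole1 = (
        (0x00000501).to_bytes(4, "little")          # OLE version (01 05 00 00)
        + (2).to_bytes(4, "little")                 # format id: embedded object
        + len(class_name).to_bytes(4, "little")
        + class_name
        + (0).to_bytes(4, "little")                 # topic name length
        + (0).to_bytes(4, "little")                 # item name length
        + (16).to_bytes(4, "little")                # native data length
        + b"\x00" * 16                              # placeholder payload
    )
    return ole1.hex()


_hex = _ole1_equation_object()
# Constructed lure: hex split across lines with a stray \par inside, as
# obfuscated samples often do.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    + r"{\*\objdata " + _hex[:20] + "\r\n" + _hex[20:40] + r"\par " + _hex[40:] + "}}"
    + r"\par Ambassador Yanchi Conversation with Nepali_Media}"
).encode("ascii")

BENIGN_RTF = rb"{\rtf1\ansi\par Hello, world.}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc) or "no indicators")
```

Treat a hit as a reason to detonate the file or take it apart with a full RTF and OLE parser, not as a verdict: legitimate documents that contain equations embed the same class, and the actual exploit lives in the object's native data, which this triage does not decode.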
When fully deployed, SideWind APT's tools can harvest a wide range of information and exfiltrate selected files to the group's Command-and-Control (C2, C&C) infrastructure. The collected data includes user account details, system information, running processes, CPU details, OS details, network details, installed anti-virus products, privileges, details of all connected drives, and installed applications. The data collector also lists all directories in four specific locations:
A Mobile Campaign is under Construction
SideWind APT also has an attack campaign in the works that targets users' mobile devices. Several applications have already been discovered, all of them unfinished. Some contained no malicious code yet but were designed to look as legitimate as possible. One such application, called 'OpinionPoll', poses as a survey app for gathering opinions on the Nepal-India political dispute. Others already had malicious capabilities implemented but still showed signs that more work is needed before they are complete.
This is not the first time SideWind APT has used mobile malware in its activities. Previously, the group was observed deploying malicious applications posing as file-manager or photography tools. Once a user installed them, the SideWind APT applications leveraged CVE-2019-2215 (a use-after-free in the Android Binder driver) and the MediaTek-SU vulnerability (CVE-2020-0069) to obtain root privileges on the compromised device.