July 30, 2024 at 10:00AM
BlackBerry reports that a threat actor, known as SideWinder, has been targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The actor has been active since 2012, primarily targeting government, military, and businesses in various countries for cyberespionage. The attacks rely on spear-phishing emails and malicious documents to implant malware and execute further stages of the attack. The campaign’s goal is espionage and intelligence gathering.
The group behind the activity is an India-aligned nation-state threat actor tracked as SideWinder, Rattlesnake, and Razor Tiger. It has been active since at least 2012 and mainly targets government, military, and business organizations in Pakistan, Afghanistan, China, and Nepal for cyberespionage.
Recent attacks have shown the group updating its infrastructure and adopting new tactics to target entities in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. The attacks involved the use of malicious documents delivered via spear-phishing emails and relied on DLL side-loading to implant malware.
The threat actor used visual decoys to keep victims from realizing they were being compromised: the malicious documents were tailored to appear as if they originated from known organizations such as the Port of Alexandria in the Mediterranean Sea and the Port Authority of the Red Sea.
Furthermore, the group exploited known vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) to fetch and execute a series of shellcode and JavaScript code from remote servers. BlackBerry’s analysis revealed that the threat actor has been using an old Tor node for the second-stage command-and-control (C&C) server.
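The documents described above fetch their next stage from a remote server, and in Office Open XML files that fetch is expressed as a relationship whose TargetMode is "External" (the mechanism behind CVE-2017-0199-style linked OLE objects and remote-template lures). The triage heuristic below is an added example, not code from BlackBerry's report; it builds a constructed sample .docx in memory with a placeholder target and scans every .rels part for external relationships, marking oleObject and attachedTemplate links as high risk.

```python
"""Triage heuristic for Office Open XML documents: list relationships that
point outside the package. Added example with a constructed fixture; the
URL and file names are placeholders, not indicators from the report."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Office resolves on open; an external target here is the
# shape CVE-2017-0199-style OLE links and remote-template lures take.
HIGH_RISK_TYPES = ("oleObject", "attachedTemplate")


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship with TargetMode="External" in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "high_risk": rel_type in HIGH_RISK_TYPES,
                })
    return findings


def build_sample_docx(ole_target: str = "") -> bytes:
    """Construct a minimal .docx (constructed fixture, not a real lure).
    When ole_target is set, document.xml.rels carries an external oleObject link."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>']
    if ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    doc_rels = f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()
```

A clean document yields an empty list; the fixture with an external oleObject link yields one high-risk finding naming the part and target, which is the signal to quarantine the attachment for deeper analysis.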
The goal of this campaign is espionage and intelligence gathering, consistent with the group’s prior campaigns. Documenting the tactics and techniques these actors employ allows defenders to prepare for and detect their activity.