Islamabad: SideWinder, also known as T-APT-04 or RattleSnake, is one of the most prolific APT groups that started operations in 2012. Over the years, it has primarily targeted military and government entities in Pakistan, Sri Lanka, China, and Nepal, as well as other sectors and countries in South and Southeast Asia. Targets include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies.
Recently, the Kaspersky Global Research and Analysis Team (GReAT) has detected that the SideWinder APT group is expanding its attack operations into the Middle East and Africa, utilizing a previously unknown espionage toolkit called ‘StealerBot’. Kaspersky discovered that recent campaigns were targeting high-profile entities and strategic infrastructures in these regions, while the campaign in general remains active and may target other victims.
Besides the geographical expansion, Kaspersky discovered that SideWinder is using a previously unknown post-exploitation toolkit called ‘StealerBot’. This is an advanced modular implant designed specifically for espionage activities. During its latest investigation, Kaspersky observed that StealerBot is performing a range of malicious activities, such as installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, intercepting RDP (Remote Desktop Protocol) credentials, exfiltrating files, and more.
“In essence, StealerBot is a stealthy espionage tool that allows threat actors to spy on systems while avoiding easy detection. It operates through a modular structure, with each component designed to perform a specific function. Notably, these modules never appear as files on the system’s hard drive, making them difficult to trace. Instead, they are loaded directly into the memory., says Giampaolo Dedola, lead security researcher at Kaspersky’s GReAT.
Kaspersky first reported on the group’s activities in 2018. This actor is known to rely on spear-phishing emails as its main infection method, containing malicious documents exploiting Office vulnerabilities and occasionally making use of LNK, HTML and HTA files that are contained in archives. The documents often contain information obtained from public websites, which is used to lure the victim into opening the file and believing it to be legitimate. Kaspersky observed several malware families being used within parallel campaigns, including both custom-made and modified, publicly available RATs.
To mitigate threats related to APT activities, Kaspersky experts recommend equipping your organization’s information security experts with the latest insights and technical details, such as from Kaspersky Threat Intelligence Portal. Use robust solutions for endpoints and to detect advanced threats on the network, such as Kaspersky Next and Kaspersky Anti Targeted Attack Platform. Educate employees to recognize cybersecurity threats such as phishing letters.