SideWinder APT's post-exploitation framework analysis
Essential information
- Published
- 15/10/2024 13:29
- Modified
- 15/10/2024 13:56
- Tags
- 2024-10-15 CVE-2017-11882 apt backdoor loader module espionage infrastructure moduleinstaller post-exploitation rtf exploit spear-phishing stealerbot
- Related entities
- 1 vulnerabilities (cve), 158 observables, 1 intrusion sets (apt), 21 techniques (mitre), 3 malware, 25 others
Description
SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed for espionage activities. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder's infrastructure uses numerous domains with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.