{
  "name": "SideWinder APT's post-exploitation framework analysis",
  "slug": "sidewinder-apts-post-exploitation-framework-analysis",
  "description": "The SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain that starts with spear-phishing emails carrying malicious attachments. A new post-exploitation toolkit called 'StealerBot', designed for espionage, has been discovered. The infection process involves remote template injection, RTF exploits, and malicious LNK files. SideWinder's infrastructure uses numerous domains, with subdomains mimicking legitimate organizations. Targets include government, military, logistics, infrastructure, telecommunications, financial institutions, universities, and oil trading companies across multiple countries.",
  "published": "2024-10-15T11:29:45+00:00",
  "created_at": "2024-10-15T11:29:45+00:00",
  "modified_at": "2024-10-15T11:56:25+00:00",
  "created_at_opencti": "2024-10-15T11:29:45+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-15",
    "CVE-2017-11882",
    "apt",
    "backdoor loader module",
    "espionage",
    "infrastructure",
    "moduleinstaller",
    "post-exploitation",
    "rtf exploit",
    "spear-phishing",
    "stealerbot"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://split.tyoin.biz/7n6at/g3mnr/1691394613799/f0f9e572"
      },
      {
        "id": "",
        "name": "https://pafgovt.com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E"
      },
      {
        "id": "",
        "name": "https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64"
      },
      {
        "id": "",
        "name": "https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr"
      },
      {
        "id": "",
        "name": "https://nasc.org.np/news/closing-ceremony-training-program-financial-management-and-audit-officials-nepal-oil"
      },
      {
        "id": "",
        "name": "https://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64"
      },
      {
        "id": "",
        "name": "https://mora.healththebest.com/8eee4f/mora/hta?q=0"
      },
      {
        "id": "",
        "name": "https://dynamic.nactagovpk.org/735e3a_download?data="
      },
      {
        "id": "",
        "name": "https://dynamic.nactagovpk.org/ef1c4f_download"
      },
      {
        "id": "",
        "name": "https://dynamic.nactagovpk.org/735e3a_download"
      },
      {
        "id": "",
        "name": "https://dynamic.nactagovpk.org/0df7b2_download"
      },
      {
        "id": "",
        "name": "https://dynamic.nactagovpk.org/27419a_download"
      },
      {
        "id": "",
        "name": "http://split.tyoin.biz/7n6at/g3mnr/1691394613799/f0f9e572"
      },
      {
        "id": "",
        "name": "http://sa.direct888.net/015094_consulategz\\"
      },
      {
        "id": "",
        "name": "http://pafgovt.com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E"
      },
      {
        "id": "",
        "name": "http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64"
      },
      {
        "id": "",
        "name": "http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr"
      },
      {
        "id": "",
        "name": "http://dynamic.nactagovpk.org/ef1c4f_download"
      },
      {
        "id": "",
        "name": "http://nventic.info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64"
      },
      {
        "id": "",
        "name": "http://dynamic.nactagovpk.org/735e3a_download?data="
      },
      {
        "id": "",
        "name": "http://dynamic.nactagovpk.org/27419a_download"
      },
      {
        "id": "",
        "name": "http://dynamic.nactagovpk.org/735e3a_download"
      },
      {
        "id": "",
        "name": "http://dynamic.nactagovpk.org/0df7b2_download"
      },
      {
        "id": "",
        "name": "split.tyoin.biz"
      },
      {
        "id": "",
        "name": "sa.direct888.net"
      },
      {
        "id": "",
        "name": "premier.moittpk.org"
      },
      {
        "id": "",
        "name": "portdjibouti.pmd-office.org"
      },
      {
        "id": "",
        "name": "portdedjibouti.shipping-policy.info"
      },
      {
        "id": "",
        "name": "nextgen.paknavy-govpk.net"
      },
      {
        "id": "",
        "name": "mora.healththebest.com"
      },
      {
        "id": "",
        "name": "mod-gov-bd.direct888.net"
      },
      {
        "id": "",
        "name": "mmcert-org-mm.donwloaded.com"
      },
      {
        "id": "",
        "name": "dynamic.nactagovpk.org"
      },
      {
        "id": "",
        "name": "widge.info"
      },
      {
        "id": "",
        "name": "updtesession.online"
      },
      {
        "id": "",
        "name": "update-govpk.co"
      },
      {
        "id": "",
        "name": "ujsen.net"
      },
      {
        "id": "",
        "name": "tumet.info"
      },
      {
        "id": "",
        "name": "tsinghua-edu.tech"
      },
      {
        "id": "",
        "name": "tex-ideas.info"
      },
      {
        "id": "",
        "name": "tazze.co"
      },
      {
        "id": "",
        "name": "support-update.info"
      },
      {
        "id": "",
        "name": "sjfu-edu.co"
      },
      {
        "id": "",
        "name": "shipping-policy.info"
      },
      {
        "id": "",
        "name": "scrabt.tech"
      },
      {
        "id": "",
        "name": "ptcl-net.com"
      },
      {
        "id": "",
        "name": "portdedjibouti.com"
      },
      {
        "id": "",
        "name": "pmd-office.org"
      },
      {
        "id": "",
        "name": "pmd-office.live"
      },
      {
        "id": "",
        "name": "pmd-office.com"
      },
      {
        "id": "",
        "name": "pdfrdr-update.info"
      },
      {
        "id": "",
        "name": "pdfrdr-update.com"
      },
      {
        "id": "",
        "name": "paknavy-govpk.info"
      },
      {
        "id": "",
        "name": "pafgovt.com"
      },
      {
        "id": "",
        "name": "office-drive.live"
      },
      {
        "id": "",
        "name": "nventic.info"
      },
      {
        "id": "",
        "name": "numzy.net"
      },
      {
        "id": "",
        "name": "ntcpk.net"
      },
      {
        "id": "",
        "name": "ntcpak.org"
      },
      {
        "id": "",
        "name": "ntcpak.live"
      },
      {
        "id": "",
        "name": "nopler.live"
      },
      {
        "id": "",
        "name": "newmofa.com"
      },
      {
        "id": "",
        "name": "nasc.org.np"
      },
      {
        "id": "",
        "name": "navy-mil.co"
      },
      {
        "id": "",
        "name": "nactagovpk.org"
      },
      {
        "id": "",
        "name": "mshealthcheck.live"
      },
      {
        "id": "",
        "name": "moittpk.net"
      },
      {
        "id": "",
        "name": "mofa.email"
      },
      {
        "id": "",
        "name": "mofagovs.org"
      },
      {
        "id": "",
        "name": "mod-gov-pk.live"
      },
      {
        "id": "",
        "name": "mitlec.site"
      },
      {
        "id": "",
        "name": "mmcert.org.mm"
      },
      {
        "id": "",
        "name": "mfas.pro"
      },
      {
        "id": "",
        "name": "mfagov.org"
      },
      {
        "id": "",
        "name": "mfa-gov.info"
      },
      {
        "id": "",
        "name": "lforvk.com"
      },
      {
        "id": "",
        "name": "mfa-gov.net"
      },
      {
        "id": "",
        "name": "kretic.info"
      },
      {
        "id": "",
        "name": "kernet.info"
      },
      {
        "id": "",
        "name": "jmicc.xyz"
      },
      {
        "id": "",
        "name": "healththebest.com"
      },
      {
        "id": "",
        "name": "grouit.tech"
      },
      {
        "id": "",
        "name": "gtrec.info"
      },
      {
        "id": "",
        "name": "govpk.net"
      },
      {
        "id": "",
        "name": "gov-govpk.info"
      },
      {
        "id": "",
        "name": "fia-gov.com"
      },
      {
        "id": "",
        "name": "e1ix.mov"
      },
      {
        "id": "",
        "name": "dytt88.org"
      },
      {
        "id": "",
        "name": "downloadabledocx.com"
      },
      {
        "id": "",
        "name": "dowmload.net"
      },
      {
        "id": "",
        "name": "donwloaded.net"
      },
      {
        "id": "",
        "name": "donwload-file.com"
      },
      {
        "id": "",
        "name": "donwloaded.com"
      },
      {
        "id": "",
        "name": "directt888.com"
      },
      {
        "id": "",
        "name": "direct888.net"
      },
      {
        "id": "",
        "name": "direct88.co"
      },
      {
        "id": "",
        "name": "dirctt88.net"
      },
      {
        "id": "",
        "name": "dinfed.co"
      },
      {
        "id": "",
        "name": "dirctt88.co"
      },
      {
        "id": "",
        "name": "dgps-govpk.com"
      },
      {
        "id": "",
        "name": "dgps-govpk.co"
      },
      {
        "id": "",
        "name": "detru.info"
      },
      {
        "id": "",
        "name": "defpak.org"
      },
      {
        "id": "",
        "name": "decoty.tech"
      },
      {
        "id": "",
        "name": "condet.org"
      },
      {
        "id": "",
        "name": "conft.live"
      },
      {
        "id": "",
        "name": "colot.info"
      },
      {
        "id": "",
        "name": "cnsa-gov.org"
      },
      {
        "id": "",
        "name": "bol-south.org"
      },
      {
        "id": "",
        "name": "asyn.info"
      },
      {
        "id": "",
        "name": "aliyum.tech"
      },
      {
        "id": "",
        "name": "alit.live"
      },
      {
        "id": "",
        "name": "163inc.com"
      },
      {
        "id": "",
        "name": "126-com.live"
      },
      {
        "id": "",
        "name": "opmcm-gov-np.fia-gov.net"
      },
      {
        "id": "",
        "name": "navy-lk.direct888.net"
      },
      {
        "id": "",
        "name": "mofa-gov-sa.direct888.net"
      },
      {
        "id": "",
        "name": "cabinet-division-pk.fia-gov.com"
      },
      {
        "id": "",
        "name": "tni-mil.com"
      },
      {
        "id": "",
        "name": "paknavy-govpk.net"
      },
      {
        "id": "",
        "name": "paknavy-gov.org"
      },
      {
        "id": "",
        "name": "numpy.info"
      },
      {
        "id": "",
        "name": "ntcpk.info"
      },
      {
        "id": "",
        "name": "newoutlook.live"
      },
      {
        "id": "",
        "name": "moittpk.org"
      },
      {
        "id": "",
        "name": "mfacom.org"
      },
      {
        "id": "",
        "name": "mfa-govt.net"
      },
      {
        "id": "",
        "name": "govpk.info"
      },
      {
        "id": "",
        "name": "fia-gov.net"
      },
      {
        "id": "",
        "name": "dynat.tech"
      },
      {
        "id": "",
        "name": "download-file.net"
      },
      {
        "id": "",
        "name": "defenec.net"
      },
      {
        "id": "",
        "name": "dafpak.org"
      },
      {
        "id": "",
        "name": "comptes.tech"
      },
      {
        "id": "",
        "name": "ausibedu.org"
      },
      {
        "id": "",
        "name": "aliyumm.tech"
      },
      {
        "id": "",
        "name": "afmat.tech"
      },
      {
        "id": "",
        "name": "downld.net"
      },
      {
        "id": "",
        "name": "srilanka-navy.lforvk.com"
      },
      {
        "id": "",
        "name": "e858d6d5e93f768e0cb9271a6e9a841086a14ff7abe3ee51d5f69f9a6c325028"
      },
      {
        "id": "",
        "name": "be271f5e1c588e8f46c988bdae35cef90b0621c42e4195bec5e456d167097f0d"
      },
      {
        "id": "",
        "name": "922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6"
      },
      {
        "id": "",
        "name": "8d4b11acce641ec5b33b3fc90ec82a2fcdf2e243cb33558e16d7321488a2c70b"
      },
      {
        "id": "",
        "name": "8780e03bbbe833f797509f9ca0b3fd37eb84b63299a88723c82d9518c56bd5a7"
      },
      {
        "id": "",
        "name": "2a183e571fa26a7f74943c42d3997c6b18ed133ee4b749fb1770ffadd7241f1e"
      },
      {
        "id": "",
        "name": "e21396bf5f9936310b4f53273db330a9620d78c1c744277b0e9126f0afdbc29d"
      },
      {
        "id": "",
        "name": "e1ae44d26899969d520789e23c777d6c07785da23454664ad12b2783946a617c"
      },
      {
        "id": "",
        "name": "b565bd60e9182746de76feeebe7f85902e22ee3a22d5d55a278be7340923806e"
      },
      {
        "id": "",
        "name": "a11fab6de2c5111833e9e4a6f69ce5dded17085a3d8ae21c7fcfa00d7e113c9b"
      },
      {
        "id": "",
        "name": "9d02bf092fdcf44a51ae6e264ec3e3e57afbe79622c92a797e33fb62ed495cda"
      },
      {
        "id": "",
        "name": "9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a"
      },
      {
        "id": "",
        "name": "931aee9ba0e51804cb354a3a41830721e41a0fab6758aa19a43eaf1abe621b4d"
      },
      {
        "id": "",
        "name": "89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e"
      },
      {
        "id": "",
        "name": "613068422c214b944c7b2e3fb60412ed99d35c9e18d53d45b16965c5a36f734a"
      },
      {
        "id": "",
        "name": "55a0bbde3e32c559715cdc9c7d30d003b9e14725a6369d30edef20c1ed6dd994"
      },
      {
        "id": "",
        "name": "1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323"
      },
      {
        "id": "",
        "name": "170ccf1225154fa0cd92a14219f0b912479cc4095203646c38a31bb78baafe9f"
      },
      {
        "id": "",
        "name": "15ce7d3c879975ca81777cf58f47409283e34ec1fe8e966fde608bc7eda16646"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:3be4d1a57dbff1d3",
        "name": "ModuleInstaller",
        "slug": "moduleinstaller"
      },
      {
        "id": "legacy:malware:8bae47bc40cc5bc5",
        "name": "StealerBot",
        "slug": "stealerbot"
      },
      {
        "id": "legacy:malware:0c25b1d342e3bf7f",
        "name": "Backdoor loader module",
        "slug": "backdoor-loader-module"
      }
    ],
    "intrusion_sets": [
      {
        "id": "30cbcbf2-21bc-489d-8705-845e05a87de5",
        "name": "SideWinder",
        "slug": "sidewinder"
      }
    ],
    "attack_patterns": [
      {
        "id": "1f2ce0cc-430c-4317-a332-83a27cbad1d3",
        "name": "T1548"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2017-11882"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Djibouti"
      },
      {
        "id": "",
        "name": "Maldives"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Afghanistan"
      },
      {
        "id": "",
        "name": "Myanmar"
      },
      {
        "id": "",
        "name": "Sri Lanka"
      },
      {
        "id": "",
        "name": "Nepal"
      },
      {
        "id": "",
        "name": "Bangladesh"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Saudi Arabia"
      },
      {
        "id": "",
        "name": "Jordan"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "United Arab Emirates"
      },
      {
        "id": "",
        "name": "Malaysia"
      },
      {
        "id": "",
        "name": "Indonesia"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Morocco"
      },
      {
        "id": "",
        "name": "Pakistan"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/sidewinder-apt/114089/",
    "https://otx.alienvault.com/pulse/670e6e494fe60ad092f1f174"
  ]
}