Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.
This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.
“The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors,” researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said.
SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.
The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore.
Earlier this February, Group-IB brought to light evidence that SideWinder may have targeted 61 government, military, law enforcement, and other organizations across Asia between June and November 2021.
More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.
The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information.
Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.
A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months.
Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University’s email system (mailtsinghua.sinacn[.]co).
Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov[.]org).
Further investigation into SideWinder’s infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.
The rogue Android app passes off as a “Ludo Game” and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.
Group-IB said the app also exhibits similarities with the fake Secure VPN app the company disclosed in June 2022 as being distributed to targets in Pakistan by means of a traffic direction system (TDS) called AntiBot.
In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organizations, as well as companies specializing in e-commerce and mass media in Pakistan and China.
“Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector,” the researchers said. “It is therefore important for organizations to deploy business email protection solutions that detonate malicious content.”