Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]

ID: G0121
Associated Groups: T-APT-04, Rattlesnake
Contributors: Lacework Labs; Daniyal Naeem, BT Security
Version: 1.0
Created: 27 January 2021
Last Modified: 21 April 2021

Associated Group Descriptions

Name         Description
T-APT-04     [3]
Rattlesnake  [3]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sidewinder has used HTTP in C2 communications.[1][4][5]

Enterprise T1119 Automated Collection

Sidewinder has used tools to automatically collect system and network configuration information.[1]

Enterprise T1020 Automated Exfiltration

Sidewinder has configured tools to automatically send collected files to attacker-controlled servers.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sidewinder has added paths to executables in the Registry to establish persistence.[4][5][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sidewinder has used PowerShell to drop and execute malware loaders.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Sidewinder has used JavaScript to drop and execute malware loaders.[1][5]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sidewinder has used VBScript to drop and execute malware loaders.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[1]

Enterprise T1203 Exploitation for Client Execution

Sidewinder has exploited vulnerabilities to gain execution, including CVE-2017-11882 and CVE-2020-0674.[1][3]

Enterprise T1083 File and Directory Discovery

Sidewinder has used malware to collect information on files and directories.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Sidewinder has used DLL side-loading to drop and execute malicious payloads, including by hijacking the legitimate Windows application rekeywiz.exe.[1]

Enterprise T1105 Ingress Tool Transfer

Sidewinder has used LNK files to download remote files to the victim's network.[1][3]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.[4][5]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.[5]

Enterprise T1027 Obfuscated Files or Information

Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.[1][4][3]

Enterprise T1566 .002 Phishing: Spearphishing Link

Sidewinder has sent e-mails with malicious links often crafted for specific targets.[1][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.[1]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sidewinder has sent e-mails with malicious links to credential harvesting websites.[1]

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[1][4][3]

Enterprise T1057 Process Discovery

Sidewinder has used tools to identify running processes on the victim's machine.[1]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Sidewinder has used mshta.exe to execute malicious payloads.[4][5]

Enterprise T1518 Software Discovery

Sidewinder has used tools to enumerate software installed on an infected host.[1][4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Sidewinder has used the WMI namespace winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.[4]

Enterprise T1082 System Information Discovery

Sidewinder has used tools to collect the computer name, OS version, and installed hotfixes, as well as memory and processor information, from a compromised host.[1][5]

Enterprise T1016 System Network Configuration Discovery

Sidewinder has used malware to collect information on network interfaces, including the MAC address.[1]

Enterprise T1033 System Owner/User Discovery

Sidewinder has used tools to identify the user of a compromised host.[1]

Enterprise T1124 System Time Discovery

Sidewinder has used tools to obtain the current system time.[1]

Enterprise T1204 .002 User Execution: Malicious File

Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[1][4][5][3]

Enterprise T1204 .001 User Execution: Malicious Link

Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[1][4][5][3]

Software

ID: S0250
Name: Koadic
References: [1]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data from Local System, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Network Service Scanning, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Signed Binary Proxy Execution: Rundll32, Signed Binary Proxy Execution: Mshta, Signed Binary Proxy Execution: Regsvr32, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation

References