Sidewinder APT group's sophisticated threat landscape reveals a skilled and persistent threat targeting the Nepalese Government entities.
Their focus extends to South Asian governments, with researchers also identifying a recent complex attack on Bhutan.
Cybersecurity researchers at Cyfirma recently identified that the operators of the Sidewinder hacker group are actively using weaponized documents to deliver backdoors.
Using decoy documents resembling Nepalese Prime Minister's Office communications, the group employs advanced tactics like email spear-phishing and malicious macros.
Spear-phished email delivers a malicious document, triggering an embedded macro upon opening.
The victim is manipulated as the document prompts them to enable editing.
The deceptive content hints at targeting Nepalese government officials.
The document's embedded macro, part of a multi-stage attack, establishes persistence and executes payloads.
The opening of the document triggers the macro and creates a VBScript file for persistence.
It introduces delays and checks internet connectivity before executing encoded batch files.
The batch script directs the execution of VBScript and other batch files, creating scheduled tasks and self-deleting files.
Functions like read shell write binary data to a file, while hide cons hide the console window.
The vb chain function coordinates various actions, including creating and executing scripts and scheduling tasks to establish a chain of events on the infected system.
The following batch file executes scripts, creates tasks, and handles cleanup:-.
The macro exhibits advanced evasion with obfuscation by leveraging the following elements:-.
Its multi-stage execution makes the complete analysis more challenging and complex.
Enabling macros triggers the deployment of scripts and the Nim backdoor-like conhost.
The reverse shell sample enables threat actor access through a reverse shell, providing control over the compromised system.
Khalesi obstructs dynamic analysis, detecting and exiting if tools are found.
The binary targets various monitoring and analysis tools.
This Cyber News was published on gbhackers.com. Publication date: Tue, 19 Dec 2023 15:13:05 +0000