The SideWinder hacking group’s sophisticated cyber-espionage campaign intensified in 2024, targeting critical sectors such as maritime logistics, nuclear energy, and government institutions in multiple countries, including Djibouti, Egypt, Pakistan, India, Bangladesh, Indonesia, Myanmar, Nepal, the Philippines, Sri Lanka, the UAE, and Vietnam.
The group has also expanded into Africa, affecting Mozambique, Rwanda, and Algeria, while diplomatic entities in Afghanistan, Bulgaria, China, Saudi Arabia, Turkey, and Uganda have also come under attack.
According to researchers, SideWinder continuously refines its malware arsenal to bypass security detections. The group can modify its malicious tools within five hours of detection, changing malware file names, persistence mechanisms, and obfuscation techniques.

The latest campaigns use a revamped infection strategy, reinforcing SideWinder’s adaptability in evading cybersecurity defences.
The infection chain primarily relies on spear-phishing emails carrying malicious DOCX attachments. These documents exploit a longstanding vulnerability, CVE-2017-11882, via remote template injection, leading to the execution of an RTF exploit.
The exploit runs JavaScript code to download and deploy multiple malware components, culminating in the installation of SideWinder’s proprietary ‘Backdoor Loader’ and its ‘StealerBot’ post-exploitation toolkit.
The malware distribution has been observed in multiple document themes, including:
- Government policies and diplomatic affairs.
- Maritime logistics and port authorities.
- Nuclear power plant operations.
- Miscellaneous topics like vehicle rentals and job offers.
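The infection chain above starts with a DOCX whose settings point at a template hosted on an attacker server, which is how the RTF exploit for CVE-2017-11882 reaches the victim. The following added example, written for this page and not taken from the researchers' report or from any SideWinder sample, shows the check a mail gateway or triage script can run: open the DOCX as a ZIP, read `word/_rels/settings.xml.rels`, and report any `attachedTemplate` relationship whose target is an HTTP or HTTPS URL. The sample documents, the hostname `template-server.invalid` and the helper names are constructed for the demonstration.

```python
"""Flag DOCX files that load their template from a remote web server.

Added example: a benign document either has no settings relationships or
references a local template; an http(s) attachedTemplate target is the
remote-template-injection mechanism described in the article.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Namespace and relationship type used by Word for the attached template.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> list:
    """Return every attachedTemplate target fetched over http or https."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # nothing references an external template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and urlparse(target).scheme in ("http", "https")):
                hits.append(target)
    return hits


def _build_docx(settings_rels: Optional[str]) -> bytes:
    """Construct a minimal DOCX container (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if settings_rels is not None:
            zf.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


# Constructed sample: template pulled from a placeholder web host.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="http://template-server.invalid/lure.dotm" TargetMode="External"/>
</Relationships>"""

# Constructed sample: local template, which Word also marks External but
# which involves no network fetch.
LOCAL_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/user/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>"""

SUSPICIOUS_DOCX = _build_docx(SUSPICIOUS_RELS)
LOCAL_DOCX = _build_docx(LOCAL_RELS)
PLAIN_DOCX = _build_docx(None)

if __name__ == "__main__":
    for name, doc in [("suspicious", SUSPICIOUS_DOCX),
                      ("local", LOCAL_DOCX), ("plain", PLAIN_DOCX)]:
        print(name, remote_templates(doc))
```

The check deliberately keys on the URL scheme rather than on the presence of `TargetMode="External"`, because Word writes the latter for ordinary local templates too; blocking on it alone would generate false positives on clean documents.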

The investigation uncovered a range of newly crafted malware variants designed to evade detection. Recent updates include:
- An expanded set of loader file names, such as JetCfg.dll, policydmanager.dll, winmm.dll, and xmllite.dll.
- Control-flow flattening to obscure execution paths and hinder analysis.
- A C++ variant of the Backdoor Loader that omits the advanced anti-analysis techniques and is deployed manually on already compromised systems.
- Enhanced security-software detection, using WMI queries to identify installed antivirus products before executing payloads.
Researchers have urged organisations and individuals to update software regularly and apply security patches, train their employees to recognise phishing attempts, and deploy advanced threat detection solutions to identify and mitigate sophisticated attacks.