Recently, NSFOCUS Labs discovered that the South Asian APT organization SideWinder launched phishing attacks with documents used Pakistan National Day-related content as the bait. The domain name of command and control (C2) server was forged as a Pakistani government website. Since SideWinder ‘s targets include Pakistan and China, it has always been considered an APT group from India.
Attack activity analysis
The threat actor used RTF documents Pakistan National Day-related topic to lure the target to open it. The Pakistan National Day is on March 23 every year, just over a month left from now. The body is an invitation to participate in the celebration and prepare a patriotic speech.
However, the time mentioned in the text is 2021, which may be because the attacker were not careful enough in making the bait, and directly quoted the content of last year.
Instead of using powershell, the attacker used ActiveXObject and DotNetToJScript method to load. NET program, which is probably because of concern about detection of security software on the target hosts.
Command and control (C2) server
The domain name of C2 server used by the attacker contains the string mofa-gov-pk, directing to the website of the Ministry of Foreign Affairs of the Pakistan. Using the whitelist mechanism and the habit of people reading domain names from left to right, the attacker added a normal domain name after others and tried to escape detection by the multi-level domain name.
In recent years, border disputes between South Asian countries have continued, and APT attacks have occurred from time to time. Powershell has attracted much attention because of its convenient loading of .NET components, but Sidewinder uses DotNetToJScript instead of powershell, which requires defenders to pay more attention.
The Knowledge Graph of SideWinder
Associated IoCs detected using NSFOCUS Threat Intelligence (NTI)
MD 5 (section):