Summary
The Arctic Wolf® Labs team has been actively tracking and monitoring the SideWinder advanced persistent threat (APT) group, which has led to the discovery of their latest campaign targeting Pakistan government organizations.
In this campaign, the SideWinder APT group used a server-based polymorphism technique to deliver the next stage payload.
Brief MITRE ATT&CK® Information
Tactic | Technique |
Execution | T1204.002, T1059.007, T1203, T1047 |
Defense Evasion | T1480, T1221, T1027, T1140 |
Command and Control | T1105, T1071.001 |
Discovery | T1518.001 |
Weaponization and Technical Overview
Weapons | Obfuscated JavaScript, PE executable |
Attack Vector | Weaponized document used for targeted attack |
Network Infrastructure | DDNS |
Targets | Pakistan Government organizations |
Technical Analysis
Context
The SideWinder APT group, also known as Razor Tiger, Rattlesnake, and T-APT-04, has been actively targeting Pakistan government organizations since at least 2012.
One of the oldest nation-state threat actors, SideWinder is believed to originate from India. The group has been observed targeting military, government, and business entities, with a particular focus on Pakistan, Afghanistan, China, and Nepal. SideWinder primarily relies on email spear-phishing, document exploitation, and DLL side-loading to avoid detection and deliver targeted implants.
Through our threat hunting efforts, the Arctic Wolf Labs team discovered a new malware campaign by the SideWinder group. This campaign utilized a server-side polymorphism technique. The use of this technique allows the threat actor to potentially bypass traditional signature-based antivirus (AV) detection to deliver the next stage payload.
Attack Vector
MD5 | 666b2b178ce52e30be9e69de93cc60a9 |
SHA-256 | cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be |
File Name | GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx |
File Size | 12.81 KB (13115 bytes) |
Created | 2022-11-30 04:52:00 UTC |
Author | Windows User |
Last Modified | 2022-11-30T05:44:00Z |
Last Modified By | Windows User |
What is Server-Side Polymorphism?
Server-side polymorphism is a technique used by threat actors and other distributors of malware to attempt to evade detection by antivirus scanners. Polymorphic (literally “many shapes”) malware is malicious code that alters its appearance through encryption and obfuscation, making sure that no two samples look the same. Although futuristic-sounding, it’s actually an older technique that has been used by threat actors since the early 1990s.
Signature-based (legacy) AV software struggles to catch this type of malware because the code that produces each new variant runs on the attacker's server and is never delivered to the endpoint, so it is not available for security analysis.
Campaign Analysis
The SideWinder APT group’s new campaign leveraging server-side polymorphism to deliver the next stage payload began in late November 2022. The malicious documents used in this campaign were created to target Pakistan government officials. The documents were designed to trick Pakistan officials by displaying convincing content relevant to their interests.
During the investigation, the Arctic Wolf Labs team analyzed the documents used by the threat group to identify the various artifacts used in this campaign and to locate other files of interest. The first malicious lure we examined was a document titled GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).
Figure 1: Malicious (fake) lure document targeting Pakistan officials.
MD5 | 3b853ae547346befe5f3d06290635cf6 |
SHA-256 | bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f |
File Name | PK_P_GAA_A1_Offerred.docx |
File Size | 36.35 KB (37220 bytes) |
Created | 2022-12-06 05:24:37 UTC |
Author | Windows User |
Last Modified | 2022-12-06T05:24:37Z |
Last Modified By | Windows User |
Another malicious document, used in early December 2022, was titled PK_P_GAA_A1_Offerred.docx. This document was eight pages long and posed as a letter of offer and acceptance “for the purchase of defense articles, defense services, or both.”
Figure 2: First malicious lure sent by the SideWinder APT group.
Notably, none of the documents used embedded malicious macro code to deliver the next stage payload; instead, the threat group exploited CVE-2017-0199 (remote template injection).
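A defender can spot this remote-template hook before the document is ever opened by inspecting the relationship that drives it. The Python below is an added example, not tooling from the report: it builds a constructed minimal .docx in memory, then checks word/_rels/settings.xml.rels for an attachedTemplate relationship marked TargetMode="External" whose target is an HTTP(S) URL. The host template.example.invalid is a placeholder, not an observed indicator.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an
# attached template (the part a CVE-2017-0199 lure points at a remote URL).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship marked
    TargetMode="External". A benign document either has no such relationship
    or points at a local .dotx/.dotm, which is not marked External."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return []
        root = ET.fromstring(archive.read(SETTINGS_RELS))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External"
    ]


def is_remote_template_lure(docx_bytes: bytes) -> bool:
    """True when an external attached template is fetched over HTTP(S),
    which is the remote template injection pattern described above."""
    return any(re.match(r"https?://", t, re.I)
               for t in find_external_templates(docx_bytes))


def build_docx(template_target=None, external=True) -> bytes:
    """Build a minimal, constructed .docx containing only the parts this check
    reads. It is not a real lure: nothing is fetched and no template is embedded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            archive.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                f'Target="{template_target}"{mode}/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the real lures pointed at the file.rtf addresses above.
    sample = build_docx("https://template.example.invalid/files-placeholder/file.rtf")
    print(find_external_templates(sample), is_remote_template_lure(sample))
    print(is_remote_template_lure(build_docx("Normal.dotm", external=False)))
```

The check reads only the relationship part, so it works on mail-gateway or sandbox copies without rendering the document; any External target with a network scheme is worth quarantining for review, since legitimate attached templates are local or on a known file share.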
The GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).doc malicious lure template was instructed to reach out to the remote address of hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf. The pnwc[.]bol-north[.]com domain in this instance resolves to the IP address 5.230.73[.]106.
Figure 3: The URL for the next stage download.
The PK_P_GAA_A1_Offerred.docx malicious lure template was instructed to reach out to the remote address of hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf to download the next stage. The paknavy-gov-pk[.]downld[.]net domain resolves to the IP address 185.205.187[.]234.
Figure 4: URL for next stage download.
While the malicious server was active, the threat group had configured it so that a user or victim who entered only part of the malicious URL into their browser was redirected to the legitimate Pakistan Navy home page, hxxps[:]//www[.]paknavy[.]gov[.]pk. It is important to note that the malicious server is no longer active.
Figure 5: Legitimate Pakistan Navy website. The victim is redirected to this site from a malicious page.
In early March, we discovered a new document that was also distributed through phishing emails. What set this OLE document apart was that the malicious server address it contained was also configured to serve victims connecting from Turkey.
MD5 | b7e63b7247be18cdfb36c1f3200c1dba |
SHA-256 | 8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad |
File Name | Product.docx |
File Size | 579.69 KB (593604 bytes) |
Created | 2023-03-07 13:54:00 UTC |
Author | user |
Last Modified | 2023-03-07T13:56:00Z |
Last Modified By | user |
Weaponization
The next stage payload, file.rtf (a Rich Text Format document), can only be downloaded from IP addresses in the Pakistani range. In both instances only the file name (file.rtf) and the file type were the same; the contents, file size and file hash differed. This is an example of server-side polymorphism: each time the server responds with a different version of the file, thereby bypassing the victim’s antivirus scanner (assuming the antivirus relies on signature-based detection).
If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) containing the single string {\rtf1 }. If the user is within the Pakistani IP range, the server instead returns the malicious RTF payload, which varies between 406 KB and 414 KB in size.
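Because the file name stays constant while the bytes change, a hash-based indicator is good for exactly one fetch. The Python below is an added example, not analysis code from the report: it triages a set of file.rtf response bodies, separating the 8-byte decoy from full RTF payloads and counting embedded \object groups, then reports how many distinct hashes the set contains against how many responses share the structural trait. The variant payloads are constructed stand-ins (junk-padded RTF around a placeholder object) and carry no real object data.

```python
import hashlib
import re

# The 8-byte response served to addresses outside the Pakistani IP range.
DECOY = b"{\\rtf1 }"

# One match per embedded-object group in an RTF stream.
OBJECT_RE = re.compile(rb"\\object\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_rtf(data: bytes) -> dict:
    """Triage one file.rtf response body: kind, size, hash and the number of
    \\object groups. Kinds: not-rtf, decoy, rtf, rtf-with-object."""
    result = {"size": len(data), "sha256": sha256_hex(data), "objects": 0}
    if not data.startswith(b"{\\rtf"):
        result["kind"] = "not-rtf"
    elif data.rstrip(b"\r\n") == DECOY:
        result["kind"] = "decoy"
    else:
        result["objects"] = len(OBJECT_RE.findall(data))
        result["kind"] = "rtf-with-object" if result["objects"] else "rtf"
    return result


def triage_fetches(bodies) -> dict:
    """Summarise repeated fetches of the same URL. A growing distinct_hashes
    count with a stable with_object count is the polymorphism signature:
    hash blocklists lag, a structural check does not."""
    results = [classify_rtf(b) for b in bodies]
    return {
        "fetches": len(results),
        "distinct_hashes": len({r["sha256"] for r in results}),
        "decoys": sum(r["kind"] == "decoy" for r in results),
        "with_object": sum(r["kind"] == "rtf-with-object" for r in results),
    }


def make_variant(seed: int) -> bytes:
    """Constructed stand-in for one polymorphic payload: the same object
    wrapper padded with seed-dependent junk groups so bytes and hash differ
    per fetch. The object class and data are placeholders, not a real payload."""
    junk = b"".join(b"{\\*\\pad%d}" % (seed * 7919 + i) for i in range(3 + seed % 5))
    return (b"{\\rtf1\\ansi" + junk +
            b"{\\object\\objemb{\\*\\objclass PLACEHOLDER}{\\*\\objdata 00000000}}"
            b"\\par }")


if __name__ == "__main__":
    fetches = [DECOY, make_variant(1), make_variant(2), make_variant(3)]
    for body in fetches:
        r = classify_rtf(body)
        print(r["kind"], r["size"], r["objects"], r["sha256"][:16])
    print(triage_fetches(fetches))
```

In practice the structural rule would be paired with the size band the report gives (406 KB to 414 KB for the real payload against 8 bytes for the decoy) and with the URL shape, rather than with any single hash from the IoC list.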
Figure 6: file.rtf payload.
Loader
After listing the objects embedded in the file.rtf obtained from the paknavy-gov-pk[.]downld[.]net domain, we extracted the 1.a object for further analysis.
Figure 7: 1.a object overview.
During the malware execution chain, this object is written to C:\Users\user\AppData\Local\Temp\1.a on the victim’s machine. The 1.a file is obfuscated JavaScript.
Figure 8: De-obfuscated strings (Click to enlarge).
Two things stand out from our analysis: a base64-encoded data blob and two URLs. The base64 blob decodes to a Win32 DLL (App.dll), and the two URLs are used for further communication with the threat actor.
Figure 9: URLs used for further communications with SideWinder.
Agent
The previously mentioned base64 encoded data blob is a .NET compiled Win32 DLL called App.dll.
MD5 | 8934f22ed2d4390f2e6170e4cfdbd483 |
SHA-256 | 8b718a15f76768ba29849a5f4a6ca0ff1d9c8ba7bcdc9d89efc792fe20e9fdb5 |
ITW File Name | App.dll |
Compilation Stamp | Fri Nov 16 02:26:21 2074 |
File Type/Signature | DLL |
File Size | 139339 (bytes) |
Compiler Name/Version | Microsoft Visual C# / Basic .NET |
To further avoid static signature-based detection, the App.dll file is obfuscated in the same way as the majority of other files and scripts uncovered in this campaign.
Figure 10: App.dll file.
The App.dll file is launched by earlier stage JavaScript code. The JavaScript deserializes the .NET binary and passes a URL to the executable’s “Work()” function. This function makes a request to the URL and attempts to decrypt and then execute the response. In other words, the .NET executable can retrieve the next stage code and execute it.
Network Infrastructure
SideWinder’s campaign command-and-control (C2) infrastructure is only live for short periods of time. Responses served to non-Pakistani IP addresses by the systems hosting the RTF files have been identical since at least January 2021: an 8-byte file containing {\rtf1 }. Following the relationships in VirusTotal shows the distribution infrastructure and the longevity of similar campaigns: 28 domains have been seen in the wild hosting this empty RTF file, all using similar hosting URLs.
For these campaigns, SideWinder also uses predictable URL structures when hosting their malicious files:
- First stage – */2/0/0/*/files-*/ (hta|file.rtf)
- Second stage – */3/1/1/*/files-*/
The longevity of these tactics, techniques, and procedures (TTPs) – nearly two years – gives us confidence that they can be utilized for the detection of future campaigns.
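The two URL shapes above can be turned directly into a proxy-log check. The Python below is an added example, not the report's own detection logic: it encodes each stage pattern as a regular expression (every `*` in the report is treated as one or more path segments), refangs the report's hxxp/hxxt and [.] notation so the IoC list can be fed in as test input, and runs the check over a few constructed proxy log lines. The hosts in the sample log are placeholders; the first-stage path is the one reported above, and the second-stage path is an assumed instance of the `*/3/1/1/*/files-*/` shape.

```python
import re

# Stage-specific URL shapes from the report, as regular expressions.
STAGE_PATTERNS = {
    "first-stage": re.compile(
        r"/2/0/0/(?:[^/]+/)+files-[^/]+/(?:file\.rtf|[^/]+\.hta)$"),
    "second-stage": re.compile(r"/3/1/1/(?:[^/]+/)+files-[^/]+/"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[:]//host[.]tld, hxxts[:]//...) back
    into a URL. Any hxx... scheme ending in 's' becomes https, otherwise http."""
    url = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxx\w*(?=://)",
                  lambda m: "https" if m.group(0).endswith("s") else "http",
                  url)


def classify_url(url: str):
    """Return 'first-stage', 'second-stage' or None for one URL."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url)
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(path):
            return stage
    return None


# Constructed proxy log lines (not real telemetry) in a simple
# "timestamp client method url status bytes" layout.
SAMPLE_LOG = """\
2022-12-06T05:30:12Z 10.1.2.3 GET https://updates.example/catalog/2/0/index.html 200 4112
2022-12-06T05:30:40Z 10.1.2.3 GET https://lure.example/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file.rtf 200 413000
2022-12-06T05:31:02Z 10.1.2.3 GET https://lure.example/14578/1/6277/3/1/1/0/m/files-9ab3c0de/ 200 139339
2022-12-06T05:32:15Z 10.1.2.9 GET https://cdn.example/files-2d21c32e/style.css 200 880
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$")


def scan_proxy_log(text: str) -> list:
    """Return (timestamp, client, stage, url) for every line whose URL matches
    a stage pattern; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        stage = classify_url(m["url"])
        if stage:
            hits.append((m["ts"], m["client"], stage, m["url"]))
    return hits


if __name__ == "__main__":
    # The report's own indicator, refanged, should classify as first stage.
    ioc = "hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf"
    print(classify_url(refang(ioc)))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

A first-stage hit followed within minutes by a second-stage hit from the same client is the sequence worth alerting on; the patterns key on path structure only, so they keep working when the actor rotates domains, which the IoC list shows it does frequently.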
In mid-March 2023, we discovered a newly configured server delivering the payload. This server differed in that it was configured so that a victim in Turkey could receive a second-stage payload, which shows that this threat actor is now also targeting organizations in Turkey.
Targets
The SideWinder APT group’s primary targets are in Southeast Asia regions such as Pakistan and Sri Lanka; however, government institutions in Pakistan still remain their main target of interest. The campaign investigated by Arctic Wolf in early March 2023 identified Turkey as a new target.
Conclusions
This report discussed the SideWinder group’s targeted attack carried out in early December 2022. The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey’s support of Pakistan and the ensuing reaction from India.
The Arctic Wolf Labs team is actively monitoring this threat group’s tooling and malicious files. All the files and network artifacts we identified in this campaign have been listed in the Appendix below for the benefit of defenders and cybersecurity professionals. We hope this data will help provide protection and prevention measures going forward.
APPENDIX
Indicators of Compromise (IOCs)
Indicator Type | Indicator |
MD5 | b7e63b7247be18cdfb36c1f3200c1dba |
SHA-256 | 8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad |
MD5 | 5efddbdcf40ba01f1571140bad72dccb |
SHA-256 | a45258389a3c0d4615f3414472c390a0aabe77315663398ebdea270b59b82a5c |
MD5 | 3b853ae547346befe5f3d06290635cf6 |
SHA-256 | bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f |
MD5 | 666b2b178ce52e30be9e69de93cc60a9 |
SHA-256 | cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be |
MD5 | ef00004a1ebc262ffe0fb89aa5524d42 |
SHA-256 | a3283520e04d7343ce9884948c5d23423499fa61cee332a006db73e2b98d08c3 |
MD5 | 6c7d24b90f3c6b4383bd7d08374a0c6f |
SHA-256 | 4db0a2d4d011f43952615ece8734ca4fc889e7ec958acd803a6c68b3e0f94eea |
MD5 | 73750f08265bbe80c3f235318bcef6fe |
SHA-256 | bc3c6f9d51e2bdb37e03b01e2949f72836ecee4230e2320c5dc33a83b55b062f |
MD5 | 16341fcff1bc7388387fd17b4b3a7a50 |
SHA-256 | cf1f4ec1d7db6cf1fe8e15687b348a279889689fa9c387de4a2c310c34336f9f |
MD5 | 1c62441de076eb5a5b2e1f8146767777 |
SHA-256 | 75079e408ca9517825ffac396680a2d2169d691be3f1adbbd797e05e665c6fde |
MD5 | dacdb33b6e9de4c1fe8591bb5a65c55c |
SHA-256 | cde768a4cf95e58f0e98e2bcca0663fd2c1a36510f6010065b4f54169a92e207 |
MD5 | 709e6a64735432c25cafb89951cc149c |
SHA-256 | a2a9fd1db7f1dc196fa8af0669ea72d1f8ae48bf4775108ee746e0f83c5a7498 |
URL | hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf |
URL | hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf |
IP | 185.205.187[.]234 |
IP | 5.230.73[.]106 |
URL | hxxps[:]//cstc-spares-vip-163[.]dowmload[.]net/14668/1/1228/2/0/0/0/m/files-403a1120/file[.]rtf |
URL | hxxps[:]//mtss[.]bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file[.]rtf |
URL | hxxps[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf |
URL | hxxts[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf |
URL | hxxts[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf |
URL | hxxts[:]//sl-navy[.]office-drive[.]live/45/1/334/2/0/0/0/m/files-fe9dade2/file[.]rtf |
URL | hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5041/2/0/0/0/m/files-dd96433f/file[.]rtf |
URL | hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5039/2/0/0/0/m/files-d7c7dda1/file[.]rtf |
URL | hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5035/2/0/0/0/m/files-4a0480ae/file[.]rtf |
URL | hxxts[:]//moma[.]comsats-net[.]com/5753/1/4375/2/0/0/0/m/files-8062311a/file[.]rtf |
URL | hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5040/2/0/0/0/m/files-f3b20b30/file[.]rtf |
URL | hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5036/2/0/0/0/m/files-2ad09cbd/file[.]rtf |
URL | hxxts[:]//moma[.]comsats-net[.]com/5753/1/4371/2/0/0/0/m/files-b62d382f/file[.]rtf |
URL | hxxts[:]//srilanka-navy[.]lforvk[.]com/135/1/334/2/0/0/0/m/files-4fdaf6c7/file[.]rtf |
URL | hxxts[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files-3d1dff0f/file[.]rtf |
URL | hxxts[:]//dgms[.]paknavy-gov[.]com/5733/1/5051/2/0/0/0/m/files-73bdca4d/file[.]rtf |
URL | hxxts[:]//mofadividion[.]ptcl-gov[.]com/5724/1/3268/2/0/0/0/m/files-11e30891/file[.]rtf |
URL | hxxts[:]//ksew[.]kpt-gov[.]org/5663/1/3275/2/0/0/0/m/files-937950ad/file[.]rtf |
URL | hxxts[:]//ministryofforeignaffairs-mofa-gov-pk[.]dytt88[.]org/14444/1/2454/2/0/0/0/m/files-9ba90b7f/file[.]rtf |
URL | hxxt[:]//bdmil[.]alit[.]live/3398/1/50073/2/0/0/0/m/files-ac995f17/file[.]rtf |
URL | hxxt[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf |
URL | hxxts[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf |
URL | hxxts[:]//paknavy[.]jmicc[.]xyz/5627/1/4367/2/0/0/0/m/files-9e0912cc/file[.]rtf |
URL | hxxt[:]//bdmil[.]alit[.]live/3398/1/54346/2/0/0/0/m/files-491dc489/file[.]rtf |
URL | hxxts[:]//paknavy[.]comsats[.]xyz/5552/1/5037/2/0/0/0/m/files-1b5c7556/file[.]rtf |
URL | hxxts[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf |
URL | hxxt[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf |
URL | hxxts[:]//paknavy[.]paknavy[.]live/5516/1/4367/2/0/0/0/m/files-db71f6b3/file[.]rtf |
URL | hxxts[:]//mofabn[.]ksewpk[.]com/5511/1/4993/2/0/0/0/m/files-18e5db65/file[.]rtf |
URL | hxxt[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf |
URL | hxxts[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf |
URL | hxxt[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf |
URL | hxxts[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf |
URL | hxxt[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf |
URL | hxxts[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf |
URL | hxxt[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf |
URL | hxxts[:]//cabinet-gov-pk[.]ministry-pk[.]net/14300/1/1273/2/0/0/0/m/files-68ebf815/file[.]rtf |
URL | hxxts[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf |
URL | hxxts[:]//careitservices[.]paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files-266ad911/file[.]rtf |
URL | hxxts[:]//defencelk[.]cvix[.]live/3023/1/54082/2/0/0/0/m/files-0c31ed2d/file[.]rtf |
URL | hxxt[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file[.]rtf |
URL | hxxts[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file[.]rtf |
URL | hxxts[:]//sppc[.]moma-pk[.]org/5281/1/4265/2/0/0/0/m/files-d2608a99/file[.]rtf |
URL | hxxps[:]//mailrta[.]mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf |
URL | hxxt[:]//mailnavybd[.]govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf |
URL | hxxts[:]//mailaplf[.]cvix[.]live/2968/1/50390/2/0/0/0/m/files-7630e91a/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf |
URL | hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf |
URL | hxxt[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5792/2/0/0/0/m/files-da7756e4/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5776/2/0/0/0/m/files-175c56e7/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5783/2/0/0/0/m/files-a26663eb/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5785/2/0/0/0/m/files-76f11745/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5788/2/0/0/0/m/files-3acec3be/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5782/2/0/0/0/m/files-78d7e141/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5796/2/0/0/0/m/files-97e02960/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5790/2/0/0/0/m/files-a3d0041a/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5773/2/0/0/0/m/files-5a31d681/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5799/2/0/0/0/m/files-03dd18bd/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5781/2/0/0/0/m/files-62caea91/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5804/2/0/0/0/m/files-c43dece3/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5794/2/0/0/0/m/files-60cb1621/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5787/2/0/0/0/m/files-fb528413/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5786/2/0/0/0/m/files-5def1d52/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5798/2/0/0/0/m/files-c3178f3d/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5779/2/0/0/0/m/files-2f2e186d/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5789/2/0/0/0/m/files-8822f8ff/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5777/2/0/0/0/m/files-7f2e758b/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5791/2/0/0/0/m/files-bda6f896/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5769/2/0/0/0/m/files-2f6b9c9a/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5774/2/0/0/0/m/files-12eca223/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5772/2/0/0/0/m/files-84c4942a/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf |
URL | hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5793/2/0/0/0/m/files-f2d0617e/file[.]rtf |
URL | hxxts[:]//mailrta[.]mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf |
URL | hxxt[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files-3d1dff0f/file[.]rtf |
URL | hxxts[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf |
URL | hxxt[:]//mailnavybd[.]govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf |
Domain | slpa[.]mod-gov[.]org |
IP | 62.113.255[.]80 |
Domain | mailrta[.]mfagov[.]org |
IP | 194.61.121[.]216 |
Domain | promotionlist[.]comsats-net[.]com |
IP | 5.255.104[.]32 |
Domain | mailnavybd[.]govpk[.]net |
IP | 5.255.112[.]194 |
Domain | mailnavymilbd[.]govpk[.]net |
About Arctic Wolf Labs
Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.
Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
This article was originally posted on the BlackBerry® blog on May 8th, 2023. Arctic Wolf acquired Cylance® and its teams from BlackBerry in February 2025. The BlackBerry Research and Intelligence team is now part of the Arctic Wolf Labs team.