# SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey **[blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan](https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan)** The BlackBerry Research & Intelligence Team 1. [BlackBerry Blog](https://blogs.blackberry.com/en.html) 2. SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey ### Summary The BlackBerry Threat Research and Intelligence team has been actively tracking and [monitoring the SideWinder APT group, which has led to the discovery of their latest](https://malpedia.caad.fkie.fraunhofer.de/actor/razor_tiger) campaign targeting Pakistan government organizations. In this campaign, the SideWinder advanced persistent threat (APT) group used a serverbased polymorphism technique to deliver the next stage payload. ### Brief MITRE ATT&CK® Information ----- **Tactic** **Technique** Execution T1204.002, T1059.007, T1203, T1047 Defense Evasion T1480, T1221, T1027, T1140 Command and Control T1105, T1071.001 Discovery T1518.001 ### Weaponization and Technical Overview **Weapons** Obfuscated JavaScript, PE executable **Attack Vector** Weaponized document used for targeted attack **Network Infrastructure** DDNS **Targets** Pakistan Government organizations ### Technical Analysis **Context** The SideWinder APT group, also known as Razor Tiger, Rattlesnake, and T-APT-04, has been actively targeting Pakistan government organizations since at least 2012. [One of the oldest nation-state threat actors, SideWinder is believed to originate from India.](https://attack.mitre.org/groups/G0121/) Active since at least 2012, the group has been observed targeting military, government, and business entities, with a particular focus on Pakistan, Afghanistan, China, and Nepal. SideWinder primarily makes use of email spear-phishing, document exploitation, and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants. Through our threat hunting efforts, the BlackBerry Threat Research and Intelligence team discovered a new malware campaign by the SideWinder group. This campaign utilized a server-side polymorphism technique. The use of this technique allows the threat actor to ----- potentially bypass traditional signature-based antivirus (AV) detection to deliver the next stage payload. ### Attack Vector **MD5** **SHA256** **File** **Name** 666b2b178ce52e30be9e69de93cc60a9 cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be GUIDELINES FOR JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx **File Size** 12.81 KB (13115 bytes) **Created** 2022-11-30 04:52:00 UTC **Author** Windows User **Last** **Modified** **Last** **Modified** **by** 2022-11-30T05:44:00Z Windows User ### What is Server-Side Polymorphism? [Server-side polymorphism is a technique used by threat actors and other distributors of](https://www.csoonline.com/article/2633048/stopping-malware-that-mutates-on-demand.html) malware to attempt to evade detection by antivirus scanners. Polymorphic (literally “many shapes”) malware is malicious code that alters its appearance through encryption and obfuscation, making sure that no two samples look the same. It is hard for traditional or legacy AV software based on signatures to catch this type of malware, because the transformation code is not visible for security analysis. Although futuristic-sounding, it’s actually an older technique that has been used by threat actors since the early 1990s. ### Campaign Analysis The SideWinder APT group’s new campaign leveraging server-side polymorphism to deliver the next stage payload began in late November 2022. The malicious documents used in this campaign were created to target Pakistan government officials. The documents were designed to trick Pakistan officials by displaying convincing content relevant to their interests. ----- During the investigation, the BlackBerry Threat Research and Intelligence team analyzed the documents used by the threat group to identify various artefacts used in this campaign to potentially locate other files of interest. The first malicious lure we examined was a document titled “GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)”. ----- _Figure 1: Malicious lure document targeting Pakistan officials_ **MD5** **SHA256** 3b853ae547346befe5f3d06290635cf6 bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f **File Name** PK_P_GAA_A1_Offerred.docx **File Size** 36.35 KB (37220 bytes) **Created** 2022-12-06 05:24:37 UTC **Author** Windows User **Last** **Modified** **Last** **Modified** **by** 2022-12-06T05:24:37Z Windows User Another malicious document that was used in early December 2022 was titled “PK_P_GAA_A1_Offerred.docx”. In this instance, the document was eight pages in length and pretended to be a letter of offer and acceptance “for the purchase of defense articles, defense services, or both.” ----- _Figure 2: First malicious lure sent by the SideWinder APT group_ Notably, none of the documents used an embedded malicious macro code to deliver the next [stage payload; instead, the threat group exploited the CVE-2017-0199 vulnerability (remote](https://nvd.nist.gov/vuln/detail/cve-2017-0199) template injection). The “GUIDELINES FOR JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).doc“ malicious lure template was instructed to reach out to the remote address of “hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf”. The “pnwc[.]bol-north[.]com” domain in this instance resolves to the IP address 5.230.73[.]106. ----- _Figure 3: The URL for the next stage download_ The “PK_P_GAA_A1_Offerred.docx” malicious lure template was instructed to reach out to the remote address of “hxxps[:]//paknavy-govpkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf” to download the next stage. The “paknavy-gov-pk[.]downld[.]net” domain resolves to the IP address 185.205.187[.]234. _Figure 4: URL for next stage download_ During the time when the malicious server was active, this threat group had set their servers in a way that if the user/victim enters part of the malicious URL into their browser, they will be redirected to the legitimate Pakistan Navy home page, which is hxxps[:]//www[.]paknavy[.]gov[.]pk. It is important to note that the malicious server is no longer active. _Figure 5: Legitimate Pakistan Navy website. The victim is redirected to this site from a_ _malicious page._ ----- In early March, we discovered a new document that was also spread through phishing emails. The peculiarity of this OLE document was that it contained the address of the connection to the malicious server, which was also configured to connect to victims from Turkey. **MD5** **SHA256** **File** **Name** b7e63b7247be18cdfb36c1f3200c1dba 8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad Product.docx **File Size** 579.69 KB (593604 bytes) **Created** 2023-03-07 13:54:00 UTC **Author** user **Last** **Modified** **Last** **Modified** **by** 2023-03-07T13:56:00Z user ### Weaponization The next stage payload “file.rtf”, a rich text document file, can only be downloaded by users in the Pakistani IP range. It is important to note that in both instances, only the name of the file “file.rtf” and the file type are the same; however, the contents, file size and the file hash are different. This is an example of server-based polymorphism, where each time the server responds with a different version of file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection). If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) that contains a single string: {\rtf1 }. However, if the user is within the Pakistani IP range, the server then returns the RTF payload, which varies between 406KB – 414KB in size. ----- _Figure 6: "file.rtf" malicious payload_ ### Loader Having listed the existing objects in the “file.rtf” file that was obtained from “paknavy-govpk[.]downld[.]net” domain, the “1.a” object was extracted for further analysis. _Figure 7: "1.a" object overview_ During the malware execution chain, this object is saved under the “C:\Users\user\AppData\Local\Temp\1.a” location on the victim’s machine. The “1.a” file is an obfuscated JavaScript. ----- _Figure 8: De-obfuscated strings_ There are two things that stand out from our analysis – the base64 encoded data blob, and two URLs. The base64 data blob decodes to Win32 DLL(App.dll), and the two URLs are used for further communications with the threat actor. _Figure 9: URLs used for further communications with SideWinder_ ### Agent The previously mentioned base64 encoded data blob is a .NET compiled Win32 DLL called “App.dll”. **Hashes (md5,** **sha-256)** 8934f22ed2d4390f2e6170e4cfdbd483 8b718a15f76768ba29849a5f4a6ca0ff1d9c8ba7bcdc9d89efc792fe20e9fdb5 **ITW File Name** App.dll ----- **Compilation** **Stamp** **File** **Type/Signature** Fri Nov 16 02:26:21 2074 DLL **File Size** 139339 (bytes) **Compiler** **Name/Version** Microsoft Visual C# / Basic .NET To further avoid static signature-based detection, the “App.dll” file is obfuscated in the same way as the majority of other files and scripts uncovered in this campaign. _Figure 10: "App.dll" file_ The “App.dll” file is launched by earlier stage JavaScript code. The JavaScript deserializes the .NET binary and passes a URL to the executable's “Work()” function. This function makes a request to the URL and attempts to decrypt and then execute the response. In other words, the .NET executable can retrieve the next stage code and execute it. ### Network Infrastructure ----- SideWinder s campaign command-and-control (C2) infrastructure is only live for short periods of time. Non-Pakistani IP responses from the systems hosting RTF files have been identical since at least January 2021, with an 8-byte file with {\rtf1 } as the content. Following [the relationships in VirusTotal shows the distribution infrastructure and the longevity of similar](https://www.virustotal.com/gui/file/1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a/relations) campaigns. 28 domains have been seen in the wild hosting this empty RTF file, all with similar URLs used for hosting. For these campaigns, SideWinder also uses predictable URL structures when hosting their malicious files: First stage - */2/0/0/*/files-*/(hta|file.rtf) Second stage - */3/1/1/*/files-*/ The longevity of these tactics, techniques, and procedures (TTPs) – nearly 2 years – gives us confidence that they can be utilized for the detection of future campaigns. In mid-March 2023, we discovered a new configured server delivering the payload. This server was different in that it was configured so that a victim in Turkey could receive a second-stage payload. This shows that this threat actor is also now targeting organizations in Turkey. ### Targets The SideWinder group’s main target remains Pakistan government organizations. The campaign investigated by BlackBerry in early March 2023 identified Turkey as a new target. ### Attribution ----- The SideWinder APT group s primary targets are in Southeast Asia regions such as Pakistan and Sri Lanka; however, government institutions in Pakistan still remain their main target of interest. ### Conclusions This report discussed the SideWinder group’s targeted attack carried out in early December 2022. The latest SideWinder campaign targeting Turkey overlaps with the most recent [developments in geopolitics; specifically, in Turkey’s](http://www.indiandefencereview.com/news/india-responds-to-turkey-in-trouble-proactive-diplomacy-at-its-best/) [support of Pakistan and the ensuing](https://moderndiplomacy.eu/2023/03/26/breaking-diplomatic-norms-indian-response-to-oic-turkish-support-for-kashmir-issue/) [reaction from India.](https://www.hindustantimes.com/videos/news/turkey-not-our-friend-indian-twitter-fumes-after-erdogan-govt-targets-india-over-kashmir-101678213742252.html) The BlackBerry Threat Research and Intelligence team is actively monitoring this threat group’s tooling and malicious files. All the files and network artefacts we identified in this campaign have been listed in the Appendix below for the benefit of defenders and cybersecurity professionals. We hope this data will help provide protection and prevention measures going forward. ### APPENDIX 1 – Indicators of Compromise (IoCs) **Indicator** **Type** **Indicator** **MD5** b7e63b7247be18cdfb36c1f3200c1dba **SHA256** 8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad **MD5** 5efddbdcf40ba01f1571140bad72dccb **SHA256** a45258389a3c0d4615f3414472c390a0aabe77315663398ebdea270b59b82a5c **MD5** 3b853ae547346befe5f3d06290635cf6 **SHA256** bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f **MD5** 666b2b178ce52e30be9e69de93cc60a9 **SHA256** cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be ----- **MD5** ef00004a1ebc262ffe0fb89aa5524d42 **SHA256** a3283520e04d7343ce9884948c5d23423499fa61cee332a006db73e2b98d08c3 **MD5** 6c7d24b90f3c6b4383bd7d08374a0c6f **SHA256** 4db0a2d4d011f43952615ece8734ca4fc889e7ec958acd803a6c68b3e0f94eea **MD5** 73750f08265bbe80c3f235318bcef6fe **SHA256** bc3c6f9d51e2bdb37e03b01e2949f72836ecee4230e2320c5dc33a83b55b062f **MD5** 16341fcff1bc7388387fd17b4b3a7a50 cf1f4ec1d7db6cf1fe8e15687b348a279889689fa9c387de4a2c310c34336f9f **MD5** 1c62441de076eb5a5b2e1f8146767777 **SHA256** 75079e408ca9517825ffac396680a2d2169d691be3f1adbbd797e05e665c6fde **MD5** dacdb33b6e9de4c1fe8591bb5a65c55c **SHA256** cde768a4cf95e58f0e98e2bcca0663fd2c1a36510f6010065b4f54169a92e207 **MD5** 709e6a64735432c25cafb89951cc149c **SHA256** a2a9fd1db7f1dc196fa8af0669ea72d1f8ae48bf4775108ee746e0f83c5a7498 **URL** hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files75dc2b1e/file[.]rtf **URL** hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf **IP** 185.205.187[.]234 **IP** 5.230.73[.]106 ----- **URL** https[:]//cstc-spares-vip-163.dowmload[.]net/14668/1/1228/2/0/0/0/m/files403a1120/file[.]rtf **URL** https[:]//mtss.bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file[.]rtf **URL** https[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files75dc2b1e/file[.]rtf **URL** hxxts[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files75dc2b1e/file[.]rtf **URL** hxxts[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf **URL** hxxts[:]//sl-navy[.]office-drive[.]live/45/1/334/2/0/0/0/m/files-fe9dade2/file[.]rtf **URL** hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5041/2/0/0/0/m/filesdd96433f/file[.]rtf **URL** https[:]//forecast[.]comsats-net[.]com/5760/1/5039/2/0/0/0/m/filesd7c7dda1/file[.]rtf **URL** hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5035/2/0/0/0/m/files4a0480ae/file[.]rtf **URL** hxxts[:]//moma[.]comsats-net[.]com/5753/1/4375/2/0/0/0/m/files8062311a/file[.]rtf **URL** hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5040/2/0/0/0/m/filesf3b20b30/file[.]rtf **URL** hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5036/2/0/0/0/m/files2ad09cbd/file[.]rtf **URL** hxxts[:]//moma[.]comsats-net[.]com/5753/1/4371/2/0/0/0/m/filesb62d382f/file[.]rtf **URL** hxxts[:]//srilanka-navy[.]lforvk[.]com/135/1/334/2/0/0/0/m/files-4fdaf6c7/file[.]rtf ----- **URL** hxxts[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files3d1dff0f/file[.]rtf **URL** hxxts[:]//dgms[.]paknavy-gov[.]com/5733/1/5051/2/0/0/0/m/files73bdca4d/file[.]rtf **URL** hxxts[:]//mofadividion[.]ptcl-gov[.]com/5724/1/3268/2/0/0/0/m/files11e30891/file[.]rtf **URL** hxxts[:]//ksew[.]kpt-gov[.]org/5663/1/3275/2/0/0/0/m/files-937950ad/file[.]rtf **URL** hxxts[:]//ministryofforeignaffairs-mofa-govpk[.]dytt88[.]org/14444/1/2454/2/0/0/0/m/files-9ba90b7f/file[.]rtf **URL** hxxt[:]//bdmil[.]alit[.]live/3398/1/50073/2/0/0/0/m/files-ac995f17/file[.]rtf **URL** hxxt[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf **URL** hxxts[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf **URL** hxxts[:]//paknavy[.]jmicc[.]xyz/5627/1/4367/2/0/0/0/m/files-9e0912cc/file[.]rtf **URL** hxxt[:]//bdmil[.]alit[.]live/3398/1/54346/2/0/0/0/m/files-491dc489/file[.]rtf **URL** hxxts[:]//paknavy[.]comsats[.]xyz/5552/1/5037/2/0/0/0/m/files-1b5c7556/file[.]rtf **URL** hxxts[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf **URL** hxxt[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf **URL** hxxts[:]//paknavy[.]paknavy[.]live/5516/1/4367/2/0/0/0/m/files-db71f6b3/file[.]rtf **URL** hxxts[:]//mofabn[.]ksewpk[.]com/5511/1/4993/2/0/0/0/m/files-18e5db65/file[.]rtf **URL** hxxt[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf **URL** hxxts[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf ----- **URL** hxxt[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/filesce32ed85/file[.]rtf **URL** hxxts[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/filesce32ed85/file[.]rtf **URL** hxxt[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files5291bef6/file[.]rtf **URL** hxxts[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files5291bef6/file[.]rtf **URL** hxxt[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf **URL** hxxts[:]//cabinet-gov-pk[.]ministry-pk[.]net/14300/1/1273/2/0/0/0/m/files68ebf815/file[.]rtf **URL** hxxts[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf **URL** hxxts[:]//careitservices[.]paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files266ad911/file[.]rtf **URL** hxxts[:]//defencelk[.]cvix[.]live/3023/1/54082/2/0/0/0/m/files-0c31ed2d/file[.]rtf **URL** hxxt[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files1ddf5195/file[.]rtf **URL** hxxts[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files1ddf5195/file[.]rtf **URL** hxxts[:]//sppc[.]moma-pk[.]org/5281/1/4265/2/0/0/0/m/files-d2608a99/file[.]rtf **URL** hxxps[:]//mailrta.mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf **URL** http[:]//mailnavybd.govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf **URL** hxxts[:]//mailaplf[.]cvix[.]live/2968/1/50390/2/0/0/0/m/files-7630e91a/file[.]rtf ----- **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf **URL** hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf **URL** hxxt[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5792/2/0/0/0/m/files-da7756e4/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5776/2/0/0/0/m/files-175c56e7/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5783/2/0/0/0/m/files-a26663eb/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5785/2/0/0/0/m/files-76f11745/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5788/2/0/0/0/m/files-3acec3be/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5782/2/0/0/0/m/files-78d7e141/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5796/2/0/0/0/m/files-97e02960/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf ----- **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5790/2/0/0/0/m/files-a3d0041a/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5773/2/0/0/0/m/files-5a31d681/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5799/2/0/0/0/m/files-03dd18bd/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5781/2/0/0/0/m/files-62caea91/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5804/2/0/0/0/m/files-c43dece3/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5794/2/0/0/0/m/files-60cb1621/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5787/2/0/0/0/m/files-fb528413/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5786/2/0/0/0/m/files-5def1d52/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5798/2/0/0/0/m/files-c3178f3d/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5779/2/0/0/0/m/files-2f2e186d/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5789/2/0/0/0/m/files-8822f8ff/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5777/2/0/0/0/m/files-7f2e758b/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5791/2/0/0/0/m/files-bda6f896/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5769/2/0/0/0/m/files-2f6b9c9a/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5774/2/0/0/0/m/files-12eca223/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5772/2/0/0/0/m/files-84c4942a/file[.]rtf ----- **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf **URL** hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5793/2/0/0/0/m/files-f2d0617e/file[.]rtf **URL** hxxts[:]//mailrta[.]mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf **URL** hxxt[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files3d1dff0f/file[.]rtf **URL** hxxts[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf **URL** hxxt[:]//mailnavybd[.]govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf **Domain** slpa.mod-gov[.]org **IP** 62.113.255[.]80 **Domain** mailrta.mfagov[.]org **IP** 194.61.121[.]216 **Domain** promotionlist.comsats-net[.]com **IP** 5.255.104[.]32 **Domain** mailnavybd.govpk[.]net **IP** 5.255.112[.]194 **Domain** mailnavymilbd.govpk[.]net ----- ### APPENDIX 2 – Applied Countermeasures **YARA Rules** Available upon request (see below). **Suricata Rules** Available upon request (see below). **_Disclaimer: The private version of this report is available upon request. It includes but is not_** _limited to the complete and contextual MITRE ATT&CK® mapping, MITRE D3FEND™_ _countermeasures, Attack Flow by MITRE, and other threat detection content for tooling,_ _network traffic, complete IOCs list, and system behavior. Please email us at_ _cti@blackberry.com for more information._ ## About The BlackBerry Research & Intelligence Team The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve. Back -----