###### Tom Hegel, AT&T Alien Labs. Published: January 13th 2021. Intelligence current as of: December 11th 2020

# A Global Perspective of the SideWinder APT

## Summary

AT&T Alien Labs has investigated the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017; however, the group has reportedly been operating since at least 2012.

Alien Labs, along with other security researchers, has assessed with low to medium confidence that the group operates in support of Indian political interests, based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known India-interest APTs, past cyber threat intelligence reporting, and our private telemetry.

SideWinder is a highly active adversary primarily making use of email spear phishing, document exploitation, and DLL side-loading techniques to evade detection and to deliver targeted implants. The adversary's activity continues at a consistent rate, and AT&T Alien Labs recommends deploying detections and performing retrospective analysis of the shared indicators of compromise (IOCs) for past undetected activity. In this report we provide a timeline of known campaigns and their associated IOCs, in addition to a large number of campaigns and IOCs which have not been previously reported or publicly identified.

## Analysis Purpose & Resources

AT&T Alien Labs authored this report to share information and improve the understanding and collection potential of SideWinder activity.
The purpose of providing this report is to help defenders with retrospective analysis, provide guidance to researchers with our own findings, and share a foundation of knowledge on a specific and unique threat actor for defender identification and future industry reporting.

The primary resources AT&T Alien Labs used for this analysis include private Alien Labs telemetry and intelligence, the Alien Labs Open Threat Exchange™ (OTX™), public file repositories and sandboxes (OTX, VirusTotal, Any.Run, MalShare), and multiple infrastructure analysis supporting tools (BinaryEdge, RiskIQ). Additionally, as can be found in the “Past Reporting Timeline” section, we have used publications on SideWinder activity to help supplement the details of activity and identify noteworthy multinational patterns outside our own perspective and data.

## Past Reporting Timeline

Below is a timeline of relevant and noteworthy publicly reported activity on the SideWinder APT group. Alien Labs has reviewed and tracked SideWinder with the help of the many sources referenced in this timeline. It is important to note that some past publications have contained errors which we have retrospectively identified. A complete list of indicators (IOCs) from each publication can be found in Appendix C. This list has been curated and supplemented with our own findings. Additionally, we have provided secondary links through archive.org so that past content remains archived and available to future readers if the publication from a source is no longer hosted online. It is important to note that all sources, including the authors of this report, are limited to their own data, telemetry, and knowledge at the time of publication.

- April 12, 2018: The first public naming of the SideWinder APT group was by Kaspersky on April 12th 2018 [archived], in an APT Trends summary. According to the Kaspersky blog, SideWinder has been active since at least 2012 and has potentially been authored by an Indian company.
  Kaspersky also released a more detailed private intelligence report in the first quarter of 2018, according to their blog post.
- May 2, 2018: Tencent Security published a blog [archived] on SideWinder. In this blog, they name the actor “Rattlesnake” and “T-APT-04”. The blog shared an overview of the attack process using malicious documents as a delivery mechanism for a RAT (remote access trojan) install.
- July 16, 2018: Sebastien Larinier published [archived] an analysis of a SideWinder-linked malicious document. The analysis breaks down the exploit and infection process, which is related to activity previously reported by Tencent.
- July 31, 2018: Sebastien Larinier published a blog [archived] on a newly identified malicious document that was built with a toolkit similar to the one linked to previous SideWinder activity; however, in this case the malicious document was potentially associated with the Chinese adversary group “1973CN,” known for their Vietnam-focused campaigns [archived] in 2016.
- October 18, 2018: Sebastien Larinier also shared an update [archived] on a new infection process observed in a SideWinder malicious document. We excluded some of the IOCs in this report, as we assess with moderate confidence they are not related to SideWinder activity.
- February 5, 2019: Anomali first publicly reported [archived] on the shared rich text format (RTF) weaponizer used by multiple Chinese APT groups, with links to known SideWinder activity. This shared toolkit has since been primarily referred to as the “Royal Road” or “8.t” Weaponizer. Anomali presented various intriguing assessments, such as a potential shared exploit and weaponizer supply chain used between Goblin Panda, APT40, and ICEFOG (Chinese APTs) and then later with SideWinder (India APT).
- February 15, 2019: The Government of Pakistan’s NTISB issued a “prevention against cyber espionage advisory” (no. 3) [archived] which contains technical indicators related to a SideWinder campaign targeting Pakistan military organizations. The adversary was not identified in this report; however, Alien Labs was able to attribute this activity to SideWinder.
- February 20, 2019: The Government of Pakistan’s NTISB issued an espionage advisory (no. 4) [archived] related to a SideWinder campaign against defense and intelligence organizations within Pakistan. The adversary was not identified in this report; however, Alien Labs was able to attribute this activity to SideWinder.
- February 26, 2019: Tencent reported on SideWinder [archived] activity potentially targeting Pakistan government organizations, based on malicious document lures.
- April 1, 2019: The Government of Pakistan’s NTISB issued cyber espionage advisory no. 8 [archived], in which SideWinder masqueraded as the Ministry of Interior in a campaign against other Pakistan government organizations. The adversary was not identified in this report; however, Alien Labs was able to attribute this activity to SideWinder.
- May 8, 2019: The Antiy CERT team published an analysis of SideWinder activity [archived] targeting Pakistan government officials. The analysis summarized findings of attack methods using English lures involving the militaries of China and Pakistan.
- September 6, 2019: Rising Network Security Technology Company of Beijing reported on a SideWinder campaign [archived] they discovered that targeted multiple embassies in China, in addition to an unnamed Chinese defense technology company’s foreign representative office.
- September 9, 2019: Tencent published an article summarizing India/Pakistan attacks [archived], geopolitical context, and general actor overviews.
- October 4, 2019: SideWinder and its use of the Royal Road Weaponizer were further referenced in a joint Anomali and Proofpoint presentation at the annual Virus Bulletin conference (Slides [Archived]/Video). This presentation adds further clarification to the Feb. 5, 2019, blog by Anomali. The authors’ discussion of the Weaponizer lifecycle is a noteworthy detail to consider regarding the past supply chain relations between the various Chinese actors and SideWinder.
- October 18, 2019: Rising reported on more observed activity [archived] targeting additional government and defense organizations in China.
- October 29, 2019: Rising reported on a SideWinder campaign [archived] targeting military organizations of Pakistan.
- November 11, 2019: The Government of Pakistan’s NTISB issued advisory no. 22 [archived] detailing SideWinder as an Indian APT, in addition to sharing technical indicators and recommendations. This appears to be the first public attribution of SideWinder by the NTISB.
- January 1, 2020: Shadow Chaser Group published a 2019 summary report [archived] of SideWinder activity.
- January 6, 2020: Trend Micro first publicly reported [archived] on new SideWinder Android OS malware, potentially active since March 2019. The mobile apps were available on the Google Play store and were mimicking camera and file management apps. The apps operated in a multi-stage infection process, using CVE-2019-2215 and resulting in a full compromise of victim devices.
- January 17, 2020: At the Japan Security Analyst Conference, SideWinder and its past use of the Royal Road Weaponizer were detailed in the presentation titled “An Overhead View of the Royal Road” by Rintaro Noike and Shota Nakajima of nao_sec (Slides [archived]/Video).
- April 14, 2020: Tencent reported on SideWinder taking advantage of the COVID-19 pandemic [archived] in a campaign against Pakistan military organizations. Some of the same details in the Tencent blog were also released in advisory no. 5 [archived] from the Government of Pakistan’s NTISB on the same day.
- May 20, 2020: RedDrip Team published an analysis [archived] of the SideWinder campaign against the Pakistan Government reported on April 14th. One noteworthy detail: this report included one of the first public references to SideWinder operating phishing websites.
- July 12, 2020: The Shadow Chaser Group publicly shared details [archived] on a collection of more recent SideWinder activity, including an analysis of the infection process and potential Bangladesh and Chinese university targets.
- December 9, 2020: Trend Micro released a blog [archived] with a detailed analysis of SideWinder credential phishing websites and targets, in addition to identification of mobile applications potentially being built for future attacks.

## Targets

The SideWinder APT has been targeting governments and businesses throughout South Asia and East Asia spanning many years. Specifically, there is a recurring effort of targeting military and government organizations. The primary targets of government and military targeting have been Pakistan, China, Nepal, and Afghanistan. There were also many smaller operations observed targeting other nations in the region, such as Myanmar, Qatar, Sri Lanka, and Bangladesh. We assess with moderate confidence that various businesses operating in the national defense technology, scientific research, financial, energy, and mineral industries of the same nations were also targeted in SideWinder campaigns. It is critical to acknowledge that this is not the complete picture of the group’s operations, and they are likely conducting operations against other targets.
Our assessment of the targets is based on infrastructure design/naming trends, government notifications, publicly available files unique to specific sources, phishing pages, previous public reporting, and Alien Labs private telemetry.

## Technical Campaign Details

### Initial Access

SideWinder has been observed initiating attacks with spear phishing emails against their target organizations. Attacks primarily deliver malicious attachments, but credential phishing has also been a technique used by the group. The December 2020 blog from Trend Micro provides an excellent analysis of the phishing websites. Ultimately, these websites are used to collect credentials and occasionally deliver files similar to the attachments detailed below.

Email lures and their attachments or links are often uniquely crafted to the target organization, with content that the recipients would often expect to receive or benefit from reading. Since the group has primarily targeted government and military organizations, email lures are often related to political events and/or private documents generally considered standard for such organizations to receive. Figure 1 includes a screenshot of the complete content of an April 2019 campaign phishing email (SHA256: be71f2d17037a1a1fbbe8d7f3f4b45c72132a64224e3d3f13aa66a2249df9232) with attachment (SHA256: ac4fd2681c3a9d087ff4cabb44b93753711e81c6574c837ca33f74fef37f3cf4).

###### Figure 1. SideWinder Phishing Email Screenshot captured via VirusTotal.

Malicious attachments are the standard approach over the use of malicious links in phishing emails. Attachments have most commonly been RTF files, and less commonly DOCX, LNK, and ZIP files.

### Code Execution

The RTF files continually use CVE-2017-11882 to exploit the target host and initiate the compromise. LNK files are used for code execution to download remote files from adversary-controlled infrastructure. ZIP files have been observed simply as a way to supply LNK files, potentially in an attempt to evade automatic email filtering. One example of a ZIP to LNK delivery method was also detailed in the Government of Pakistan’s NTISB advisory No. 22 of November 2019. The ZIP file contained a malicious LNK file (SHA256: 61669c7e59036ae95a2886cf5a42a89633ff8c53cf75e7cb89e0be9f6d4030f4) which performs a remote download from paknavy.gov[.]pk.ap1-port[.]net/images/E7B62E1D/1182/2258/fc8fe2b4/692cd02 to ultimately download a malicious HTA file.

###### Figure 2. Scan of NTISB November 2019 Advisory, via National University of Technology Pakistan.

The HTA files themselves vary over the years, often evolving with each campaign in an attempt to complicate analysis and detection capabilities. The HTA files generally have the same role in each campaign. This includes:

1. Act as the downloader to initialize the infection from the C2 server.
   a. Further HTA downloads (multistage) or direct loader DLL download and execution.
2. Load an encoded lure document (such as a PDF).
   a. Often a decoy document shown to users while the attack is conducted without their knowledge.
3. Report unique host details to the C2 server.
   a. Basic antivirus checks.

The scripts shift between JavaScript, PowerShell, and VBScript. Additionally, the amount of code obfuscation and encoding within the scripts has increased over time. The scripts have also benefited from using versions of open source toolkits such as Koadic and StarFighters to deliver the final payload. Ultimately, the many unique implementations of the HTA file scripts lead to the drop and execution of the loader through the DLL side-loading technique.
### Trojan Analysis

#### DLL Side-Loading Execution Flow

As part of its infection chain, SideWinder uses a technique called DLL side-loading to load and execute its final implant payload on target machines. The malware hijacks a clean file by forcing a system program to load its malicious DLL rather than the original one. This approach allows the implant to reside only in the memory of the victim machine, avoiding detection through generic file scans.

1. The script copies a clean system EXE file, which is often whitelisted from detection, to the malware directory. In the case of various SideWinder methods, this would be the legitimate rekeywiz.exe Windows OS application file (SHA256: fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850).
2. Next, the script gives its own DLL file the same name as a clean file the application needs to load during execution, which in this example is "Duser.dll". It is then placed into the same folder as the clean application.
3. A configuration file is made for the system EXE file to avoid conflicts with DLL file versions (for example: "rekeywiz.exe.config").

###### Figure 3: Directory containing clean application of the copied “rekeywiz.exe”, the malicious DLL “Duser.dll”, and the configuration file to avoid version conflicts “rekeywiz.exe.conf”, captured via Alien Labs threat analysis.

###### Figure 4: Content of “regkeywiz.exe.conf” to avoid version conflict when loading ‘Duser.dll’, captured via Alien Labs threat analysis.

4. The script executes the clean EXE file, which then loads and executes the malicious DLL as if it were the original clean version; the DLL in turn decrypts and loads the final implant into memory.

###### Figure 5: Malicious “DUser.dll” loads upon “LoadLibrary” API function call of clean program, captured via Alien Labs threat analysis.

#### Malicious DLL Analysis

Next, we can follow the execution of the new Duser.dll file through the DLL side-loading technique. Duser.dll is responsible for decrypting and executing the final payload in memory; the payload has been written as a randomly named temporary file (.tmp) on disk. This process is completed through the clean system application used for the side-loading technique, rekeywiz.exe. Duser.dll does not contain malicious code by itself, but rather acts as a component to load the implant.

###### Figure 6: DLL reads the content of decrypted file ‘MpyutHk.tmp’ and executes it in the memory of the clean application “regkeywiz.exe”, captured via Alien Labs threat analysis.

As mentioned, the content of the temporary file is the encrypted final and main payload of the infection process. The first 32 bytes are the decryption key for a XOR loop. The function below can be used to decrypt the file.

```python
def decrypt(input_file, output_file):
    # Read the whole .tmp file: the first 32 bytes are the XOR key,
    # everything after them is the encrypted payload.
    with open(input_file, 'rb') as f:
        data = f.read()
    xor_key = data[0:32]
    arr = bytearray(data[32:])
    # Cycle through the 32-byte key over the payload.
    for i in range(len(arr)):
        arr[i] ^= xor_key[i % 32]
    with open(output_file, 'wb') as f:
        f.write(arr)
```

#### Final Implant

As mentioned above, the implant is an encrypted temp file, which is initiated by the loader through the DLL side-loading technique, decrypted, and then executed. The implant will save its configuration file in the original malware folder and decrypt it in memory. Similar to the previous DLL, the first 32 bytes are the decryption key for the XOR loop.
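The side-loading folder layout and the 32-byte XOR layer that the .tmp payload and the implant configuration share, combined into one triage script as an added example for this page (written here, not Alien Labs tooling). It builds a constructed sample folder (the names rekeywiz.exe, Duser.dll, rekeywiz.exe.config and MpyutHk.tmp come from the report; the key, the cfg.tmp name and the JSON content are assumptions) and runs both checks over it.

```python
"""Added triage example (not from the report or Alien Labs tooling).

Check 1: find the side-loading layout: an EXE copied into a writable folder,
         a DLL carrying a system DLL's name, and an '<exe>.config' beside it.
Check 2: strip the 32-byte XOR layer from .tmp files and label the plaintext
         (PE image for the implant, JSON for its configuration).
"""
import json
import os
import tempfile

KEY_LEN = 32  # the key is the first 32 bytes of the file, per the report

def xor_decrypt(blob: bytes) -> bytes:
    """Key = first KEY_LEN bytes; the remainder is XORed with it cyclically."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob shorter than the 32-byte key prefix")
    key, body = blob[:KEY_LEN], bytearray(blob[KEY_LEN:])
    for i in range(len(body)):
        body[i] ^= key[i % KEY_LEN]
    return bytes(body)

def xor_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of xor_decrypt; used only to build the constructed samples."""
    return key + bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plaintext))

def classify_plaintext(data: bytes) -> str:
    """Label what the XOR layer revealed: PE image, JSON config, or unknown."""
    if data[:2] == b"MZ":
        return "pe"
    try:
        json.loads(data.decode("utf-8"))
        return "json-config"
    except (UnicodeDecodeError, ValueError):
        return "unknown"

def find_sideload_triads(root: str) -> list:
    """Return (exe, [dlls], config) for every EXE next to a DLL and '<exe>.config'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        dlls = [lower[f] for f in lower if f.endswith(".dll")]
        for name in lower:
            if name.endswith(".exe") and name + ".config" in lower and dlls:
                hits.append((os.path.join(dirpath, lower[name]),
                             [os.path.join(dirpath, d) for d in dlls],
                             os.path.join(dirpath, lower[name + ".config"])))
    return hits

def triage_tmp_files(root: str) -> dict:
    """Map each .tmp file name under root to the label of its decrypted body."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".tmp"):
                continue
            with open(os.path.join(dirpath, f), "rb") as fh:
                blob = fh.read()
            try:
                result[f] = classify_plaintext(xor_decrypt(blob))
            except ValueError:
                result[f] = "too-short"
    return result

def build_sample_dir() -> str:
    """Constructed folder mirroring Figure 3's layout; file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="sidewinder_sample_")
    key = bytes(range(1, KEY_LEN + 1))  # constructed key, not from a real sample
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    config = json.dumps({"c2": "c2.example.invalid", "ext": [".docx", ".pdf"]}).encode()
    files = {"rekeywiz.exe": b"placeholder-exe", "Duser.dll": b"placeholder-dll",
             "rekeywiz.exe.config": b"<configuration/>",
             "MpyutHk.tmp": xor_encrypt(key, fake_pe),  # implant stand-in
             "cfg.tmp": xor_encrypt(key, config)}       # config stand-in (assumed name)
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    sample = build_sample_dir()
    for exe, dlls, cfg in find_sideload_triads(sample):
        print("side-load candidate:", exe, dlls, cfg)
    print(triage_tmp_files(sample))
```

On a real host, point `find_sideload_triads` and `triage_tmp_files` at user-writable folders; a copy of a System32 binary sitting beside a same-named DLL and an `.exe.config` is the layout worth a closer look.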
A decrypted configuration used by the implant, which includes the configuration file name, malware directory, C2 server, file extensions to collect and more, can be seen in Figure 7:

###### Figure 7: SideWinder Trojan Decrypted Configuration, captured via Alien Labs threat analysis.

The full malware configuration parameters used are shown below in their declaration state. Notably, in a switch statement, if the configuration does not contain any C2 server, a default one is set. Following execution, two timer functions are set. The first timer function is responsible for querying the C2 to get the new configuration needed for the malware and collect its associated information. After the first request, it will start processing the commands it received by following the configuration settings:

###### Figure 8: Sample of Configuration Settings, captured via Alien Labs threat analysis.

A complete list of available capabilities with added context:

1. Collect system information and save it to a file to be uploaded later to the C2 server.

###### Figure 9: System information collected, captured via Alien Labs threat analysis.

###### Figure 10: System information collected, captured via Alien Labs threat analysis.

2. Collect drive information and directory files based on configuration. The malware can list files based on extension.
###### Figure 11: Drive and File Information, captured via Alien Labs threat analysis.

3. Collect files and save them to a temporary file to later deliver to the C2 server.

###### Figure 12: File Theft capability, captured via Alien Labs threat analysis.

4. Update the malware configuration with one received from the C2 server.

###### Figure 13: C2 Configuration Default Check, captured via Alien Labs threat analysis.

The malware will collect information from the system, save it as a JSON file on disk, and later send it to the C2 server.

###### Figure 14: JSON collected information file, captured via Alien Labs threat analysis.

The second callback function is mainly responsible for uploading files to the server, collected by the malware based on C2 configuration and request:

###### Figure 15: Upload Files Function, captured via Alien Labs threat analysis.

To send data to the server, the malware makes an HTTP POST request, as shown below:

###### Figure 16: HTTP POST Request Configuration, captured via Alien Labs threat analysis.

## SideWinder Relations and Shared Resources

There are various links to other adversary groups observed during the investigation of SideWinder. AT&T Alien Labs assesses with moderate confidence there is a close relationship between the reported India-interest APT known as PatchWork and SideWinder. This relationship can be identified by an overlap in actor-built C2 infrastructure.
The October 2019 Android activity also presents an interesting anomaly for SideWinder, introducing potential links to PatchWork attack techniques and infrastructure.

Additionally, SideWinder was observed using a shared weaponizer toolkit. This shared toolkit has been primarily referred to as the “Royal Road” or “8.t” Weaponizer. As noted in past reporting, many intriguing links can be made to the various APT groups’ use of it, such as Goblin Panda, APT40, and ICEFOG (Chinese actors) and then later SideWinder (potentially India). Such a shared exploit and weaponizer toolkit provides a limited insight into the supply chain used between many APTs. In the analyst’s opinion, this may mean the supply chain could be a central, for-profit organization, or there are potentially deliberate sharing efforts between various state-sponsored organizations. Royal Road samples include:

- 892859ea9d86fc441b24222148db52eb33cd106c2ac68eafbe83ab0064215488
- 22062b6bcda194e3734285fed6b2de341c694c52a8f60c9f389f880cefab7644
- 9001056791a03ec998f26805d462bc2ca336b2c3aeac2e210f73ff841dfe3eec

Lastly, the July 12, 2020, findings from the Shadow Chaser Group introduced a potential additional clue of links to a shared supply chain with the DarkHotel adversary group. Specifically, the unique variable declarations and specific parameters used in CVE-2020-0674 exploits are similar.

## Conclusion

After extensive investigation of the adversary group known as SideWinder, AT&T Alien Labs continues to observe the group remaining highly active. SideWinder is targeting government and businesses in Asia with phishing campaigns built for their specific targets. Through our investigation, we have uncovered a collection of activity targeting government and business spanning many years. Alien Labs assesses with low to medium confidence that the group operates in support of Indian political interests, based on targets, campaign timelines, technical characteristics of C2 infrastructure and malware, association with known India-based APTs, past industry reporting, and private telemetry. We express gratitude to the many organizations and researchers for their public sharing of SideWinder activity and recommend that readers make use of our Past Reporting Timeline in their own analysis and conclusions.

# Appendix A. Mapped to ATT&CK Framework

- TA0043: Reconnaissance
  - T1589: Gather Victim Identity Information
    - T1589.002: Email Addresses
    - T1589.003: Employee Names
  - T1591: Gather Victim Org Information
    - T1591.002: Business Relationships
    - T1591.001: Determine Physical Locations
    - T1591.003: Identify Business Tempo
    - T1591.004: Identify Roles
- TA0042: Resource Development
  - T1583: Acquire Infrastructure
    - T1583.001: Domains
    - T1583.004: Server
- TA0001: Initial Access
  - T1566.001: Spearphishing Attachment
  - T1566.002: Spearphishing Link
- TA0002: Execution
  - T1059: Command and Scripting Interpreter
    - T1059.007: JavaScript/Jscript
    - T1059.001: PowerShell
    - T1059.005: Visual Basic
  - T1203: Exploitation for Client Execution
  - T1204: User Execution
    - T1204.002: Malicious File
    - T1204.001: Malicious Link
- TA0003: Persistence
  - T1574: Hijack Execution Flow
    - T1574.002: DLL Side-Loading
  - T1078: Valid Accounts
- TA0004: Privilege Escalation
  - T1574: Hijack Execution Flow
    - T1574.002: DLL Side-Loading
- TA0005: Defense Evasion
  - T1574: Hijack Execution Flow
    - T1574.002: DLL Side-Loading
- TA0007: Discovery
  - T1087: Account Discovery
    - T1087.001: Local Account
  - T1083: File and Directory Discovery
  - T1120: Peripheral Device Discovery
  - T1069: Permission Groups Discovery
  - T1057: Process Discovery
  - T1518: Software Discovery
  - T1082: System Information Discovery
  - T1007: System Service Discovery
  - T1124: System Time Discovery
- TA0009: Collection
  - T1119: Automated Collection
  - T1602: Data from Configuration Repository
    - T1602.002: Network Device Configuration Dump
  - T1005: Data from Local System
  - T1039: Data from Network Shared Drive
  - T1025: Data from Removable Media
  - T1074: Data Staged
    - T1074.001: Local Data Staging
- TA0011: Command and Control
  - T1071: Application Layer Protocol
- TA0010: Exfiltration
  - T1020: Automated Exfiltration
  - T1041: Exfiltration Over C2 Channel

# Appendix B. Detection Methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

#### SURICATA IDS SIGNATURES

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV TROJAN APT SideWinder Malicious JS/Shellcode Inbound"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"
```