|Business|For Home| |---|---|  Contact Us #  [Business](https://www.trendmicro.com/en_us/business.html) [For Home](https://www.trendmicro.com/en_us/forHome.html) **APT & Targeted Attacks** # SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks While tracking the activities of the SideWinder group, we identi�ed a server used to deliver a malicious LNK �le and host multiple credential phishing pages. In addition, we also found multiple Android APK �les on their phishing server. By: Joseph C Chen, Jaromir Horejsi, Ecular Xu December 09, 2020 ### Authors **Joseph C Chen** Threat Researcher **Jaromir Horejsi** Threat Researcher **Ecular Xu** Mobile Threats Analyst ## While tracking the activities of the SideWinder group, which has become infamous for targeting the South Asia region and its surrounding countries, we identi�ed a server used to deliver a malicious LNK �le and host multiple credential phishing pages. We learned that these pages were copied from their victims’ webmail login pages and subsequently modi�ed for phishing. We believe further activities are propagated via spear-phishing attacks. The group’s targets include multiple government and military units, mainly in Nepal and Afghanistan. After the gathered credentials are sent, some of the phishing pages will redirect victims to di�erent documents or news pages. The themes and topics of these pages and documents are related to either Covid 19 or recent territory disputes between Nepal, Pakistan, India, and China. Furthermore, it seems that these lures are distributed via phishing links. ### Related Articles Who is the Threat Actor [Behind Operation Earth](https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html) Kitsune? Overview of Recent [Sunburst Targeted](https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html) Attacks Egregor Ransomware Launches String of High-Pro�le Attacks to End 2020 ### Contact Us ----- ## We also found multiple Android APK �les on their phishing server. While some of them are benign, we also discovered malicious �les created with Metasploit. One of the normal applications, called “OpinionPoll,” is a survey app for gathering opinions regarding the Nepal-India political map dispute, which seems to be another political lure similar to the one they used in the spear phishing portion. We believe these applications are still under development and will likely be used to compromise mobile devices in the future. SideWinder has been very active in 2020. Earlier this year, we published a report on how the SideWinder APT group used the Binder exploit to attack mobile devices. The group also launched attacks against Pakistan, Bangladesh, and China using lure �les related to Covid-19. Analysis of the malicious document The use of malicious documents is one of SideWinder’s most common infection vectors. We collected several di�erent samples from the campaign, including: 1. An LNK �le that downloads an RTF �le and drops a JavaScript �le 2. A ZIP �le containing an LNK �le, which downloads an HTA �le (with JavaScript) 3. An RTF �le that drops a JavaScript �le 4. A PDF �le with an embedded JavaScript stream 5. A DOCX �le with an external link to an OLE object (RTF �le), which contains and drops a JavaScript �le **[Archives ](https://www.trendmicro.com/content/trendmicro/en_us/research/09/archive)** ----- Figure 1. An example of a downloaded ZIP �le containing an LNK �le that is used to download a malicious HTA �le ## All of these cases end up with either the downloading or dropping of �les and then the execution of JavaScript code, which is a dropper used to install the main backdoor + stealer. The downloaded RTF �les exploit the CVE-2017-11882 vulnerability. It drops a �le named 1.a (a JavaScript code), which drops the backdoor + stealer into a folder in ProgramData and directly executes it or creates a scheduled task to execute the dropped �les at a later time. Figure 2. A scheduled task with a command to execute the dropped backdoor + stealer ## The content of the newly created folder contains a few �les, including Rekeywiz (EFS REKEY wizard, FA86B5BC5343CA92C235304B8DCBCF4188C6BE7D4621C625564BEBD5326E D850), which is a legitimate Windows application. ----- Figure 3. List of dropped �les ## This application loads various system DLL libraries, including shell32.dll, which sideloads DUser.dll, one of shell32’s DelayImports. Figure 4. DUser library as DelayImport of shell32 library ## However, a fake DUser.dll gets loaded into the process. This fake DLL library decrypts the main backdoor + stealer from the .tmp �le in the same directory. Figure 5. Algorithm for decrypting both main backdoor + stealer and con�guration ## The decryption process is a simple XOR, where the key is the �rst 32 bytes from the encrypted �le and the payload are the remaining bytes. The decrypted payload is the main backdoor .NET executable binary. ----- Figure 6. Decrypted main SystemApp with listing its classes and resources ## In Resources, the Default resource contains the encrypted con�guration. After decryption (using the same principle as with the main backdoor + stealer), the con�guration reveals which �le formats the attackers are targeting. Figure 7. The decrypted con�guration ## The main functions of the backdoor + stealer are: 1) Downloading the .NET executable and running it 2) Collecting system information and uploading it to the command-and-control (C&C) server 3) Uploading selected �les to the C&C server ----- ## The collected information is in JSON format (hence why the Newtonsoft_Json library stored in Resources is loaded) and includes information such as privileges, user accounts, computer system information, antivirus programs, running processes, processor information, operating system information, timezone, installed Windows updates, network information, list of directories in Users\%USERNAME%\Desktop, Users\%USERNAME%\Downloads, Users\%USERNAME%\Documents, Users\%USERNAME%\Contacts, as well as information on all drives and installed apps. The spear-phishing attack We found several interesting dynamic DNS domains resolving to a server that was used to deliver SideWinder’s malicious documents. The subdomains of these dynamic DNS domains are designed to be similar to the domains of their victims’ mail servers. For example, “mail-nepalgovnp[.]duckdns[.]org” was created to pretend to be the original Nepal government’s domain “mail[.]nepal[.]gov[.]np”. Digging deeper, we found that it hosted several phishing pages. These pages were copied from the webmail servers of various targets and then modi�ed for spear-phishing attacks designed to steal login credentials. Although it’s not clear to us how these phishing pages are delivered to the victims, �nding the original webmail servers that they copied to make these phishing pages allows us to identify who they were targeting. Analysis of the phishing pages revealed that most of them would redirect to the original webmail servers, which they copied after the victims sent out their login credentials. However, we also found some of them will either redirect to documents or news pages. These documents and news are probably interesting in some way to their targets and are used to make them click and log in to the phishing pages. While several of the documents are related to ----- ## Covid-19, we also found some documents or news related to territorial issues in South Asia, including:    **“India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” – a news article** **[that discusses India-China con�icts in May.](https://www.bbc.co.uk/news/world-asia-52852509)** **[“India reaction after new pak map.pdf” – a document talking about India’s response to the](https://www.deccanchronicle.com/nation/politics/040820/india-rejects-pakistans-new-political-map.html)** **new political map revealed by Pakistan in August.** **“Ambassador Yanchi Conversation with Nepali_Media.pdf” – a document describing an interview** **with China's ambassador to Nepal regarding Covid-19, the Belt and Road Initiative, and** **[territorial issues in the Humla district.](https://kathmandupost.com/national/2020/09/23/a-missing-border-pillar-in-humla-creates-row-between-nepal-and-china)** ## The following table shows their targets, related phishing domains, and lure documents used in each of the phishing attacks. |Date|Phishing Domain|Targeted Organization|Targeted Mail server|Redirection after login| |---|---|---|---|---| |2019 Nov||Government of Nepal|mail.nepal.gov. np|Redirect to Õle “IMG_0002.pdf”| |2019 Nov||Ministry of Defence, Nepal|mail.mod.gov. np|Redirect to original mail server| 2019 Dec mail mofagovnp.zapto[.]org Ministry of Foreign A�airs, Nepal mail.mofa.gov. np Redirect to web news “China, Nepal sign trade, infrastructure and security deals” ----- |2019 Dec|Col2|Government of Nepal|mail.nepal.gov. np|Redirect to Õle “c onsultation_152 3857630.pdf”| |---|---|---|---|---| |2020 Jan|imail.aop.gov-af[.]org|Administrative OÞce of the President, Afghanistan|imail.aop.gov.a f|Redirect to web page “O bservation Of Technology Use in Afghanistan Government Sector”| |2020 Jan|mail-nscaf.myftp[.]org|Afghanistan National Security Council|mail.nsc.gov.af|Redirect to https://wikipedia. org/USB_Killer| |2020 Jan|mail- nepalarmymilnp.duckdn s[.]org|Nepali Army|mail.nepalarm y.mil.np|Redirect to PDF “E N Digital Nepal Framework V8.4 15 July 2019.pdf”| 2020 Jan mail mofagovnp.hopto[.]org Ministry of Foreign A�airs, Nepal mail.mofa.gov. np Redirect to PDF “ national-security vol-3-issue-1 ----- |2020 Jan|webmail.mohe.gov- af[.]org|Ministry of Higher Education, Afghanistan|webmail.mohe .gov.af|Redirect to original mail server| |---|---|---|---|---| |2020 Feb||Ministry of Defense, Sri Lanka|mail.defence.lk|Login Error| |2020 Feb|mail.moha.gov-np[.]org|Ministry of Home Aàairs, Nepal|mail.moha.gov .np|Redirect to original mail server| |2020 Feb|mail.nsc.gov-af[.]org|Afghanistan National Security Council|mail.nsc.gov.af|Redirect to original mail server| |2020 Feb|mail.arg.gov-af[.]org|Presidential Palace, Afghanistan|mail.arg.gov.af|Redirect to original mail server| 2020 Feb mail.arg.gov-af[.]org Presidential Palace, Afghanistan essay SSimkhada.pdf” webmail.mohe Redirect to .gov.af original mail server mail.defence.lk Login Error mail.moha.gov Redirect to .np original mail server mail.nsc.gov.af Redirect to original mail server mail.arg.gov.af Redirect to original mail server mail.arg.gov.af Redirect to original mail server ----- |2020 Feb|Col2|Center for Education and Human Resource Development, Nepal|mail.doe.gov.n p|Redirect to Õle “Para Basic Course Joining Instruction.docx”| |---|---|---|---|---| |2020 Mar|mail- nepalgovnp.duckdns[.]o rg|Government of Nepal|mail.nepal.gov. np|Redirect to original mail server| |2020 Mar||Nepal Electricity Authority|mail.nea.org.n p|Redirect to original mail server| |2020 Mar|mail- nepalgovnp.duckdns[.]o rg|Government of Nepal|mail.nepal.gov. np|Redirect to Õle “central data form.pdf”| |2020 Mar|mail- nepalarmymilnp.duckdn s[.]org|Nepali Army|mail.nepalarm y.mil.np|Redirect to Õle “Corona Virus Preparedness and Response.pdf”| 2020 mail- Nepal Police mail.nepalpolic Redirect to �le ----- Mar nepalpolicegov.hopto[.] org e.gov.np “1987 Conducting training on COVID-19 and keeping it in readiness.pdf” |2020 Apr|mail-nrborg.hopto[.]org|Nepal Rastra Bank|mail.nrb.gov.n p|Redirect to Õle ”Õu.pdf”| |---|---|---|---|---| |2020 May|mail- nepalarmymilnp.duckdn s[.]org|Nepali Army|mail.nepalarm y.mil.np|Redirect to web news “India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh”| |2020 Jun|mail- nepalarmymilnp.duckdn s[.]org|Nepali Army|mail.nepalarm y.mil.np|Showing login failed message| |2020 Jul||Qatar Charity|mail.qcharity.o rg|Redirect to original mail server| ----- 2020 Jul 2020 Aug 2020 Aug 2020 Sep 2020 Sep 2020 Sep Myanma Posts and Telecommunicatio ns mail- Nepal Communist ncporgnp.hopto[.]org Party mail-nscaf.myftp[.]org Afghanistan National Security Council mail mofgovnp.hopto[.]org Ministry of Finance, Nepal mail- Nepal Communist ncporgnp.hopto[.]org Party imail.aop.gov-af[.]org Administrative O�ce of the webmail.mpt.n et.mm mail.ncp.org.n p mail.nsc.gov.af mail.mof.gov.n p mail.ncp.org.n p imail.aop.gov.a f Redirect to original mail server Redirect to �le “India reaction after new pak map.pdf” Redirect to 10[.]77[.]17[.]10/S oftware/03 Applications Redirect to �le “1987 Covid.pdf” Redirect to document “ The spectre of a new Maoist con�ict in Nepal” Redirect to �le “SOP of Military |2020 Aug|mail- ncporgnp.hopto[.]org|Nepal Communist Party|mail.ncp.org.n p|Redirect to Õle “India reaction after new pak map.pdf”| |---|---|---|---|---| |2020 Aug|mail-nscaf.myftp[.]org|Afghanistan National Security Council|mail.nsc.gov.af|Redirect to 10[.]77[.]17[.]10/S oftware/03- Applications| |2020 Sep|mail- mofgovnp.hopto[.]org|Ministry of Finance, Nepal|mail.mof.gov.n p|Redirect to Õle “1987 Covid.pdf”| |2020 Sep|mail- ncporgnp.hopto[.]org|Nepal Communist Party|mail.ncp.org.n p|Redirect to document “T he spectre of a new Maoist conÖict in Nepal”| ----- President, Afghanistan Uniform .pdf” |2020 Oct|mail- nepalpolicegovnp.duck dns[.]org|Nepal Police|mail.nepalpolic e.gov.np|Redirect to Õle “2077-07-03 1239 Regarding investigation and action.pdf”| |---|---|---|---|---| |2020 Oct||Civil Aviation Authority of Nepal|mail.caanepal. gov.np|Redirect to original mail server| |2020 Oct|mail- apfgovnp.ddns[.]net mail- apfgavnp.hopto[.]org|Armed Police Force, Nepal|mail.apf.gov.n p|Redirect to original mail server| |2020 Oct|mail-nscaf.myftp[.]org|Afghanistan National Security Council|mail.nsc.gov.af|Redirect to Õle “IT Services Request Form.pdf”| |2020 Nov|mail- ntcnetnp.serveftp[.]com|Nepal Telecom|webmail.ntc.n et.np|Redirect to original mail server| ----- |2020 Nov|mail-kmgcom.ddns[.]net|Kantipur Media Group|mail.kmg.com. np|Redirect to original mail server| |---|---|---|---|---| |2020 Nov||Federal Parliament of Nepal|mail.parliamen t.gov.np|Redirect to original mail server| |2020 Nov||Public Procurement Monitoring OÞce, Nepal|mail.ppmo.gov .np|Redirect to original mail server| |2020 Nov|mail- mfagovcn.hopto[.]org|Ministry of Foreign Aàairs, China|mail.mfa.gov.c n|Redirect to Õle “A mbassador Yanchi Conversation with Nepali_Media.pdf”| ----- Figure 8. SideWinder’s phishing page disguised as a Nepalese Army OWA (Outlook Web Access) Page ----- Figure 9. The lure document redirected from the phishing page that discusses Indian and Pakistani political map issues Figure 10. The lure document covering the interview of China’s ambassador to Nepal ## Android applications We also identi�ed multiple Android APK �les on their server. Interestingly, these Android applications still seem to be under the initial development phase as they are basic, still use the default Android icons, and have no practical function for users. Figure 11. The default Android icons used by the APKs ----- ## We noticed two applications among them, named “My First APP” and “Opinion Poll,” that seemingly have no malicious behavior. My First APP demonstrates login & register processes, while Opinion Poll acts as an opinion polling application for the Indian-Nepalese political map dispute. The �rst application is likely an Android demo application for beginners, while the second one starts with an explanation of “Opinion Writing,” followed by a survey. Figure 12. Non-malicious applications “My First APP” and “Opinion Poll” ## Another two applications were built from JavaPayload for Metasploit that will load extra code from the remote server con�gured in the sample. While we were unable to retrieve the payload, according to the Manifest that requests numerous privacy-related permissions like location, contacts, call logs, etc., we can infer that it goes after the user’s private data. These two samples appear to be debug versions as they have no activities or any other component except Metasploit. ----- Figure 13. Build from Metasploit and Request Permissions ## We also identi�ed a malicious version of the My First APP application that added Metasploit whose class names have been obfuscated. Figure 14. Malicious version of My First APP, which adds Metasploit ----- ## SideWinder has used malicious apps as part of its operation before. In the campaign referenced earlier, the group used malicious APKs disguised as photography and �le manager tools to lure users into downloading them. Once downloaded into the user’s mobile device, the malicious APKs launch a series of fairly sophisticated procedures that includes rooting the device to stealthily deploy the payload, as well as exploiting CVE-2019-2215 and MediaTek-SU vulnerabilities for root privileges. The payload’s ultimate goal is to gather information from the compromised device and then send it back to its C&C server. In the case of these newer APKs, it seems that the goal is to gather user information as well. Unlike the earlier apps, which were already on the Google Play Store, all the APK �les found on their server are not mature enough for a deliberate attack. In our opinion, these are still in the initial stage, and the payloads (directed at mobile users) are still being re�ned further. Conclusion As seen with their phishing attacks and their mobile device tools’ continuous development, SideWinder is very proactive in using trending topics like Covid 19 or various political issues as a social engineering technique to compromise their targets. Therefore, we recommend that users and organizations be vigilant and follow social engineering best practices to protect themselves from these kinds of campaigns. Indicator of Compromise Android Part IoCs **Indicator** **Package** **name** **Label** **C2 server** **Detection** ----- |0c182b51à1dàaa384651e4781556 32c6e65820322774e416be20e6d4 9bb8f9|com.example .Õrstandoida pp|My First App|-|Col5| |---|---|---|---|---| |061b0379a12b88488db8540226e4 00e3f65fef9a4c1aa7744da9f17e1d9 3d78d|com.example .opinionpoll|Opini onPol l|-|| |fb6ac9d93fd47db3d32f6da6320344 a125e96754a94babb9d9d12b6604 a42536|com.metaspl oit.stage|Main Activit y|https://185.2 25.19[.]46:45 89|AndroidOS_Me tasploit.HRX| |468b74883536938ef3962655dfcc3c a4097ca9b5b687dfc1fef58d50e96d c248|com.metaspl oit.stage|Main Activit y|tcp://185.22 5.19.46[:]487 5|AndroidOS_M etasploit.HRX| |a377e5f4bf461b86f938959256b7ab 8b1b40bb9fd3cd45951c736a22366 a8dd1|com.example .Õrstandoida pp|My First App|tcp://185.22 5.19.46[:]487 5|AndroidOS_Me tasploit.HRX| ## Malicious documents and related payloads IoCs ----- |Indicator|Description|D e t e c t i o n|T r e n d X| |---|---|---|---| 1CBEC920AFE2F978B8F84E0A4E6B757D400AEB96E8C0A22113 0060B196ECE010 docx T r o j a n . W 9 7 M . C V E 2 0 1 7 0 1 ----- 7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C 511C30675D0857 9 9 . F A I L RTF �le T r o j a n . W 9 7 M . S I D E W I N D E R ----- D o w n l o a d e r .J S . T R X . X X J S E 9 E F F 0 75C158CEA14E338C8D9D32ED988C7032DA9AE6D54F5B1126E D6A83F71B9E03BF . A 1.a JS �le T r o j a n . J S . S I D E W I N D E R . A ----- 1 8 |AB6E8563214EEB747ABF77F9CC50796CC6A0C0562C6BEC720D 7F2C978D34C412|Fake DUser.dll|T r o j a n . M S I L . S I D E W I N D E R . A|Col4| |---|---|---|---| CBD5C68F5C4345B68F018D9E5810574E8036A2BC4D826BE5C8 779E8019449957 Final payload T r ----- 34446F7F60F730FCCA145155D10D1AFF0A1153B085836DF3831 3772CD03C8D70 o j a n . W i n 3 2 . S I D E W I N D E R . B RTF �le T r o j a n . ----- 7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C 511C30675D0857 W 9 7 M . C V E 2 0 1 7 1 1 8 8 2 . Y Q U O O W V RTF �le T r o j a ----- AB7C1967BF1FEFDFFDE93626B78EB30994655AB02F59E0ADB0 935E3E599A953F n . W 9 7 M . S I D E W I N D E R . A RTF �le T r o j a n . W 9 7 M ----- D o w n l o a d e r .J S . T R X . 2548A819E4C597BA5958D2D18BAA544452948E5B0027157019 2CCD79ABE88E8D . S I D E W I N D E R . A 1.a JS �le T r o j a n . J S . S I D E W I N ----- X X J S E 9 E F F 0 1 8 D o w n l o a d e r .J S . T R X . X ED5E1D6E914DE64A203F2F32AB95176FC7EFFF3A520915971D 5FE748E79D611C D E R . A 1.a JS �le T r o j a n . J S . S I D E W I N D ----- X J S E 9 E F F 0 1 8 D o w n l o a d e r .J S . T R X . X X 96BF8F579ACB8D9D0FF116D05FDADEF85953F11E5B2E703041 FDAE0ABF5B75DC E R . A 1.a JS �le T r o j a n . J S . S I D E W I N D E ----- J S E 9 E F F 0 1 8 940265867D5668956D64ADF9FC4B9C6CF9E7FCFCF5C21BA7BF 0BEA77B5EDD047 R . A Fake DUser.dll T r o j a n . M S I L . S I D E W I N D ----- E R . A |B22946CFEFE8646CB034F358C68CAAE5F30C1CF316CFFEAF770 21C099E362C64|Fake DUser.dll|T r o j a n . M S I L . S I D E W I N D E R . A|Col4| |---|---|---|---| ----- 89E392FA49C6A6AEB9056E3D2F38B07D0DD7AF230CD22E3B0 1C71F05A3AECA0B EB2D82DD0799196FCF631E15305676D737DC6E40FF588DCF12 3EDACD023F1C46 Fake DUser.dll T r o j a n . M S I L . S I D E W I N D E R . A Final payload T r o j a n ----- 7ECAEFCB46CDDEF1AE201B1042A62DD093594C179A6913A2D E47AB98148545DD . W i n 3 2 . S I D E W I N D E R . B Final payload T r o j a n . W i n 3 ----- 799260B992C77E2E14F2D586665C570142D8425864455CAB5F 2575015CD0B87A 2 . S I D E W I N D E R . B Final payload T r o j a n . W i n 3 2 . S I D ----- E W I N D E R . B |brep.cdn-edu[.]net|RTF delivery server|Col3| |---|---|---| |www.mfa.Õlesrvr[.]net|RTF delivery server|| |www.google.gov-pok[.]net|RTF delivery server|| |ap-ms[.]net|C&C|| |cdn-sop[.]net|C&C|| |fqn-cloud[.]net|C&C|| ms-trace[.]net C&C ----- |imail.aop.gov-af[.]org|Phishing Domain|Col3| |---|---|---| |mail-apfgavnp.hopto[.]org|Phishing Domain|| |mail-apfgovnp.ddns[.]net|Phishing Domain|| |mail-kmgcom.ddns[.]net|Phishing Domain|| |mail-mfagovcn.hopto[.]org|Phishing Domain|| |mail-mofagovnp.hopto[.]org|Phishing Domain|| |mail-ncporgnp.hopto[.]org|Phishing Domain|| |mail-nepalarmymilnp.duckdns[.]org|Phishing Domain|| |mail-nepalgovnp.duckdns[.]org|Phishing Domain|| mail-nepalpolicegov.hopto[.]org Phishing Domain ----- |mail-nepalpolicegovnp.duckdns[.]org|Phishing Domain|Col3| |---|---|---| |mail-nrborg.hopto[.]org|Phishing Domain|| |mail-nscaf.myftp[.]org|Phishing Domain|| |mail-ntcnetnp.serveftp[.]com|Phishing Domain|| |mail.arg.gov-af[.]org|Phishing Domain|| |mail.moha.gov-np[.]org|Phishing Domain|| |mail.nsc.gov-af[.]org|Phishing Domain|| |webmail.mohe.gov-af[.]org|Phishing Domain|| ### Tags [Research](https://www.trendmicro.com/en_us/research.html?category=trend-micro-blogs:article-type/research) | [Articles, News, Reports](https://www.trendmicro.com/en_us/research.html?category=trend-micro-blogs:medium/article) | [APT & Targeted Attacks](https://www.trendmicro.com/en_us/research.html?category=trend-micro-blogs:threats/apt-and-targeted-attacks) ----- ## Contact Sales Locations Careers Newsroom Privacy Accessibility Support Site map ##      Copyright © 2020 Trend Micro Incorporated. All rights reserved. -----