# Copy cat of APT Sidewinder ? **[medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d](https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d)** On twitter this weekend,@Timele9527 thought to found a new instance of APT [Sidewinder. https://twitter.com/Timele9527/status/1147750939576586244](https://twitter.com/Timele9527/status/1147750939576586244) After different analyses, It’s not APT Sidewinder. July 9, 2019 The execution of the dropper: https://app.any.run/tasks/487b8762-997a-4d68-90721111b99967cf The dropper uses the same techniques: Downloading HTA Decode backdoor and drops files in the %TEMP% Use the same name “prebothta” Use the same name of dll for the sideloading and the same legit software But many things are completely different. ## Operating Mode First thing the droppers downloads the HTA file in vidyasagaracademybrg.in. This website is an academic location. After verification on Google Earth, this location exists really. ----- ----- Or Sidewinder is linked to the India. It’s very strange for this group to compromise website an Indian school to target Afghanistan People. I think it’s not a fake website: https://www.facebook.com/197655951060181/posts/httpwwwvidyasagaracademybrgind efaultaspx/197663174392792/ ## Network The second way, it’s the nomenclature of name. Usually, Sidewinder uses domains near of cdn names. The protocols of the hta file and the backdoor is completely differents. The backdoor used a text protocol without encryption _<|MAINSOCKET|><|ID|>760–858–340<|>6042<|END|><|PING|><|PONG|>_ _<|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|>_ _<|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|>_ _<|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|>_ _<|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|>_ _<|SETPING|>62<|END|>_ <|DESKTOPSOCKET|>760–858–340<|END|> The id of the victim is in the protocol unusual. Or Sidewinder use HTTP protocol for example: for the HTA if all checks are ok: _GET /plugins/17285/93/true/true/_ and the backdoor: _GET /ESmDEr7MDJw1r9jR9O4XGAVcBgCCySlZdmV3WU1J/17285/93/77223451/css_ _HTTP/1.1_ ## Execution The first stage of Sidewinder uses RTF exploits not an LNK in a Rar file. Another thing is the persistence with .bat, usually it’s the RTF exploit which create a Run Key. The side loading loads duser.dll which executes an exe itstr.exe coded in delphi which is the backdoor. ----- The lasted instance of Sidewinder the backdoor was written in C++ and his old backdoor was coded in VB6. This backdoor is executed in FUN_10001100 And this function is called by the dllmain. ----- Usually, Sidewinder uses a dll like backdoor not a executable file. In the sequence of installation of the backdoor, this attack don’t use .NET serialization and it’s an important feature of the Sidewinder. ## About the Backdoor The backdoor used is Allakore_Remote. It’s an opensource software written in Delphi. [https://github.com/Grampinha/AllaKore_Remote](https://github.com/Grampinha/AllaKore_Remote) We found the same protocol. In this file https://github.com/Grampinha/AllaKore_Remote/blob/master/Source/Client/Form_M ain.pas we found many strings in the function FUN_0062ae18. Sidewinder don’t use open source usually. ## Threat Intelligence This attack is against Afghanistan and the society participate at the conference of ICC at Paris ----- The image file in the document of the spear phishing Sidewinder usually targets gov or military organization of Pakistan. **IOCs** Main object“3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244” ssdeep_parts [object Object] sha256 3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244 sha1 2848db54d87006714309ce6a1c4ce92e5a29aab7 md5 7af11efe4454dab75ad2338124be149d Dropped executable file C:\ProgramData\dsk\credwiz.exe 17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf C:\ProgramData\dsk\DUser.dll ----- 709d548a42500b15db4b171711a31a2ab227f508f60d4cde670b2b9081ce56af C:\Users\admin\AppData\Local\Temp\Windows Cleaner\itstr.exe 26ca6af15ff8273733a6a386a482357256ac4373a8641e486fb646bc9c525afa domain vidyasagaracademybrg.in ip 167.86.116.39 ip 143.95.251.24 HTTP/HTTPS requests [url http://vidyasagaracademybrg.in/scripts/lnk/comm/](http://vidyasagaracademybrg.in/scripts/lnk/comm/) [url http://vidyasagaracademybrg.in/scripts/lnk/comm](http://vidyasagaracademybrg.in/scripts/lnk/comm) [url http://vidyasagaracademybrg.in/scripts/am/](http://vidyasagaracademybrg.in/scripts/am/) [url http://vidyasagaracademybrg.in/scripts/lnk/comm/comm.hta](http://vidyasagaracademybrg.in/scripts/lnk/comm/comm.hta) [url http://vidyasagaracademybrg.in/scripts/am/am_cy_167.hta](http://vidyasagaracademybrg.in/scripts/am/am_cy_167.hta) -----