# SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks **[trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html](https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html)** APT & Targeted Attacks December 9, 2020 While tracking the activities of the SideWinder group, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. In addition, we also found multiple Android APK files on their phishing server. By: Joseph C Chen, Jaromir Horejsi, Ecular Xu December 09, 2020 Read time: ( words) While tracking the activities of the SideWinder group, which has become infamous for targeting the South Asia region and its surrounding countries, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. We learned that these pages were copied from their victims’ webmail login pages and subsequently modified for phishing. We believe further activities are propagated via spear-phishing attacks. The group’s targets include multiple government and military units, mainly in Nepal and Afghanistan. After the gathered credentials are sent, some of the phishing pages will redirect victims to different documents or news pages. The themes and topics of these pages and documents are related to either Covid-19 or recent territory disputes between Nepal, Pakistan, India, and China. Furthermore, it seems that these lures are distributed via phishing links. We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit. One of the normal applications, called “OpinionPoll,” is a survey app for gathering opinions regarding the Nepal-India political map dispute, which seems to be another political lure similar to the one they used in the spear-phishing portion. We believe these applications are still under development and will likely be used to compromise mobile devices in the future. [SideWinder has been very active in 2020. Earlier this year, we published a report on how the SideWinder APT group used the Binder exploit to](https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html) [attack mobile devices. The group also launched attacks against Pakistan, Bangladesh, and China using lure files related to Covid-19.](https://www.anquanke.com/post/id/210404) ## Analysis of the malicious document The use of malicious documents is one of SideWinder’s most common infection vectors. We collected several different samples from the campaign, including: 1. An LNK file that downloads an RTF file and drops a JavaScript file 2. A ZIP file containing an LNK file, which downloads an HTA file (with JavaScript) 3. An RTF file that drops a JavaScript file 4. A PDF file with an embedded JavaScript stream 5. A DOCX file with an external link to an OLE object (RTF file), which contains and drops a JavaScript file ----- Figure 1. An example of a downloaded ZIP file containing an LNK file that is used to download a malicious HTA file All of these cases end up with either the downloading or dropping of files and then the execution of JavaScript code, which is a dropper used to install the main backdoor + stealer. [The downloaded RTF files exploit the CVE-2017-11882 vulnerability. It drops a file named 1.a (a JavaScript code), which drops the backdoor +](https://www.trendmicro.com/vinfo/tmr/?/ph/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild) stealer into a folder in ProgramData and directly executes it or creates a scheduled task to execute the dropped files at a later time. Figure 2. A scheduled task with a command to execute the dropped backdoor + stealer The content of the newly created folder contains a few files, including Rekeywiz (EFS REKEY wizard, FA86B5BC5343CA92C235304B8DCBCF4188C6BE7D4621C625564BEBD5326ED850), which is a legitimate Windows application. Figure 3. List of dropped files This application loads various system DLL libraries, including shell32.dll, which sideloads DUser.dll, one of shell32’s DelayImports. Figure 4. DUser library as DelayImport of shell32 library However, a fake DUser.dll gets loaded into the process. This fake DLL library decrypts the main backdoor + stealer from the .tmp file in the same directory. Figure 5. Algorithm for decrypting both main backdoor + stealer and configuration The decryption process is a simple XOR, where the key is the first 32 bytes from the encrypted file and the payload are the remaining bytes. The decrypted payload is the main backdoor .NET executable binary. ----- Figure 6. Decrypted main SystemApp with listing its classes and resources In Resources, the Default resource contains the encrypted configuration. After decryption (using the same principle as with the main backdoor + stealer), the configuration reveals which file formats the attackers are targeting. Figure 7. The decrypted configuration The main functions of the backdoor + stealer are: 1) Downloading the .NET executable and running it 2) Collecting system information and uploading it to the command-and-control (C&C) server 3) Uploading selected files to the C&C server The collected information is in JSON format (hence why the Newtonsoft_Json library stored in Resources is loaded) and includes information such as privileges, user accounts, computer system information, antivirus programs, running processes, processor information, operating system information, timezone, installed Windows updates, network information, list of directories in Users\%USERNAME%\Desktop, Users\%USERNAME%\Downloads, Users\%USERNAME%\Documents, Users\%USERNAME%\Contacts, as well as information on all drives and installed apps. ## The spear-phishing attack We found several interesting dynamic DNS domains resolving to a server that was used to deliver SideWinder’s malicious documents. The subdomains of these dynamic DNS domains are designed to be similar to the domains of their victims’ mail servers. For example, “mailnepalgovnp[.]duckdns[.]org” was created to pretend to be the original Nepal government’s domain “mail[.]nepal[.]gov[.]np”. Digging deeper, we found that it hosted several phishing pages. These pages were copied from the webmail servers of various targets and then modified for spear-phishing attacks designed to steal login credentials. Although it’s not clear to us how these phishing pages are delivered to the victims, finding the original webmail servers that they copied to make these phishing pages allows us to identify who they were targeting. Analysis of the phishing pages revealed that most of them would redirect to the original webmail servers, which they copied after the victims sent out their login credentials. However, we also found some of them will either redirect to documents or news pages. These documents and news are probably interesting in some way to their targets and are used to make them click and log in to the phishing pages. While several of the documents are related to Covid-19, we also found some documents or news related to territorial issues in South Asia, including: [“India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” – a news article that discusses India-China conflicts in](https://www.bbc.co.uk/news/world-asia-52852509) May. “India reaction after new pak map.pdf” – a document talking about India’s [response to the new political map revealed by Pakistan in](https://www.deccanchronicle.com/nation/politics/040820/india-rejects-pakistans-new-political-map.html) August. “Ambassador Yanchi Conversation with Nepali_Media.pdf” – a document describing an interview with China's ambassador to Nepal [regarding Covid-19, the Belt and Road Initiative, and territorial issues in the Humla district.](https://kathmandupost.com/national/2020/09/23/a-missing-border-pillar-in-humla-creates-row-between-nepal-and-china) The following table shows their targets, related phishing domains, and lure documents used in each of the phishing attacks. **Date** **Phishing Domain** **Targeted Organization** **Targeted Mail server** **Redirection after login** 2019 Nov 2019 Nov Government of Nepal mail.nepal.gov.np Redirect to file “IMG_0002.pdf” Ministry of Defence, Nepal mail.mod.gov.np Redirect to original mail server ----- 2019 Dec 2019 Dec 2020 Jan 2020 Jan 2020 Jan 2020 Jan 2020 Jan 2020 Feb 2020 Feb 2020 Feb 2020 Feb 2020 Feb 2020 Feb 2020 Mar 2020 Mar 2020 Mar 2020 Mar 2020 Mar 2020 Apr mail-mofagovnp.zapto[.]org Ministry of Foreign Affairs, Nepal mail.mofa.gov.np Redirect to web news “China, Nepal sign trade, infrastructure and security deals” Government of Nepal mail.nepal.gov.np Redirect to file “ consultation_1523857630.pdf” imail.aop.gov-af[.]org Administrative Office of the President, Afghanistan mail-nscaf.myftp[.]org Afghanistan National Security Council imail.aop.gov.af Redirect to web page “ Observation Of Technology Use in Afghanistan Government Sector” mail.nsc.gov.af Redirect to https://wikipedia.org/USB_Killer mailnepalarmymilnp.duckdns[.]org Nepali Army mail.nepalarmy.mil.np Redirect to PDF “ EN Digital Nepal Framework V8.4 15 July 2019.pdf” mail-mofagovnp.hopto[.]org Ministry of Foreign Affairs, Nepal webmail.mohe.gov-af[.]org Ministry of Higher Education, Afghanistan mail.mofa.gov.np Redirect to PDF “ national-security-vol3-issue-1-essay-SSimkhada.pdf” webmail.mohe.gov.af Redirect to original mail server Ministry of Defense, Sri Lanka mail.defence.lk Login Error mail.moha.gov-np[.]org Ministry of Home Affairs, Nepal mail.moha.gov.np Redirect to original mail server mail.nsc.gov-af[.]org Afghanistan National Security Council mail.arg.gov-af[.]org Presidential Palace, Afghanistan mail.arg.gov-af[.]org Presidential Palace, Afghanistan Center for Education and Human Resource Development, Nepal mail.nsc.gov.af Redirect to original mail server mail.arg.gov.af Redirect to original mail server mail.arg.gov.af Redirect to original mail server mail.doe.gov.np Redirect to file “Para Basic Course Joining Instruction.docx” mail-nepalgovnp.duckdns[.]org Government of Nepal mail.nepal.gov.np Redirect to original mail server Nepal Electricity Authority mail.nea.org.np Redirect to original mail server mail-nepalgovnp.duckdns[.]org Government of Nepal mail.nepal.gov.np Redirect to file “central data form.pdf” mailnepalarmymilnp.duckdns[.]org Nepali Army mail.nepalarmy.mil.np Redirect to file “Corona Virus Preparedness and Response.pdf” mail-nepalpolicegov.hopto[.]org Nepal Police mail.nepalpolice.gov.np Redirect to file “1987 Conducting training on COVID-19 and keeping it in readiness.pdf” mail-nrborg.hopto[.]org Nepal Rastra Bank mail.nrb.gov.np Redirect to file ”fiu.pdf” ----- 2020 May 2020 Jun 2020 Jul 2020 Jul 2020 Aug 2020 Aug 2020 Sep 2020 Sep 2020 Sep 2020 Oct 2020 Oct 2020 Oct 2020 Oct 2020 Nov 2020 Nov 2020 Nov 2020 Nov 2020 Nov mailnepalarmymilnp.duckdns[.]org mailnepalarmymilnp.duckdns[.]org Public Procurement Monitoring Office, Nepal mail-mfagovcn.hopto[.]org Ministry of Foreign Affairs, China Nepali Army mail.nepalarmy.mil.np Redirect to web news “India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” Nepali Army mail.nepalarmy.mil.np Showing login failed message Qatar Charity mail.qcharity.org Redirect to original mail server Myanma Posts and Telecommunications webmail.mpt.net.mm Redirect to original mail server mail-ncporgnp.hopto[.]org Nepal Communist Party mail.ncp.org.np Redirect to file “India reaction after new pak map.pdf” mail-nscaf.myftp[.]org Afghanistan National Security Council mail-mofgovnp.hopto[.]org Ministry of Finance, Nepal mail.nsc.gov.af Redirect to 10[.]77[.]17[.]10/Software/03Applications mail.mof.gov.np Redirect to file “1987 Covid.pdf” mail-ncporgnp.hopto[.]org Nepal Communist Party mail.ncp.org.np Redirect to document “ The spectre of a new Maoist conflict in Nepal” imail.aop.gov-af[.]org Administrative Office of the President, Afghanistan imail.aop.gov.af Redirect to file “SOP of Military Uniform .pdf” mailnepalpolicegovnp.duckdns[.]org mail-apfgovnp.ddns[.]net mail-apfgavnp.hopto[.]org Nepal Police mail.nepalpolice.gov.np Redirect to file “2077-07-03 1239 Regarding investigation and action.pdf” Civil Aviation Authority of Nepal mail.caanepal.gov.np Redirect to original mail server Armed Police Force, Nepal mail.apf.gov.np Redirect to original mail server mail-nscaf.myftp[.]org Afghanistan National Security Council mail.nsc.gov.af Redirect to file “IT Services Request Form.pdf” mail-ntcnetnp.serveftp[.]com Nepal Telecom webmail.ntc.net.np Redirect to original mail server mail-kmgcom.ddns[.]net Kantipur Media Group mail.kmg.com.np Redirect to original mail server Federal Parliament of Nepal mail.parliament.gov.np Redirect to original mail server mail.ppmo.gov.np Redirect to original mail server mail.mfa.gov.cn Redirect to file “ Ambassador Yanchi Conversation with Nepali_Media.pdf” ----- Figure 8. SideWinder’s phishing page disguised as a Nepalese Army OWA (Outlook Web Access) Page Figure 9. The lure document redirected from the phishing page that discusses Indian and Pakistani political map issues ----- Figure 10. The lure document covering the interview of China’s ambassador to Nepal ## Android applications We also identified multiple Android APK files on their server. Interestingly, these Android applications still seem to be under the initial development phase as they are basic, still use the default Android icons, and have no practical function for users. Figure 11. The default Android icons used by the APKs We noticed two applications among them, named “My First APP” and “Opinion Poll,” that seemingly have no malicious behavior. My First APP demonstrates login & register processes, while Opinion Poll acts as an opinion polling application for the Indian-Nepalese political map dispute. The first application is likely an Android demo application for beginners, while the second one starts with an explanation of “Opinion Writing,” followed by a survey. Figure 12. Non-malicious applications “My First APP” and “Opinion Poll” [Another two applications were built from JavaPayload for Metasploit that will load extra code from the remote server configured in the sample.](https://github.com/rapid7/metasploit-payloads/tree/master/java) While we were unable to retrieve the payload, according to the Manifest that requests numerous privacy-related permissions like location, contacts call logs etc we can infer that it goes after the user’s private data These two samples appear to be debug versions as they have no ----- act t es o a y ot e co po e t e cept etasp o t Figure 13. Build from Metasploit and Request Permissions We also identified a malicious version of the My First APP application that added Metasploit whose class names have been obfuscated. Figure 14. Malicious version of My First APP, which adds Metasploit SideWinder has used malicious apps as part of its operation before. In the campaign referenced earlier, the group used malicious APKs disguised as photography and file manager tools to lure users into downloading them. Once downloaded into the user’s mobile device, the malicious APKs launch a series of fairly sophisticated procedures that includes rooting the device to stealthily deploy the payload, as well as exploiting CVE-2019-2215 and MediaTek-SU vulnerabilities for root privileges. The payload’s ultimate goal is to gather information from the compromised device and then send it back to its C&C server. In the case of these newer APKs, it seems that the goal is to gather user information as well. Unlike the earlier apps, which were already on the Google Play Store, all the APK files found on their server are not mature enough for a deliberate attack. In our opinion, these are still in the initial stage, and the payloads (directed at mobile users) are still being refined further. ## Conclusion As seen with their phishing attacks and their mobile device tools’ continuous development, SideWinder is very proactive in using trending topics like Covid-19 or various political issues as a social engineering technique to compromise their targets. Therefore, we recommend that [users and organizations be vigilant and follow social engineering best practices to protect themselves from these kinds of campaigns.](https://www.trendmicro.com/vinfo/tmr/?/ph/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks) ## Indicator of Compromise **Android Part IoCs** **Indicator** **Package name** **Label** **C2 server** 0c182b51ff1dffaa384651e478155632c6e65820322774e416be20e6d49bb8f9 com.example.firstandoidapp My First App 061b0379a12b88488db8540226e400e3f65fef9a4c1aa7744da9f17e1d93d78d com.example.opinionpoll OpinionPoll ----- fb6ac9d93fd47db3d32f6da6320344a125e96754a94babb9d9d12b6604a42536 com.metasploit.stage MainActivity https://185.225.19[. 468b74883536938ef3962655dfcc3ca4097ca9b5b687dfc1fef58d50e96dc248 com.metasploit.stage MainActivity tcp://185.225.19.46 a377e5f4bf461b86f938959256b7ab8b1b40bb9fd3cd45951c736a22366a8dd1 com.example.firstandoidapp My First App **Malicious documents and related payloads IoCs** **Indicator** **Description** **Detection** tcp://185.225.19.46 1CBEC920AFE2F978B8F84E0A4E6B757D400AEB96E8C0A221130060B196ECE010 docx Trojan.W97M.CVE20170199.FAIL 7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C511C30675D0857 RTF file Trojan.W97M.SIDEWINDER.A 75C158CEA14E338C8D9D32ED988C7032DA9AE6D54F5B1126ED6A83F71B9E03BF 1.a JS file Trojan.JS.SIDEWINDER.A AB6E8563214EEB747ABF77F9CC50796CC6A0C0562C6BEC720D7F2C978D34C412 Fake DUser.dll CBD5C68F5C4345B68F018D9E5810574E8036A2BC4D826BE5C8779E8019449957 Final payload Trojan.MSIL.SIDEWINDER.A Trojan.Win32.SIDEWINDER.B 34446F7F60F730FCCA145155D10D1AFF0A1153B085836DF38313772CD03C8D70 RTF file Trojan.W97M.CVE201711882.YQUOOW 7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C511C30675D0857 RTF file Trojan.W97M.SIDEWINDER.A AB7C1967BF1FEFDFFDE93626B78EB30994655AB02F59E0ADB0935E3E599A953F RTF file Trojan.W97M.SIDEWINDER.A 2548A819E4C597BA5958D2D18BAA544452948E5B00271570192CCD79ABE88E8D 1.a JS file Trojan.JS.SIDEWINDER.A ED5E1D6E914DE64A203F2F32AB95176FC7EFFF3A520915971D5FE748E79D611C 1.a JS file Trojan.JS.SIDEWINDER.A 96BF8F579ACB8D9D0FF116D05FDADEF85953F11E5B2E703041FDAE0ABF5B75DC 1.a JS file Trojan.JS.SIDEWINDER.A 940265867D5668956D64ADF9FC4B9C6CF9E7FCFCF5C21BA7BF0BEA77B5EDD047 Fake DUser.dll B22946CFEFE8646CB034F358C68CAAE5F30C1CF316CFFEAF77021C099E362C64 Fake DUser.dll 89E392FA49C6A6AEB9056E3D2F38B07D0DD7AF230CD22E3B01C71F05A3AECA0B Fake DUser.dll EB2D82DD0799196FCF631E15305676D737DC6E40FF588DCF123EDACD023F1C46 Final payload 7ECAEFCB46CDDEF1AE201B1042A62DD093594C179A6913A2DE47AB98148545DD Final payload 799260B992C77E2E14F2D586665C570142D8425864455CAB5F2575015CD0B87A Final payload brep.cdn-edu[.]net RTF delivery server Trojan.MSIL.SIDEWINDER.A Trojan.MSIL.SIDEWINDER.A Trojan.MSIL.SIDEWINDER.A Trojan.Win32.SIDEWINDER.B Trojan.Win32.SIDEWINDER.B Trojan.Win32.SIDEWINDER.B ----- www.mfa.filesrvr[.]net RTF delivery server www.google.gov-pok[.]net RTF delivery server ap-ms[.]net C&C cdn-sop[.]net C&C fqn-cloud[.]net C&C ms-trace[.]net C&C imail.aop.gov-af[.]org Phishing Domain mail-apfgavnp.hopto[.]org Phishing Domain mail-apfgovnp.ddns[.]net Phishing Domain mail-kmgcom.ddns[.]net Phishing Domain mail-mfagovcn.hopto[.]org Phishing Domain mail-mofagovnp.hopto[.]org Phishing Domain mail-ncporgnp.hopto[.]org Phishing Domain mail-nepalarmymilnp.duckdns[.]org Phishing Domain mail-nepalgovnp.duckdns[.]org Phishing Domain mail-nepalpolicegov.hopto[.]org Phishing Domain mail-nepalpolicegovnp.duckdns[.]org Phishing Domain mail-nrborg.hopto[.]org Phishing Domain mail-nscaf.myftp[.]org Phishing Domain mail-ntcnetnp.serveftp[.]com Phishing Domain mail.arg.gov-af[.]org Phishing Domain ----- mail.moha.gov-np[.]org Phishing Domain mail.nsc.gov-af[.]org Phishing Domain webmail.mohe.gov-af[.]org Phishing Domain -----