Cyble Research Team recently came across new malware variants related to SideWinder (aka Rattlesnake or T-APT-04) APT threat group. We noted that the group is targeting organizations through spam emails with maliciously crafted documents as well as through archived malicious link files.
SideWinder APT Background: It a known threat actor, who mainly targets Pakistan military and has been active since 2012. In recent attacks, we have observed that SideWinder APT uses two different initial infection vectors.
1. Maliciously crafted document named “Protocol.doc” with topic related to “Poland and Pakistan together for Security” that leverages the exploits of known vulnerability CVE-2017-11882. The below diagram shows RTF file with exploit shellcode which leads to the successful installation of actual payload.
2. Zip archive named “Audit_Observation2019.zip” that abuses link files to download additional payloads on victim’s machine, as shown below.
Figure2: Malicious LNK file inside archive file
After successful exploitation, malicious payload files are stored in %ProgramData%\SyncFiles\ directory as shown in Figure3.
Upon execution, Rekeywiz.exe file creates Mutex called “Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208″ to mark single instance of its execution on the victim machine. Then it checks for MasterKeyHistory value in the following registry path “SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys” and enables EFS by setting flag as feclient-EfsEnabled.
Finally, Rekeywiz.exe loads and executes actual SideWinder payload named “Duser.dll”. It is a Microsoft Visual C# / Basic .NET compiled Dynamic link library with less AV detection as shown below.
Further Rekeywiz.exe encrypts filesystem using ECDH-P256 encryption method, with the uses windows API’s like “SetUserFileEncryptionKeyEx. The encrypted content is stored in current directory as “Y2EKaMo.tmp”, file content is as shown in figure6.
After successful infection malware creates background network communication to C2 IP 185.99.133[.]58 as in the figure.
Remediation
Here are the steps to prevent targeted attacks like SideWinder.
- Disable EFS encryption in windows.
- Keep sloid cyber threat intelligence program with latest IOCs of emerging threats.
- Keep systems up to date with security patch updates
- Do not open attachments from e-mails or only open them if you can be sure that the sender and not malware sent the e-mail
Conclusion
Advanced Persistence Threats are consciously evolving, deploying new tactic and techniques so that makes itself successful in targeted cyber-attacks.
Cyble Research team is continuously monitoring to harvest indicator/TTP’s of Emerging APT’s in the wild to ensure the targeted organizations are well informed and protected proactively.
List of IOC’s:
File Hash:(MD5)
Ea0b79cd48fe50cec850e8b9733d11b2 – Audit_Observation2019.zip
1cf37a0a8a5f5704a3df692d84a16a71 – Protocol.doc
3b29d0cef6d23779dd08c6e92776d368 – Duser.dll
082ed4a73761682f897ea1d7f4529f69 – Rekeywiz.exe
C2 Domain’s:
www[.]fbr-gov[.]aws-pk[.]net
cdn-aws-s2[.]net
fqn-cloud[.]net
IP’s:
185.99.133[.]58
Mutex:
Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208
