SideWinder, a prolific nation-state actor primarily recognized for concentrating on Pakistan navy entities, compromised the official web site of the Nationwide Electrical Energy Regulatory Authority (NEPRA) to ship a tailor-made malware known as WarHawk.
“The newly found WarHawk backdoor accommodates numerous malicious modules that ship Cobalt Strike, incorporating new TTPs resembling KernelCallBackTable injection and Pakistan Normal Time zone verify with a view to guarantee a victorious marketing campaign,” Zscaler ThreatLabz mentioned.
The menace group, additionally known as APT-C-17, Rattlesnake, and Razor Tiger, is suspected to be an Indian state-sponsored group, though a report from Kaspersky earlier this Could acknowledged earlier indicators that led to the attribution have since disappeared, making it difficult it to hyperlink the menace cluster to a selected nation.
Greater than 1,000 assaults are mentioned to have been launched by the group since April 2020, a sign of SideWinder’s newfound aggression because it commenced operations a decade in the past in 2012.
The intrusions have been important not solely with regard to their frequency but in addition of their persistence, even because the group takes benefit of a large arsenal of obfuscated and newly-developed elements.
In June 2022, the menace actor was discovered leveraging an AntiBot script that is designed to filter their victims to verify the shopper browser surroundings, particularly the IP deal with, to make sure the targets are positioned in Pakistan.
The September marketing campaign noticed by Zscaler entails using a weaponized ISO file hosted on NEPRA’s web site to activate a killchain that results in the deployment of the WarHawk malware, with the artifact additionally performing as a decoy to cover the malicious exercise by displaying a authentic advisory issued by the Cupboard Division of Pakistan on July 27, 2022.
WarHawk, for its half, masquerades as authentic apps resembling ASUS Replace Setup and Realtek HD Audio Supervisor to lure unsuspecting victims into execution, ensuing the exfiltration of system metadata to a hard-coded distant server, whereas additionally receiving extra payloads from the URL.
This features a command execution module that is chargeable for the execution of system instructions on the contaminated machine obtained from the command-and-control server, a file supervisor module that recursively enumerates recordsdata current in several drives, and an add module that transmits recordsdata of curiosity to the server.
Additionally deployed as a second-stage payload utilizing the aforementioned command execution module is a Cobalt Strike Loader, which validates the host’s time zone to substantiate it matches the Pakistan Normal Time (PKT), failing which the method is terminated.
Following the anti-anThe loader injects shellcode right into a notepad.exe course of utilizing a way known as KernelCallbackTable course of injection, with the malware writer lifting supply code from a technical write-up revealed in April 2022 by a researcher who goes by the web alias Capt. Meelo.
The shellcode then decrypts and hundreds Beacon, the default malware payload utilized by Cobalt Strike to determine a connection to its command-and-control server.
Per the cybersecurity firm, the assault marketing campaign’s connections to the SideWinder APT stem from the reuse of community infrastructure that has been recognized as utilized by the group in prior espionage-focused actions in opposition to Pakistan.
“The SideWinder APT Group is repeatedly evolving their ways and including new malware to their arsenal with a view to perform profitable espionage assault campaigns in opposition to their targets,” the researchers concluded.
