SideWinder, a suspected Indian-origin Advanced Persistent Threat (APT) actor, carried out previously unreported phishing operations against 61 government, military, law enforcement and other organisations across Asia between June and November 2021, according to a report from Group-IB.
The group is believed to be one of the oldest nation-state groups, having been active since at least 2012.
Like many other advanced threat actors, SideWinder, also known as Rattlesnake, used the Telegram messaging app to receive information from compromised networks. The group, known for conducting hundreds of espionage operations within a short span, has a confirmed interest in cryptocurrency and was found to have targeted government organisations in Bhutan, Myanmar, Nepal, Sri Lanka and Afghanistan, the report said.
The group was also found to be behind phishing projects mimicking crypto companies, which are believed to be linked to the recent attempts to regulate the crypto markets in India.
The APT group uses spear phishing as its initial attack vector. It sends victims phishing emails containing malicious attachments or URLs which, when downloaded, deliver a malicious payload. The payload is then used to steal sensitive information by exploiting vulnerabilities in the victim's devices.
Among the newly discovered tools used by the group were SideWinder.RAT.b, a remote access Trojan, and SideWinder.StealerPy, a custom information stealer written in Python that exfiltrates Google Chrome browsing history, credentials saved in the browser, a list of folders in the directory, and system metadata.
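Two behaviours described above give defenders something concrete to look for: a process other than the browser reading Chrome's profile databases (the stealer's source of browsing history and saved credentials), and a host reaching the Telegram Bot API at api.telegram.org from a process that is not a Telegram client (the channel used to receive data from compromised networks). The following detection sketch is an added example, not Group-IB's code or any SideWinder tooling; the event format, the sample telemetry, the Chrome profile path pattern and the two allow-lists are constructed assumptions that a real deployment would replace with its own EDR schema and tuning.

```python
"""Detection sketch (added example, not from the report): flag a non-browser
process reading Chrome's History / Login Data files, and a non-Telegram
process connecting to the Telegram Bot API host.

The event dictionaries, allow-lists and path regex are assumptions."""
import re
from dataclasses import dataclass

# Chrome profile files the stealer description names (history, saved
# credentials). The on-disk layout matched here is an assumption.
CHROME_SENSITIVE_FILE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(History|Login Data)$", re.IGNORECASE
)

# Assumed allow-lists: processes expected to touch Chrome profile files, and
# processes expected to reach api.telegram.org. Tune per environment.
BROWSER_PROCESSES = {"chrome.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    rule: str
    detail: str


def check_file_event(ev):
    """Finding if a non-browser process reads Chrome's History or Login Data."""
    if ev.get("type") != "file_read":
        return None
    if not CHROME_SENSITIVE_FILE.search(ev["path"]):
        return None
    if ev["process"].lower() in BROWSER_PROCESSES:
        return None
    return Finding(ev["host"], ev["process"], "chrome_profile_access",
                   f"{ev['process']} read {ev['path']}")


def check_network_event(ev):
    """Finding if a process outside the Telegram allow-list contacts the Bot API."""
    if ev.get("type") != "net_connect":
        return None
    if ev["dest_host"].lower() != TELEGRAM_API_HOST:
        return None
    if ev["process"].lower() in TELEGRAM_CLIENTS:
        return None
    return Finding(ev["host"], ev["process"], "telegram_api_egress",
                   f"{ev['process']} connected to {ev['dest_host']}:{ev['dest_port']}")


CHECKS = (check_file_event, check_network_event)


def analyze(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not from the report): one benign browser read,
# one suspicious read by python.exe, one suspicious Telegram egress, and two
# benign connections.
SAMPLE_EVENTS = [
    {"type": "file_read", "host": "ws-17", "process": "chrome.exe",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"type": "file_read", "host": "ws-17", "process": "python.exe",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "net_connect", "host": "ws-17", "process": "python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "net_connect", "host": "ws-02", "process": "Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "net_connect", "host": "ws-02", "process": "outlook.exe",
     "dest_host": "outlook.office365.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Both rules fire on the same host in the sample, which is the correlation worth alerting on: a scripting runtime reading the browser's credential store and then talking to a messaging API is a stronger signal than either event alone. Whether legitimate software in a given environment ever reaches api.telegram.org is an empirical question, so the allow-list is a starting point, not a fact about Telegram clients.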
Group-IB waited so long before sharing information about the SideWinder APT to ensure it could catalogue the group's entire arsenal, retrieve information from backups and reverse engineer the tools the group used. Group-IB also wanted to establish an accurate timeline of the campaign undertaken by the threat group, the company said in a response to Cybernews.