South Asian Ministries Targeted by SideWinder APT Exploiting Legacy Office Vulnerabilities and Tailored Malware Solutions

High-level government institutions in Sri Lanka, Bangladesh, and Pakistan are currently the target of a sophisticated cyber campaign orchestrated by the threat actor known as SideWinder.

According to researchers from Acronis, the attackers employed spear phishing emails alongside geofenced payloads to ensure that only specific victims in designated countries received the malicious content. The attack chain begins with meticulously crafted spear-phishing lures designed to initiate the infection process, ultimately deploying a known malware variant referred to as StealerBot. This approach reflects a continuation of tactics used in previous SideWinder incidents.

Notable targets of this campaign include significant governmental entities such as the Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance in Bangladesh, along with the Directorate of Indigenous Technical Development in Pakistan and various ministries and departments in Sri Lanka, including the Department of External Resources and the Central Bank.

The attacks utilize long-standing remote code execution vulnerabilities in Microsoft Office, specifically CVE-2017-0199 and CVE-2017-11882, as initial vectors. These vulnerabilities facilitate the deployment of malware that maintains persistent access within governmental environments across South Asia.

Upon opening the malicious documents, victims are exposed to an exploit for CVE-2017-0199, which subsequently delivers payloads responsible for installing StealerBot through DLL side-loading methods. A distinctive aspect of SideWinder’s tactics is the combination of spear-phishing emails with geofenced payloads, ensuring that only victims corresponding to specific criteria are served malicious content. If a victim’s IP address does not align with the target parameters, an empty RTF file is sent as a diversion.

The malicious payload itself is an RTF file that exploits CVE-2017-11882, a memory corruption vulnerability in the Equation Editor, to launch a shellcode-based loader that executes the StealerBot malware.
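For defenders triaging attachments against the chain described above, the two RTF traits worth checking are an OLE object that forces itself to update on open (the mechanism behind CVE-2017-0199 lures) and an embedded Equation Editor object (the CVE-2017-11882 vector), while a document with no object and no body text matches the empty decoy served to out-of-scope addresses. The scanner below is an added illustration of that triage, not code from Acronis or from the reporting above; the RTF samples it scans are constructed here and are not real lures, the `scan_rtf` and `visible_text_length` helpers are this example's own names, and the Equation Editor CLSID `{0002CE02-0000-0000-C000-000000000046}` is the well-known public value.

```python
"""Heuristic triage of RTF attachments for auto-updating OLE links and
Equation Editor objects. Added example; the samples are constructed."""
import re

# Little-endian on-disk form of the Equation Editor CLSID
# {0002CE02-0000-0000-C000-000000000046}.
EQUATION_EDITOR_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
GROUP_OPEN_RE = re.compile(rb"\{\\(\*|[A-Za-z]+)")
CONTROL_RE = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?|\\'[0-9A-Fa-f]{2}|\\.")
# Destination/header groups that never contribute visible body text.
SKIP_GROUPS = {b"*", b"fonttbl", b"colortbl", b"stylesheet", b"info", b"object", b"pict"}


def decode_objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata payload (whitespace-split hex only; real
    samples may interleave junk control words, which this does not unwind)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - (len(hexstr) % 2)]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def visible_text_length(rtf: bytes) -> int:
    """Count non-whitespace body characters, ignoring control words and the
    header/object groups in SKIP_GROUPS; zero means an 'empty' document."""
    count, depth, skip_depth, i = 0, 0, None, 0
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            m = GROUP_OPEN_RE.match(rtf, i)
            if skip_depth is None and m and m.group(1) in SKIP_GROUPS:
                skip_depth = depth
            i += 1
        elif c == b"}":
            if depth == skip_depth:
                skip_depth = None
            depth -= 1
            i += 1
        elif c == b"\\":
            m = CONTROL_RE.match(rtf, i)
            if m is None:
                i += 1
                continue
            # \'hh and \\ \{ \} are literal characters; control words are not.
            if skip_depth is None and not m.group(1):
                count += 1
            i += len(m.group(0))
        else:
            if skip_depth is None and not c.isspace():
                count += 1
            i += 1
    return count


def scan_rtf(rtf: bytes) -> dict:
    """Return the indicators found plus a coarse verdict string."""
    findings = {
        "has_object": re.search(rb"\\object\b", rtf) is not None,
        "objupdate": b"\\objupdate" in rtf,    # object refreshes itself on open
        "objautlink": b"\\objautlink" in rtf,  # linked (possibly remote) object
        "objclasses": [m.group(1).decode() for m in OBJCLASS_RE.finditer(rtf)],
        "visible_text_chars": visible_text_length(rtf),
    }
    blobs = decode_objdata_blobs(rtf)
    findings["equation_editor"] = (
        any(c.lower().startswith("equation") for c in findings["objclasses"])
        or any(EQUATION_EDITOR_CLSID in b for b in blobs)
    )
    if findings["equation_editor"]:
        verdict = "suspicious: Equation Editor object (CVE-2017-11882 vector)"
    elif findings["objupdate"] or findings["objautlink"]:
        verdict = "suspicious: auto-updating/linked OLE object (CVE-2017-0199 vector)"
    elif not findings["has_object"] and findings["visible_text_chars"] == 0:
        verdict = "empty document (consistent with a geofence decoy)"
    else:
        verdict = "benign"
    findings["verdict"] = verdict
    return findings


# Constructed samples for this example; none is a captured lure.
SAMPLE_EQUATION = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000 " + EQUATION_EDITOR_CLSID.hex().encode() + b" 00}}\\par}"
)
SAMPLE_LINK = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 01050000}}Invoice attached.\\par}"
)
SAMPLE_DECOY = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard\\par}"
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly budget summary.\\par}"

if __name__ == "__main__":
    for name, sample in [("equation", SAMPLE_EQUATION), ("link", SAMPLE_LINK),
                         ("decoy", SAMPLE_DECOY), ("benign", SAMPLE_BENIGN)]:
        print(name, "->", scan_rtf(sample)["verdict"])
```

The verdict is deliberately coarse: an Equation Editor object or a self-updating link in a document mailed to a ministry is reason to detonate it in a sandbox, not proof of exploitation, and the empty-document check exists so that a decoy returned to an out-of-scope address is logged rather than silently passed as clean.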

StealerBot is described as a .NET implant designed to introduce additional malware, establish a reverse shell, and gather a wide array of sensitive data from compromised systems, including screenshots, keystrokes, passwords, and files.

Acronis researchers have noted that SideWinder demonstrates a remarkable consistency in its operational activity, maintaining a steady operational cadence without significant periods of inactivity. This pattern indicates a level of organizational continuity and sustained intent.

An in-depth examination of SideWinder’s tactics, techniques, and procedures (TTPs) reveals a high degree of control and precision, allowing for the targeted delivery of malicious payloads to selected victims, often within constrained time frames.