October 10, 2024

The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that’s being used in phishing attacks against Pakistani public and private sector entities.

“Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang,” Singapore-headquartered cybersecurity company Group-IB said in a Wednesday report.

SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka.

Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.

The threat actor’s modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server.

This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government websites to harvest user credentials.

The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains.

Should a user whose client’s IP address differs from Pakistan’s tap on the link, the AntiBot script redirects to an authentic document located on a legitimate server, indicating an attempt to geofence its targets.

“The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource,” the researchers said.

Of special mention is a phishing link that downloads a VPN application called Secure VPN (“com.securedata.vpn”) from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app (“com.securevpn.securevpn”).

While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.

In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.