
Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique
2023-05-09 09:39

The advanced persistent threat actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.

"In this campaign, the SideWinder advanced persistent threat group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry Research and Intelligence Team said in a technical report published Monday.

SideWinder has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.

Over the past year, SideWinder has been linked to a cyber attack aimed at Pakistan Navy War College as well as an Android malware campaign that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to harvest sensitive information.

The campaign also stands out for the threat actor's use of server-based polymorphism: the delivery server responds with two different versions of an intermediate RTF file, a technique intended to sidestep traditional signature-based antivirus detection while distributing additional payloads.
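The detection consequence of server-based polymorphism is that the same URL hands out byte-different documents, so a file-hash blocklist built from one download misses the next one. The following added example (not code from the article or from BlackBerry, and not derived from any real SideWinder sample) shows the defender-side check: fetch the intermediate document several times, compare full-file hashes with a structural fingerprint that ignores the typical padding location in RTF (ignorable `{\* ...}` destination groups and numeric parameters), and flag delivery as polymorphic when the bytes vary but the structure does not. The three RTF variants are constructed inline and the fingerprint method is an assumed heuristic, not a published detection rule.

```python
import hashlib
import re

# Constructed RTF samples standing in for three responses to the same URL.
# A and B differ only in an ignorable {\* ...} group (where a server could
# inject per-request junk); C has a genuinely different control-word layout.
VARIANT_A = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}{\*\junk1 0a9f3c}\f0\fs24 Quarterly report\par}"
VARIANT_B = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}{\*\junk2 7b1e}\f0\fs24 Quarterly report\par}"
VARIANT_C = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs24\b Quarterly report\par}"

# RTF control word: backslash, letters, optional signed numeric parameter.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?")
# Ignorable destination group: {\*\keyword ...} with no nested braces.
IGNORABLE_GROUP = re.compile(rb"\{\\\*\\[a-zA-Z]+[^{}]*\}")


def sha256_hex(data: bytes) -> str:
    """Plain full-file hash, the value a traditional signature blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def structural_fingerprint(data: bytes) -> str:
    """Hash of the ordered control-word sequence with ignorable groups and
    numeric parameters removed. Assumed heuristic: padding placed in {\\* ...}
    groups or in parameter values does not change the fingerprint."""
    stripped = IGNORABLE_GROUP.sub(b"", data)
    words = [m.group(1) for m in CONTROL_WORD.finditer(stripped)]
    return hashlib.sha256(b" ".join(words)).hexdigest()


def assess_fetches(samples: list[bytes]) -> dict:
    """Compare several downloads of the same URL.

    polymorphic_delivery is True when the raw bytes vary between fetches but
    the structural fingerprint stays constant, i.e. the server is varying
    cosmetic content rather than serving different documents."""
    hashes = {sha256_hex(s) for s in samples}
    fingerprints = {structural_fingerprint(s) for s in samples}
    return {
        "fetches": len(samples),
        "distinct_hashes": len(hashes),
        "distinct_fingerprints": len(fingerprints),
        "polymorphic_delivery": len(hashes) > 1 and len(fingerprints) == 1,
    }


if __name__ == "__main__":
    print("A vs B same bytes:", sha256_hex(VARIANT_A) == sha256_hex(VARIANT_B))
    print("A vs B same structure:",
          structural_fingerprint(VARIANT_A) == structural_fingerprint(VARIANT_B))
    print(assess_fetches([VARIANT_A, VARIANT_B]))
    print(assess_fetches([VARIANT_A, VARIANT_C]))
```

In practice the fingerprint would be stored alongside the full hash, so a second download whose hash is new but whose fingerprint is already known is treated as the same lure rather than as a fresh, unclassified file.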

"The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey's support of Pakistan and the ensuing reaction from India," BlackBerry said.


News URL

https://thehackernews.com/2023/05/researchers-uncover-sidewinders-latest.html