SideWinder APT Group aka Rattlesnake

    Wednesday, October 16, 2024 In: Threat Research Print

    Date: 10/16/2024

    Severity: Medium

    Summary

    SideWinder APT Group (aka Rattlesnake) - Active since 2012 and publicly identified in 2018, the SideWinder APT group has conducted numerous attacks primarily targeting military and government entities in South and Southeast Asia, including Pakistan, Sri Lanka, China, and Nepal. Initially perceived as low-skilled due to their use of public exploits and tools, their true capabilities emerge upon closer examination of their operations. Recently, they have expanded their focus to high-profile entities and strategic infrastructures in the Middle East and Africa. Notably, a new post-exploitation toolkit named "StealerBot" has been discovered, which is believed to be a key tool for their espionage activities.

    Indicators of Compromise (IOC) List

    URL/Domain

    126-com.live

    163inc.com

    afmat.tech

    alit.live

    aliyum.tech

    aliyumm.tech

    asyn.info

    ausibedu.org

    bol-south.org

    cnsa-gov.org

    colot.info

    comptes.tech

    condet.org

    conft.live

    dafpak.org

    decoty.tech

    defenec.net

    defpak.org

    detru.info

    dgps-govpk.co

    dgps-govpk.com

    dinfed.co

    dirctt88.co

    dirctt88.net

    direct888.net

    direct88.co

    directt888.com

    donwload-file.com

    donwloaded.com

    donwloaded.net

    dowmload.net

    downld.net

    download-file.net

    downloadabledocx.com

    dynat.tech

    dytt88.org

    e1ix.mov

    e1x.tech

    fia-gov.com

    fia-gov.net

    gov-govpk.info

    govpk.info

    govpk.net

    grouit.tech

    gtrec.info

    healththebest.com

    jmicc.xyz

    kernet.info

    kretic.info

    lforvk.com

    mfa-gov.info

    mfa-gov.net

    mfa-govt.net

    mfacom.org

    mfagov.org

    mfas.pro

    mitlec.site

    mod-gov-pk.live

    mofa.email

    mofagovs.org

    moittpk.net

    moittpk.org

    mshealthcheck.live

    nactagovpk.org

    navy-mil.co

    newmofa.com

    newoutlook.live

    nopler.live

    ntcpak.live

    ntcpak.org

    ntcpk.info

    ntcpk.net

    numpy.info

    numzy.net

    nventic.info

    office-drive.live

    pafgovt.com

    paknavy-gov.org

    paknavy-govpk.info

    paknavy-govpk.net

    pdfrdr-update.com

    pdfrdr-update.info

    pmd-office.com

    pmd-office.live

    pmd-office.org

    ptcl-net.com

    scrabt.tech

    shipping-policy.info

    sjfu-edu.co

    support-update.info

    tazze.co

    tex-ideas.info

    tni-mil.com

    tsinghua-edu.tech

    tumet.info

    u1x.co

    ujsen.net

    update-govpk.co

    updtesession.online

    widge.info

    Hash

    28b37d4beb11f070bab8374ffbf3b96a

176680c356cfbba86fa7927ce1f03462

6cf6d55a3968e2176db2bba2134bbe94

c87eb71ff038df7b517644fa5c097eac

8202209354ece5c53648c52bdbd064f0

5cc784afb69c153ab325266e8a7afaf4

3a6916192106ae3ac7e55bd357bc5eee

54aadadcf77dec53b2566fe61b034384

8f83d19c2efc062e8983bce83062c9b6

8e8b61e5fb6f6792f2bee0ec947f1989

86eeb037f5669bff655de1e08199a554

1c36177ac4423129e301c5a40247f180

873079cd3e635adb609c38af71bad702

423e150d91edc568546f0d2f064a8bf1

4a5e818178f9b2dc48839a5dbe0e3cc1

26aa30505d8358ebeb5ee15aecb1cbb0

3233db78e37302b47436b550a21cdaf9

8d7c43913eba26f96cd656966c1e26d5

d0d1fba6bb7be933889ace0d6955a1d7

e706fc65f433e54538a3dbb1c359d75f

412b6ac53aeadb08449e41dccffb1abe

2f4ba98dcd45e59fca488f436ab13501

b69867ee5b9581687cef96e873b775ff

c3ce4094b3411060928143f63701aa2e

e1bdfa55227d37a71cdc248dc9512296

ea4b3f023bac3ad1a982cace9a6eafc3

44dbdd87b60c20b22d2a7926ad2d7bea

7e97cbf25eef7fc79828c033049822af

101a63ecdd8c68434c665bf2b1d3ffc7

d885df399fc9f6c80e2df0c290414c2f

92dd91a5e3dfb6260e13c8033b729e03

515d2d6f91ba4b76847301855dfc0e83

3ede84d84c02aa7483eb734776a20dea

2011658436a7b04935c06f59a5db7161

3a036a1846bfeceb615101b10c7c910e

47f51c7f31ab4a0d91a0f4c07b2f99d7

f3058ac120a2ae7807f36899e27784ea

0fbb71525d65f0196a9bfbffea285b18

1ed7ad166567c46f71dc703e55d31c7a

2f0e150e3d6dbb1624c727d1a641e754

bf16760ee49742225fdb2a73c1bd83c7

b3650a88a50108873fc45ad3c249671a

4c40fcb2a12f171533fc070464db96d1

eef9c0a9e364b4516a83a92592ffc831

1be93704870afd0b22a4475014f199c3

f840c721e533c05d152d2bc7bf1bc165

5718c0d69939284ce4f6e0ce580958df

c14223c219584ce3271450a10bc5da9620b2be2f

425ac5e30bd76eebfe7e8d2f449cd7687089ce3a

144b0f7518727bca923eeb70791b51759a518633b5ed982fa16afcce3ed611ae

2ae73b23f9c89a4e19a6054f41a7542f90b5ff07bce78ddfaa71807303840d5c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "paknavy-gov.org" or url like "paknavy-gov.org" or userdomainname like "pmd-office.org" or url like "pmd-office.org" or userdomainname like "afmat.tech" or url like "afmat.tech" or userdomainname like "paknavy-govpk.net" or url like "paknavy-govpk.net" or userdomainname like "sjfu-edu.co" or url like "sjfu-edu.co" or userdomainname like "126-com.live" or url like "126-com.live" or userdomainname like "moittpk.org" or url like "moittpk.org" or userdomainname like "pafgovt.com" or url like "pafgovt.com" or userdomainname like "mfagov.org" or url like "mfagov.org" or userdomainname like "tsinghua-edu.tech" or url like "tsinghua-edu.tech" or userdomainname like "dirctt88.net" or url like "dirctt88.net" or userdomainname like "gov-govpk.info" or url like "gov-govpk.info" or userdomainname like "163inc.com" or url like "163inc.com" or userdomainname like "fia-gov.net" or url like "fia-gov.net" or userdomainname like "jmicc.xyz" or url like "jmicc.xyz" or userdomainname like "defpak.org" or url like "defpak.org" or userdomainname like "mitlec.site" or url like "mitlec.site" or userdomainname like "dirctt88.co" or url like "dirctt88.co" or userdomainname like "newmofa.com" or url like "newmofa.com" or userdomainname like "updtesession.online" or url like "updtesession.online" or userdomainname like "numpy.info" or url like "numpy.info" or userdomainname like "aliyumm.tech" or url like "aliyumm.tech" or userdomainname like "donwload-file.com" or url like "donwload-file.com" or userdomainname like "donwloaded.com" or url like "donwloaded.com" or userdomainname like "mfa-gov.net" or url like "mfa-gov.net" or userdomainname like "ntcpak.live" or url like "ntcpak.live" or userdomainname like "lforvk.com" or url like "lforvk.com" or userdomainname like "u1x.co" or url like "u1x.co" or userdomainname like "direct888.net" or url like "direct888.net" or userdomainname like "ntcpk.net" or url like "ntcpk.net" or userdomainname like "condet.org" or url like "condet.org" or userdomainname like "healththebest.com" or url like "healththebest.com" or userdomainname like "defenec.net" or url like "defenec.net" or userdomainname like "bol-south.org" or url like "bol-south.org" or userdomainname like "dytt88.org" or url like "dytt88.org" or userdomainname like "mfa-gov.info" or url like "mfa-gov.info" or userdomainname like "mfa-govt.net" or url like "mfa-govt.net" or userdomainname like "mfas.pro" or url like "mfas.pro" or userdomainname like "moittpk.net" or url like "moittpk.net" or userdomainname like "detru.info" or url like "detru.info" or userdomainname like "gtrec.info" or url like "gtrec.info" or userdomainname like "newoutlook.live" or url like "newoutlook.live" or userdomainname like "tni-mil.com" or url like "tni-mil.com" or userdomainname like "grouit.tech" or url like "grouit.tech" or userdomainname like "download-file.net" or url like "download-file.net" or userdomainname like "downloadabledocx.com" or url like "downloadabledocx.com" or userdomainname like "pmd-office.live" or url like "pmd-office.live" or userdomainname like "paknavy-govpk.info" or url like "paknavy-govpk.info" or userdomainname like "ausibedu.org" or url like "ausibedu.org" or userdomainname like "support-update.info" or url like "support-update.info" or userdomainname like "govpk.info" or url like "govpk.info" or userdomainname like "mod-gov-pk.live" or url like "mod-gov-pk.live" or userdomainname like "nactagovpk.org" or url like "nactagovpk.org" or userdomainname like "comptes.tech" or url like "comptes.tech" or userdomainname like "dinfed.co" or url like "dinfed.co" or userdomainname like "dowmload.net" or url like "dowmload.net" or userdomainname like "dgps-govpk.co" or url like "dgps-govpk.co" or userdomainname like "fia-gov.com" or url like "fia-gov.com" or userdomainname like "dynat.tech" or url like "dynat.tech" or userdomainname like "pmd-office.com" or url like "pmd-office.com" or userdomainname like "shipping-policy.info" or url like "shipping-policy.info" or userdomainname like "widge.info" or url like "widge.info" or userdomainname like "tumet.info" or url like "tumet.info" or userdomainname like "donwloaded.net" or url like "donwloaded.net" or userdomainname like "asyn.info" or url like "asyn.info" or userdomainname like "nventic.info" or url like "nventic.info" or userdomainname like "mshealthcheck.live" or url like "mshealthcheck.live" or userdomainname like "pdfrdr-update.info" or url like "pdfrdr-update.info"

    Detection Query 2

    userdomainname like "alit.live" or url like "alit.live" or userdomainname like "aliyum.tech" or url like "aliyum.tech" or userdomainname like "cnsa-gov.org" or url like "cnsa-gov.org" or userdomainname like "colot.info" or url like "colot.info" or userdomainname like "conft.live" or url like "conft.live" or userdomainname like "dafpak.org" or url like "dafpak.org" or userdomainname like "decoty.tech" or url like "decoty.tech" or userdomainname like "dgps-govpk.com" or url like "dgps-govpk.com" or userdomainname like "direct88.co" or url like "direct88.co" or userdomainname like "directt888.com" or url like "directt888.com" or userdomainname like "downld.net" or url like "downld.net" or userdomainname like "e1ix.mov" or url like "e1ix.mov" or userdomainname like "e1x.tech" or url like "e1x.tech" or userdomainname like "govpk.net" or url like "govpk.net" or userdomainname like "kernet.info" or url like "kernet.info" or userdomainname like "kretic.info" or url like "kretic.info" or userdomainname like "mfacom.org" or url like "mfacom.org" or userdomainname like "mofa.email" or url like "mofa.email" or userdomainname like "mofagovs.org" or url like "mofagovs.org" or userdomainname like "navy-mil.co" or url like "navy-mil.co" or userdomainname like "nopler.live" or url like "nopler.live" or userdomainname like "ntcpak.org" or url like "ntcpak.org" or userdomainname like "ntcpk.info" or url like "ntcpk.info" or userdomainname like "numzy.net" or url like "numzy.net" or userdomainname like "office-drive.live" or url like "office-drive.live" or userdomainname like "pdfrdr-update.com" or url like "pdfrdr-update.com" or userdomainname like "ptcl-net.com" or url like "ptcl-net.com" or userdomainname like "scrabt.tech" or url like "scrabt.tech" or userdomainname like "tazze.co" or url like "tazze.co" or userdomainname like "tex-ideas.info" or url like "tex-ideas.info" or userdomainname like "ujsen.net" or url like "ujsen.net" or userdomainname like "update-govpk.co" or url like "update-govpk.co"

    Detection Query 3

    md5hash IN ("f840c721e533c05d152d2bc7bf1bc165","ea4b3f023bac3ad1a982cace9a6eafc3","28b37d4beb11f070bab8374ffbf3b96a","101a63ecdd8c68434c665bf2b1d3ffc7","d885df399fc9f6c80e2df0c290414c2f","92dd91a5e3dfb6260e13c8033b729e03","5718c0d69939284ce4f6e0ce580958df","423e150d91edc568546f0d2f064a8bf1","26aa30505d8358ebeb5ee15aecb1cbb0","4a5e818178f9b2dc48839a5dbe0e3cc1","8e8b61e5fb6f6792f2bee0ec947f1989","c3ce4094b3411060928143f63701aa2e","e706fc65f433e54538a3dbb1c359d75f","3a6916192106ae3ac7e55bd357bc5eee","8f83d19c2efc062e8983bce83062c9b6","515d2d6f91ba4b76847301855dfc0e83","8202209354ece5c53648c52bdbd064f0","6cf6d55a3968e2176db2bba2134bbe94","e1bdfa55227d37a71cdc248dc9512296","873079cd3e635adb609c38af71bad702","54aadadcf77dec53b2566fe61b034384","d0d1fba6bb7be933889ace0d6955a1d7","8d7c43913eba26f96cd656966c1e26d5","c87eb71ff038df7b517644fa5c097eac","176680c356cfbba86fa7927ce1f03462","412b6ac53aeadb08449e41dccffb1abe","44dbdd87b60c20b22d2a7926ad2d7bea","5cc784afb69c153ab325266e8a7afaf4","86eeb037f5669bff655de1e08199a554","1c36177ac4423129e301c5a40247f180","3233db78e37302b47436b550a21cdaf9","2f4ba98dcd45e59fca488f436ab13501","b69867ee5b9581687cef96e873b775ff","7e97cbf25eef7fc79828c033049822af","3ede84d84c02aa7483eb734776a20dea","2011658436a7b04935c06f59a5db7161","3a036a1846bfeceb615101b10c7c910e","47f51c7f31ab4a0d91a0f4c07b2f99d7","f3058ac120a2ae7807f36899e27784ea","0fbb71525d65f0196a9bfbffea285b18","1ed7ad166567c46f71dc703e55d31c7a","2f0e150e3d6dbb1624c727d1a641e754","bf16760ee49742225fdb2a73c1bd83c7","b3650a88a50108873fc45ad3c249671a","4c40fcb2a12f171533fc070464db96d1","eef9c0a9e364b4516a83a92592ffc831","1be93704870afd0b22a4475014f199c3")

    Detection Query 4

    sha1hash IN ("c14223c219584ce3271450a10bc5da9620b2be2f","425ac5e30bd76eebfe7e8d2f449cd7687089ce3a")

    Detection Query 5

    sha256hash IN ("2ae73b23f9c89a4e19a6054f41a7542f90b5ff07bce78ddfaa71807303840d5c","144b0f7518727bca923eeb70791b51759a518633b5ed982fa16afcce3ed611ae")

    Reference: 

    https://securelist.com/sidewinder-apt/114089/ 

    https://www.rewterz.com/threat-advisory/sidewinder-apt-group-aka-rattlesnake-active-iocs-36754


    Tags

    MalwareAPTGovernment Services and FacilitiesRattlesnakeCyber Espionage

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2025 by Gurucul - All rights reserved.