SideWinder APT Group aka Rattlesnake

    Date: 10/16/2024

    Severity: Medium

    Summary

    Active since 2012 and publicly identified in 2018, the SideWinder APT group (aka Rattlesnake) has conducted numerous attacks primarily targeting military and government entities in South and Southeast Asia, including Pakistan, Sri Lanka, China, and Nepal. The group was initially perceived as low-skilled because of its reliance on public exploits and tools, but closer examination of its operations reveals more capable tradecraft. Recently it has expanded its focus to high-profile entities and strategic infrastructure in the Middle East and Africa. Notably, a new post-exploitation toolkit named "StealerBot" has been discovered and is believed to be a key tool in the group's espionage activities.

    Indicators of Compromise (IOC) List

    URL/Domain


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "paknavy-gov.org" or url like "paknavy-gov.org" or userdomainname like "pmd-office.org" or url like "pmd-office.org" or userdomainname like "afmat.tech" or url like "afmat.tech" or userdomainname like "paknavy-govpk.net" or url like "paknavy-govpk.net" or userdomainname like "sjfu-edu.co" or url like "sjfu-edu.co" or userdomainname like "126-com.live" or url like "126-com.live" or userdomainname like "moittpk.org" or url like "moittpk.org" or userdomainname like "pafgovt.com" or url like "pafgovt.com" or userdomainname like "mfagov.org" or url like "mfagov.org" or userdomainname like "tsinghua-edu.tech" or url like "tsinghua-edu.tech" or userdomainname like "dirctt88.net" or url like "dirctt88.net" or userdomainname like "gov-govpk.info" or url like "gov-govpk.info" or userdomainname like "163inc.com" or url like "163inc.com" or userdomainname like "fia-gov.net" or url like "fia-gov.net" or userdomainname like "jmicc.xyz" or url like "jmicc.xyz" or userdomainname like "defpak.org" or url like "defpak.org" or userdomainname like "mitlec.site" or url like "mitlec.site" or userdomainname like "dirctt88.co" or url like "dirctt88.co" or userdomainname like "newmofa.com" or url like "newmofa.com" or userdomainname like "updtesession.online" or url like "updtesession.online" or userdomainname like "numpy.info" or url like "numpy.info" or userdomainname like "aliyumm.tech" or url like "aliyumm.tech" or userdomainname like "donwload-file.com" or url like "donwload-file.com" or userdomainname like "donwloaded.com" or url like "donwloaded.com" or userdomainname like "mfa-gov.net" or url like "mfa-gov.net" or userdomainname like "ntcpak.live" or url like "ntcpak.live" or userdomainname like "lforvk.com" or url like "lforvk.com" or userdomainname like "u1x.co" or url like "u1x.co" or userdomainname like "direct888.net" or url like "direct888.net" or userdomainname like "ntcpk.net" or url like "ntcpk.net" or userdomainname like "condet.org" or url like 
"condet.org" or userdomainname like "healththebest.com" or url like "healththebest.com" or userdomainname like "defenec.net" or url like "defenec.net" or userdomainname like "bol-south.org" or url like "bol-south.org" or userdomainname like "dytt88.org" or url like "dytt88.org" or userdomainname like "mfa-gov.info" or url like "mfa-gov.info" or userdomainname like "mfa-govt.net" or url like "mfa-govt.net" or userdomainname like "mfas.pro" or url like "mfas.pro" or userdomainname like "moittpk.net" or url like "moittpk.net" or userdomainname like "detru.info" or url like "detru.info" or userdomainname like "gtrec.info" or url like "gtrec.info" or userdomainname like "newoutlook.live" or url like "newoutlook.live" or userdomainname like "tni-mil.com" or url like "tni-mil.com" or userdomainname like "grouit.tech" or url like "grouit.tech" or userdomainname like "download-file.net" or url like "download-file.net" or userdomainname like "downloadabledocx.com" or url like "downloadabledocx.com" or userdomainname like "pmd-office.live" or url like "pmd-office.live" or userdomainname like "paknavy-govpk.info" or url like "paknavy-govpk.info" or userdomainname like "ausibedu.org" or url like "ausibedu.org" or userdomainname like "support-update.info" or url like "support-update.info" or userdomainname like "govpk.info" or url like "govpk.info" or userdomainname like "mod-gov-pk.live" or url like "mod-gov-pk.live" or userdomainname like "nactagovpk.org" or url like "nactagovpk.org" or userdomainname like "comptes.tech" or url like "comptes.tech" or userdomainname like "dinfed.co" or url like "dinfed.co" or userdomainname like "dowmload.net" or url like "dowmload.net" or userdomainname like "dgps-govpk.co" or url like "dgps-govpk.co" or userdomainname like "fia-gov.com" or url like "fia-gov.com" or userdomainname like "dynat.tech" or url like "dynat.tech" or userdomainname like "pmd-office.com" or url like "pmd-office.com" or userdomainname like "shipping-policy.info" or url 
like "shipping-policy.info" or userdomainname like "widge.info" or url like "widge.info" or userdomainname like "tumet.info" or url like "tumet.info" or userdomainname like "donwloaded.net" or url like "donwloaded.net" or userdomainname like "asyn.info" or url like "asyn.info" or userdomainname like "nventic.info" or url like "nventic.info" or userdomainname like "mshealthcheck.live" or url like "mshealthcheck.live" or userdomainname like "pdfrdr-update.info" or url like "pdfrdr-update.info"

    Detection Query 2

    userdomainname like "alit.live" or url like "alit.live" or userdomainname like "aliyum.tech" or url like "aliyum.tech" or userdomainname like "cnsa-gov.org" or url like "cnsa-gov.org" or userdomainname like "colot.info" or url like "colot.info" or userdomainname like "conft.live" or url like "conft.live" or userdomainname like "dafpak.org" or url like "dafpak.org" or userdomainname like "decoty.tech" or url like "decoty.tech" or userdomainname like "dgps-govpk.com" or url like "dgps-govpk.com" or userdomainname like "direct88.co" or url like "direct88.co" or userdomainname like "directt888.com" or url like "directt888.com" or userdomainname like "downld.net" or url like "downld.net" or userdomainname like "e1ix.mov" or url like "e1ix.mov" or userdomainname like "e1x.tech" or url like "e1x.tech" or userdomainname like "govpk.net" or url like "govpk.net" or userdomainname like "kernet.info" or url like "kernet.info" or userdomainname like "kretic.info" or url like "kretic.info" or userdomainname like "mfacom.org" or url like "mfacom.org" or userdomainname like "mofa.email" or url like "mofa.email" or userdomainname like "mofagovs.org" or url like "mofagovs.org" or userdomainname like "navy-mil.co" or url like "navy-mil.co" or userdomainname like "nopler.live" or url like "nopler.live" or userdomainname like "ntcpak.org" or url like "ntcpak.org" or userdomainname like "ntcpk.info" or url like "ntcpk.info" or userdomainname like "numzy.net" or url like "numzy.net" or userdomainname like "office-drive.live" or url like "office-drive.live" or userdomainname like "pdfrdr-update.com" or url like "pdfrdr-update.com" or userdomainname like "ptcl-net.com" or url like "ptcl-net.com" or userdomainname like "scrabt.tech" or url like "scrabt.tech" or userdomainname like "tazze.co" or url like "tazze.co" or userdomainname like "tex-ideas.info" or url like "tex-ideas.info" or userdomainname like "ujsen.net" or url like "ujsen.net" or userdomainname like "update-govpk.co" or url 
like "update-govpk.co"

    Detection Query 3

    md5hash IN ("f840c721e533c05d152d2bc7bf1bc165","ea4b3f023bac3ad1a982cace9a6eafc3","28b37d4beb11f070bab8374ffbf3b96a","101a63ecdd8c68434c665bf2b1d3ffc7","d885df399fc9f6c80e2df0c290414c2f","92dd91a5e3dfb6260e13c8033b729e03","5718c0d69939284ce4f6e0ce580958df","423e150d91edc568546f0d2f064a8bf1","26aa30505d8358ebeb5ee15aecb1cbb0","4a5e818178f9b2dc48839a5dbe0e3cc1","8e8b61e5fb6f6792f2bee0ec947f1989","c3ce4094b3411060928143f63701aa2e","e706fc65f433e54538a3dbb1c359d75f","3a6916192106ae3ac7e55bd357bc5eee","8f83d19c2efc062e8983bce83062c9b6","515d2d6f91ba4b76847301855dfc0e83","8202209354ece5c53648c52bdbd064f0","6cf6d55a3968e2176db2bba2134bbe94","e1bdfa55227d37a71cdc248dc9512296","873079cd3e635adb609c38af71bad702","54aadadcf77dec53b2566fe61b034384","d0d1fba6bb7be933889ace0d6955a1d7","8d7c43913eba26f96cd656966c1e26d5","c87eb71ff038df7b517644fa5c097eac","176680c356cfbba86fa7927ce1f03462","412b6ac53aeadb08449e41dccffb1abe","44dbdd87b60c20b22d2a7926ad2d7bea","5cc784afb69c153ab325266e8a7afaf4","86eeb037f5669bff655de1e08199a554","1c36177ac4423129e301c5a40247f180","3233db78e37302b47436b550a21cdaf9","2f4ba98dcd45e59fca488f436ab13501","b69867ee5b9581687cef96e873b775ff","7e97cbf25eef7fc79828c033049822af","3ede84d84c02aa7483eb734776a20dea","2011658436a7b04935c06f59a5db7161","3a036a1846bfeceb615101b10c7c910e","47f51c7f31ab4a0d91a0f4c07b2f99d7","f3058ac120a2ae7807f36899e27784ea","0fbb71525d65f0196a9bfbffea285b18","1ed7ad166567c46f71dc703e55d31c7a","2f0e150e3d6dbb1624c727d1a641e754","bf16760ee49742225fdb2a73c1bd83c7","b3650a88a50108873fc45ad3c249671a","4c40fcb2a12f171533fc070464db96d1","eef9c0a9e364b4516a83a92592ffc831","1be93704870afd0b22a4475014f199c3")

    Detection Query 4

    sha1hash IN ("c14223c219584ce3271450a10bc5da9620b2be2f","425ac5e30bd76eebfe7e8d2f449cd7687089ce3a")

    Detection Query 5

    sha256hash IN ("2ae73b23f9c89a4e19a6054f41a7542f90b5ff07bce78ddfaa71807303840d5c","144b0f7518727bca923eeb70791b51759a518633b5ed982fa16afcce3ed611ae")
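The queries above match domains with a substring `like`, which will also flag unrelated hosts that merely contain a short indicator such as "u1x.co". The following added example (not Gurucul's code or part of the advisory) applies the same watchlist logic over constructed log records in Python, but matches domains on a label boundary (exact host or subdomain) and normalises hash case; the `userdomainname`, `url` and `*hash` field names are taken from the queries, and the watchlist is a small subset of the advisory's IOCs.

```python
import re

# Watchlist built from a subset of the advisory's IOCs (domains from
# Detection Queries 1-2, hashes from Detection Queries 3-5).
IOC_DOMAINS = {"paknavy-gov.org", "u1x.co", "numpy.info", "mfa-gov.net", "update-govpk.co"}
IOC_HASHES = {
    "md5hash": {"f840c721e533c05d152d2bc7bf1bc165", "28b37d4beb11f070bab8374ffbf3b96a"},
    "sha1hash": {"c14223c219584ce3271450a10bc5da9620b2be2f"},
    "sha256hash": {"2ae73b23f9c89a4e19a6054f41a7542f90b5ff07bce78ddfaa71807303840d5c"},
}

def host_of(value):
    """Extract the host from a bare hostname or a full URL."""
    v = value.strip().lower()
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)   # strip scheme
    v = v.split("/", 1)[0].split("?", 1)[0]        # drop path and query
    v = v.rsplit("@", 1)[-1]                       # drop userinfo
    return v.split(":", 1)[0]                      # drop port

def like_matches(value, ioc):
    """Substring semantics of the advisory's `like` clause, for contrast."""
    return ioc in value.lower()

def domain_matches(value, ioc):
    """True if the host equals the IOC or is a subdomain of it.
    Unlike substring `like`, 'menu1x.co' does not match 'u1x.co'."""
    host = host_of(value)
    return host == ioc or host.endswith("." + ioc)

def match_record(rec):
    """Return a list of (field, ioc) hits for one log record (a dict)."""
    hits = []
    for field in ("userdomainname", "url"):
        val = rec.get(field)
        if val:
            hits += [(field, ioc) for ioc in sorted(IOC_DOMAINS) if domain_matches(val, ioc)]
    for field, hashes in IOC_HASHES.items():
        h = (rec.get(field) or "").lower()      # hashes may be logged upper-case
        if h in hashes:
            hits.append((field, h))
    return hits

SAMPLE_LOGS = [  # constructed records for illustration, not from the advisory
    {"url": "https://cdn.paknavy-gov.org/update/doc.pdf"},
    {"userdomainname": "menu1x.co"},            # contains 'u1x.co' but is unrelated
    {"url": "http://u1x.co:8080/x"},
    {"md5hash": "F840C721E533C05D152D2BC7BF1BC165"},
    {"userdomainname": "corp.example.com", "sha256hash": "deadbeef"},
]

def scan(records):
    """Indices and hits for every record that matches the watchlist."""
    return [(i, match_record(r)) for i, r in enumerate(records) if match_record(r)]
```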

    References:

    https://securelist.com/sidewinder-apt/114089/

    https://www.rewterz.com/threat-advisory/sidewinder-apt-group-aka-rattlesnake-active-iocs-36754


    Tags: Malware, APT, Government Services and Facilities, Rattlesnake, Cyber Espionage
