SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

    Date: 07/29/2024

    Severity: High

    Summary

The SideWinder APT group, also known as Razor Tiger, Rattlesnake, or T-APT-04, is suspected to be based in India and has been active since at least 2012. It targets military, government, and business sectors, focusing mainly on Pakistan, Afghanistan, China, and Nepal. Its tactics include email spear-phishing, document exploitation, and DLL side-loading to evade detection. Victims typically download a malicious document that has minimal VirusTotal detection at the time of delivery, and opening it triggers the later stages of the attack.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls Query 1 : 

    userdomainname like "https://mofa-gov-sa.direct888.net/015094_consulategz" or url like "https://mofa-gov-sa.direct888.net/015094_consulategz" or userdomainname like "https://reports.dgps-govtpk.com/63645534-case/doc.rtf" or url like "https://reports.dgps-govtpk.com/63645534-case/doc.rtf" or userdomainname like "mailafdgovbd.mods.email" or url like "mailafdgovbd.mods.email" or userdomainname like "direct888.net" or url like "direct888.net" or userdomainname like "mailarmymilbd.mods.email" or url like "mailarmymilbd.mods.email" or userdomainname like "http://investigation04.session-out.com/fbd901_harassment/doc.rtf" or url like "http://investigation04.session-out.com/fbd901_harassment/doc.rtf" or userdomainname like "heatwave.paknavy.store" or url like "heatwave.paknavy.store" or userdomainname like "mailarmylk.mods.email" or url like "mailarmylk.mods.email" or userdomainname like "dgps-govtpk.com" or url like "dgps-govtpk.com" or userdomainname like "fia-gov.net" or url like "fia-gov.net" or userdomainname like "https://moitt-gov-pk.fia-gov.net/720705null" or url like "https://moitt-gov-pk.fia-gov.net/720705null" or userdomainname like "gta5.mods.email" or url like "gta5.mods.email" or userdomainname like "ftp.mods.email" or url like "ftp.mods.email" or userdomainname like "https://moitt-gov-pk.fia-gov.net/643705null" or url like "https://moitt-gov-pk.fia-gov.net/643705null" or userdomainname like "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf" or url like "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf"

    Domains\Urls Query 2 : 

userdomainname like "mods.email" or url like "mods.email" or userdomainname like "moitt-gov-pk.fia-gov.net" or url like "moitt-gov-pk.fia-gov.net" or userdomainname like "reports.dgps-govtpk.com" or url like "reports.dgps-govtpk.com" or userdomainname like "paknavy-govpk.com" or url like "paknavy-govpk.com" or userdomainname like "paknavy.store" or url like "paknavy.store" or userdomainname like "mailforegngovmv.mods.email" or url like "mailforegngovmv.mods.email" or userdomainname like "mailmofagovmm.mods.email" or url like "mailmofagovmm.mods.email" or userdomainname like "mora.pdfadobe.com" or url like "mora.pdfadobe.com" or userdomainname like "mailmofagovnp.mods.email" or url like "mailmofagovnp.mods.email" or userdomainname like "pdfadobe.com" or url like "pdfadobe.com" or userdomainname like "mailnepalarmymil.mods.email" or url like "mailnepalarmymil.mods.email" or userdomainname like "mailmofagovmv.mods.email" or url like "mailmofagovmv.mods.email" or userdomainname like "mailnepalarmymilnp.mods.email" or url like "mailnepalarmymilnp.mods.email" or userdomainname like "mofa-gov-sa.direct888.net" or url like "mofa-gov-sa.direct888.net" or userdomainname like "salary-cutting.session-out.com" or url like "salary-cutting.session-out.com" or userdomainname like "session-out.com" or url like "session-out.com"

    IP Address 

    dstipaddress IN ("91.195.240.123") or ipaddress IN ("91.195.240.123") or publicipaddress IN ("91.195.240.123") or srcipaddress IN ("91.195.240.123")

    Hash 

    md5hash IN ("9a1c49322a9d950c047c2edfc781b778","2462db3be57df824f003f74d7a16cacb","9345d52abd5bab4320c1273eb2c90161","c60b41f0981f617fa83a73704a10e147","3233db78e37302b47436b550a21cdaf9","e0bce049c71bc81afe172cd30be4d2b7","8d7c43913eba26f96cd656966c1e26d5","d0d1fba6bb7be933889ace0d6955a1d7","379edeaa9ed92ebe6091177417b2c751")
    
    sha256hash IN ("ceb93ee3093dbf1a49918ede81055018d9c0f0945a97f904a16951010cfbce61","9572312a12605c6a6ea6447af6fc063f4196aeba523ed38ce2c5ff51c33d4831","512a83f1a6c404cb0ba679c7a2f3aa782bb5e17840d31a034de233f7500a6cb9","e21396bf5f9936310b4f53273db330a9620d78c1c744277b0e9126f0afdbc29d","142c6a4c7e9efbf6f3176df3ff218449bb4f7b2a69d60060e6339f1c3cc95d93","006e5fe0c01712391c54319a9d1579d7208f3cfa9f49fe56a14d93f0d0e8928b","9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a","b72ac58d599e6e1080251b1ac45a521b33c08d7d129828a4e82a7095e9f93e53","613068422c214b944c7b2e3fb60412ed99d35c9e18d53d45b16965c5a36f734a")
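The queries above use unanchored "like" matching, so a base-domain clause such as "mods.email" already covers every subdomain listed, while a look-alike host such as direct888.network would also fire. As an added example (not part of the Gurucul advisory or its product), the following Python applies the advisory's base domains and two of its MD5 hashes to constructed proxy-log records using host-suffix matching instead of substring matching:

```python
# Added example (not from the Gurucul advisory): apply the advisory's domain and
# hash indicators to constructed proxy-log records with host-suffix matching
# instead of the unanchored substring match used by the "like" queries.
from urllib.parse import urlsplit

# Base domains from the advisory; every listed subdomain falls under one of
# these, so matching on the base domain covers the whole indicator list.
IOC_DOMAINS = {
    "dgps-govtpk.com", "direct888.net", "fia-gov.net", "mods.email",
    "paknavy.store", "paknavy-govpk.com", "pdfadobe.com", "session-out.com",
}
# Hashes copied from the advisory, normalised to lowercase because one list
# entry is published in mixed case.
IOC_MD5 = {h.lower() for h in (
    "C60b41f0981f617fa83a73704a10e147",
    "2462db3be57df824f003f74d7a16cacb",
)}

def host_matches(host, domains=IOC_DOMAINS):
    """Return the indicator if host equals it or is a subdomain of it, else None.
    A substring test would also fire on look-alikes such as direct888.network."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def url_matches(url):
    """Extract the host from a proxy-log URL (scheme optional) and check it."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return host_matches(parts.hostname or "")

def scan(records):
    """records: iterable of (url, md5) pairs; yields (url, reason) per hit."""
    for url, md5 in records:
        hit = url_matches(url)
        if hit:
            yield url, "domain:" + hit
        elif md5 and md5.lower() in IOC_MD5:
            yield url, "md5:" + md5.lower()

# Constructed sample records (not real telemetry).
SAMPLE = [
    ("https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", ""),
    ("https://reports.dgps-govtpk.com/63645534-case/doc.rtf", ""),
    ("http://updates.direct888.network/patch", ""),  # look-alike, must not fire
    ("https://intranet.example.invalid/report.docx", "c60B41F0981F617FA83A73704A10E147"),
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE):
        print(reason, url)
```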

    Reference:

    https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea 
