
Analysis of SideWinder's New Infrastructure and Tool That Narrows Their Reach to Pakistan

Researchers from Group-IB Threat Intelligence have discovered new malicious infrastructure and a custom tool belonging to SideWinder, an Indian nation-state cyber-attack group that has been targeting Pakistani organisations since 2012.

SideWinder is the APT group held responsible for the 2012 attack on the Pakistani parliament, which resulted in the leak of over 25,000 National Assembly records. The group has also been observed conducting ongoing attacks against Indian and US diplomatic and military institutions.

However, because little open-source information on the group's infrastructure and tooling was available, SideWinder was previously known to operate only a single malicious server with multiple domain names and hard-coded IP addresses.

While investigating the new infrastructure, Group-IB researchers found a custom tool that uses a domain name strikingly similar to the group's older infrastructure, along with several reg-file based droppers for both Windows and Linux. The two domains are now used in conjunction with one another.

“The malicious payload has been packed into at least three different droppers: A Win32 binary, a Linux binary, and a custom Python script. These droppers appear to be used in conjunction with the newly discovered malicious infrastructure where they are used in the same way as before, by downloading and executing random shellcode.” reads the analysis published by Group-IB.
