On twitter this weekend,@Timele9527 thought to found a new instance of APT Sidewinder. https://twitter.com/Timele9527/status/1147750939576586244
After different analyses, It’s not APT Sidewinder.
The execution of the dropper: https://app.any.run/tasks/487b8762-997a-4d68-9072-1111b99967cf
The dropper uses the same techniques:
- Downloading HTA
- Decode backdoor and drops files in the %TEMP%
- Use the same name “prebothta”
- Use the same name of dll for the sideloading and the same legit software
But many things are completely different.
Operating Mode
First thing the droppers downloads the HTA file in vidyasagaracademybrg.in.
This website is an academic location.
After verification on Google Earth, this location exists really.
Or Sidewinder is linked to the India. It’s very strange for this group to compromise website an Indian school to target Afghanistan People.
I think it’s not a fake website: https://www.facebook.com/197655951060181/posts/httpwwwvidyasagaracademybrgindefaultaspx/197663174392792/
Network
The second way, it’s the nomenclature of name. Usually, Sidewinder uses domains near of cdn names.
The protocols of the hta file and the backdoor is completely differents.
The backdoor used a text protocol without encryption
<|MAINSOCKET|><|ID|>760–858–340<|>6042<|END|><|PING|><|PONG|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|><|PING|><|PONG|><|SETPING|>62<|END|>
<|DESKTOPSOCKET|>760–858–340<|END|>
The id of the victim is in the protocol unusual.
Or Sidewinder use HTTP protocol for example:
for the HTA if all checks are ok:
GET /plugins/17285/93/true/true/
and the backdoor:
GET /ESmDEr7MDJw1r9jR9O4XGAVcBgCCySlZdmV3WU1J/17285/93/77223451/css HTTP/1.1
Execution
The first stage of Sidewinder uses RTF exploits not an LNK in a Rar file.
Another thing is the persistence with .bat, usually it’s the RTF exploit which create a Run Key.
The side loading loads duser.dll which executes an exe itstr.exe coded in delphi which is the backdoor.
The lasted instance of Sidewinder the backdoor was written in C++ and his old backdoor was coded in VB6.
This backdoor is executed in FUN_10001100
And this function is called by the dllmain.
Usually, Sidewinder uses a dll like backdoor not a executable file.
In the sequence of installation of the backdoor, this attack don’t use .NET serialization and it’s an important feature of the Sidewinder.
About the Backdoor
The backdoor used is Allakore_Remote. It’s an opensource software written in Delphi.
https://github.com/Grampinha/AllaKore_Remote
We found the same protocol.
In this file https://github.com/Grampinha/AllaKore_Remote/blob/master/Source/Client/Form_Main.pas we found many strings in the function FUN_0062ae18.
Sidewinder don’t use open source usually.
Threat Intelligence
This attack is against Afghanistan and the society participate at the conference of ICC at Paris
Sidewinder usually targets gov or military organization of Pakistan.
IOCs
Main object- “3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244”
ssdeep_parts [object Object]
sha256 3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244
sha1 2848db54d87006714309ce6a1c4ce92e5a29aab7
md5 7af11efe4454dab75ad2338124be149d
Dropped executable file
C:\ProgramData\dsk\credwiz.exe 17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf
C:\ProgramData\dsk\DUser.dll 709d548a42500b15db4b171711a31a2ab227f508f60d4cde670b2b9081ce56af
C:\Users\admin\AppData\Local\Temp\Windows Cleaner\itstr.exe 26ca6af15ff8273733a6a386a482357256ac4373a8641e486fb646bc9c525afa
domain vidyasagaracademybrg.in
ip 167.86.116.39
ip 143.95.251.24
HTTP/HTTPS requests
url http://vidyasagaracademybrg.in/scripts/lnk/comm/
url http://vidyasagaracademybrg.in/scripts/lnk/comm
url http://vidyasagaracademybrg.in/scripts/am/
url http://vidyasagaracademybrg.in/scripts/lnk/comm/comm.hta
url http://vidyasagaracademybrg.in/scripts/am/am_cy_167.hta
