On Twitter this weekend, @Timele9527 thought a new instance of APT Sidewinder had been found. https://twitter.com/Timele9527/status/1147750939576586244
After further analysis, it is not APT Sidewinder.
The execution of the dropper: https://app.any.run/tasks/487b8762-997a-4d68-9072-1111b99967cf
The dropper uses the same techniques:
- Downloads an HTA file
- Decodes the backdoor and drops files into %TEMP%
- Uses the same name "prebothta"
- Uses the same DLL name for the sideloading and the same legitimate software
But many things are completely different.
First, the dropper downloads the HTA file from vidyasagaracademybrg.in.
This website belongs to a school.
After checking on Google Earth, the location really exists.
Now, Sidewinder is linked to India. It would be very strange for this group to compromise the website of an Indian school in order to target Afghan people.
I do not think it is a fake website: https://www.facebook.com/197655951060181/posts/httpwwwvidyasagaracademybrgindefaultaspx/197663174392792/
The second difference is the naming convention. Usually, Sidewinder uses domains that resemble CDN names.
The protocols of the HTA file and of the backdoor are completely different.
The backdoor uses a text protocol without encryption.
The victim ID carried in the protocol is unusual.
Sidewinder, on the other hand, uses HTTP, for example:
for the HTA, if all checks pass:
and for the backdoor:
GET /ESmDEr7MDJw1r9jR9O4XGAVcBgCCySlZdmV3WU1J/17285/93/77223451/css HTTP/1.1
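A practitioner reading the request above will want to pull such beacons out of proxy logs. The following is an added example written for this page, not code from the original post or from any Sidewinder tooling. It assumes, generalising from the single request quoted above, that the beacon URI has the shape /<long opaque alphanumeric token>/<digits>/<digits>/<digits>/css; the 32-character minimum token length and the meaning of the numeric fields are assumptions. The log lines are constructed (combined log format); only the first reuses the request on the page.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines in combined log format (not from the original
# post). Line 1 reuses the beacon request quoted in the post; the others are
# made up, including a decoy with a short first path component.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2019:10:12:01 +0000] "GET /ESmDEr7MDJw1r9jR9O4XGAVcBgCCySlZdmV3WU1J/17285/93/77223451/css HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2019:10:12:03 +0000] "GET /static/css/main.css HTTP/1.1" 200 2048
10.0.0.7 - - [07/Jul/2019:10:13:11 +0000] "GET /AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd/101/7/5551212/css HTTP/1.1" 200 300
10.0.0.7 - - [07/Jul/2019:10:13:12 +0000] "POST /api/v1/login HTTP/1.1" 302 0
10.0.0.9 - - [07/Jul/2019:10:14:00 +0000] "GET /short/1/2/3/css HTTP/1.1" 404 0
"""

# Request-line extraction for combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# ASSUMED beacon shape, generalised from the one request on the page:
#   /<opaque alphanumeric token, 32+ chars>/<digits>/<digits>/<digits>/css
# The minimum token length and the meaning of the numeric fields are guesses.
BEACON_RE = re.compile(
    r'^/(?P<token>[A-Za-z0-9]{32,})/(?P<f1>\d+)/(?P<f2>\d+)/(?P<f3>\d+)/css$'
)


@dataclass
class Beacon:
    src: str
    timestamp: str
    token: str
    fields: tuple  # the three numeric path components, as integers


def parse_beacon_uri(uri):
    """Return (token, (f1, f2, f3)) if the URI matches the assumed shape, else None."""
    m = BEACON_RE.match(uri)
    if not m:
        return None
    return m.group("token"), (int(m.group("f1")), int(m.group("f2")), int(m.group("f3")))


def find_beacons(log_text):
    """Scan log text and return the GET requests whose URI matches BEACON_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parsed = parse_beacon_uri(m.group("uri"))
        if parsed is None:
            continue
        token, fields = parsed
        hits.append(Beacon(m.group("src"), m.group("ts"), token, fields))
    return hits


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.src} {b.timestamp} token={b.token} fields={b.fields}")
```

Because the pattern is inferred from one sample, treat a match as a lead for triage, not as attribution on its own; the decoy line with a five-character token shows that the length floor is what keeps ordinary short paths ending in /css out of the results.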
The first stage of Sidewinder uses RTF exploits, not an LNK inside a RAR archive.
Another difference is the persistence through a .bat file; usually it is the RTF exploit that creates a Run key.
The sideloading loads duser.dll, which executes an executable, itstr.exe, coded in Delphi; this executable is the backdoor.
In the latest Sidewinder instance the backdoor was written in C++, and its old backdoor was coded in VB6.
This backdoor is executed in FUN_10001100, and that function is called by DllMain.
Usually, Sidewinder uses a DLL as the backdoor, not an executable file.
In the backdoor's installation sequence, this attack does not use .NET serialization, which is an important feature of Sidewinder.
About the Backdoor
The backdoor used is AllaKore Remote. It is open-source software written in Delphi.
We found the same protocol.
In this file https://github.com/Grampinha/AllaKore_Remote/blob/master/Source/Client/Form_Main.pas we found many of the strings seen in the function FUN_0062ae18.
Sidewinder does not usually use open-source tools.
This attack targets Afghanistan and an organization taking part in the ICC conference in Paris.
Sidewinder usually targets government or military organizations in Pakistan.
Main object (SHA-256): 3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244
Dropped executable file (SHA-256):
C:\Users\admin\AppData\Local\Temp\Windows Cleaner\itstr.exe 26ca6af15ff8273733a6a386a482357256ac4373a8641e486fb646bc9c525afa
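To turn the sideloading layout described earlier (duser.dll beside the legitimate executable, itstr.exe as the backdoor) and the indicators above into a host hunt, here is an added example written for this page; it is not code from the original post or from any of the tools it names. It walks a directory tree, flags any directory where duser.dll sits next to an .exe, flags the drop directory name "Windows Cleaner", and hashes every file against the SHA-256 of itstr.exe listed above. The directory layout it scans is constructed in a temporary folder with placeholder contents, so no hash will match; legit.exe and persist.bat are placeholder names, since the post does not name the legitimate executable or the .bat file.

```python
import hashlib
import os
import tempfile

# Indicators taken from the post: the SHA-256 of the dropped itstr.exe and the
# directory name it was dropped into. duser.dll is the sideloaded DLL name.
IOC_SHA256 = {
    "26ca6af15ff8273733a6a386a482357256ac4373a8641e486fb646bc9c525afa":
        "itstr.exe (AllaKore Remote based backdoor)",
}
SIDELOAD_DLL = "duser.dll"
DROP_DIR_NAME = "windows cleaner"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and return a list of (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        # duser.dll is a Windows system DLL; a copy sitting beside an .exe in a
        # user-writable directory is the sideloading layout described in the post.
        if SIDELOAD_DLL in lower and any(f.endswith(".exe") for f in lower):
            findings.append(("sideload layout: duser.dll beside an exe",
                             os.path.join(dirpath, lower[SIDELOAD_DLL])))
        if os.path.basename(dirpath).lower() == DROP_DIR_NAME:
            findings.append(("drop directory name", dirpath))
        for f in files:
            path = os.path.join(dirpath, f)
            digest = sha256_file(path)
            if digest in IOC_SHA256:
                findings.append(("hash match: " + IOC_SHA256[digest], path))
    return findings


def build_constructed_tree():
    """Constructed layout mimicking the drop; placeholder contents, so no hash matches."""
    root = tempfile.mkdtemp()
    drop = os.path.join(root, "Windows Cleaner")
    os.makedirs(drop)
    # legit.exe and persist.bat are placeholder names (the post names neither file).
    for name in ("legit.exe", "duser.dll", "itstr.exe", "persist.bat"):
        with open(os.path.join(drop, name), "wb") as f:
            f.write(b"placeholder content for " + name.encode())
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "readme.txt"), "wb") as f:
        f.write(b"nothing to see")
    return root


if __name__ == "__main__":
    for reason, path in scan_tree(build_constructed_tree()):
        print(f"{reason}: {path}")
```

Run it against a real %TEMP% or user profile by passing that path to scan_tree instead of the constructed tree. The layout check is the more durable of the three: the file hash changes with every rebuild of the backdoor, while a duser.dll beside an unrelated .exe outside the Windows system directories is worth looking at regardless of which actor dropped it.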