BlackBerry reveals new cyber-espionage campaign by SideWinder

BlackBerry's Threat Research and Intelligence team has identified a new cyber-espionage campaign by the threat actor SideWinder. This operation is reportedly targeting ports and maritime facilities situated in both the Indian Ocean and the Mediterranean Sea. The objectives of this campaign are believed to be espionage and intelligence gathering.

The company's analysts noted that SideWinder has upgraded its infrastructure, employing new techniques and tactics since the last report on the group in mid-2023. The group's modus operandi involves sending spear-phishing emails containing malicious documents designed to lure victims. These documents often mimic official communications from recognisable organisations, aiming to trick targets into opening them.

The research uncovered that highly specific logos and themes are used in the phishing emails linked to SideWinder's operations. "We observed falsified visual bait documents that claimed to be associated with very specific port infrastructure, including the Port of Alexandria in the Mediterranean Sea," the team noted. They also observed documents masquerading as communications from the Port Authority of the Red Sea.

The evidence suggests that SideWinder's campaign targets multiple regions. Domains and documents linked to the initial stage imply a focus on Pakistan, Egypt, and Sri Lanka. Furthermore, subdomains associated with the second stage indicate additional targets including Bangladesh, Myanmar, Nepal, and the Maldives.

The group employs a variety of methods to bypass detection, including the use of email spear-phishing, document exploitation, and DLL side-loading techniques. The attack usually begins with the victim downloading a malicious document, which has minimal detection rates on VirusTotal, and then opening it to initiate the next stage of the attack. The malicious files often utilise remote template injection techniques, exploiting known vulnerabilities such as CVE-2017-0199 in Microsoft Office.

SideWinder’s newly identified second-stage command-and-control infrastructure involves an old Tor node, hinting at sophisticated measures to obfuscate network analysis. Multiple domains have been identified that mirror the naming structures used by SideWinder, showing a consistent pattern in their malicious campaigns.

The analysis also highlighted the use of highly emotive visual decoys to distract recipients. For example, documents included alarming phrases like "employee termination" and "salary cut," designed to provoke anxiety and prompt immediate action from victims.

"Threat actors hope that by eliciting strong emotions such as fear or anxiety, the target will be compelled to immediately open and read the document," the BlackBerry team explained. This tactic increases the likelihood of the malware being executed without the victim noticing unusual activity on their system.

Technical investigations revealed that the malicious files delivered by SideWinder often contain RTF (Rich Text Format) documents exploiting vulnerabilities to execute shellcode. This shellcode checks the victim’s system specifications to ensure it is not being run in a virtual environment before proceeding to execute further stages of the malware.

The report also detailed the domain and IP infrastructure leveraged for these attacks. Various domains, including ones spoofing official naval and governmental websites, were found to be part of SideWinder's toolkit.

BlackBerry's Threat Research and Intelligence team is continuously monitoring the activities of SideWinder and offers several countermeasures for organisations. These include keeping systems updated with the latest security patches, conducting phishing awareness training, implementing advanced email filtering solutions, and deploying advanced threat detection and response tools.