Skip to content

G0121 Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.123

Item Value
ID G0121
Associated Names T-APT-04, Rattlesnake
Version 1.0
Created 27 January 2021
Last Modified 21 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
T-APT-04 3
Rattlesnake 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Sidewinder has used HTTP in C2 communications.145
enterprise T1119 Automated Collection Sidewinder has used tools to automatically collect system and network configuration information.1
enterprise T1020 Automated Exfiltration Sidewinder has configured tools to automatically send collected files to attacker controlled servers.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Sidewinder has added paths to executables in the Registry to establish persistence.453
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Sidewinder has used PowerShell to drop and execute malware loaders.1
enterprise T1059.005 Visual Basic Sidewinder has used VBScript to drop and execute malware loaders.1
enterprise T1059.007 JavaScript Sidewinder has used JavaScript to drop and execute malware loaders.15
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.1
enterprise T1203 Exploitation for Client Execution Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.13
enterprise T1083 File and Directory Discovery Sidewinder has used malware to collect information on files and directories.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.1
enterprise T1105 Ingress Tool Transfer Sidewinder has used LNK files to download remote files to the victim’s network.13
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.45
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.5
enterprise T1027 Obfuscated Files or Information Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.143
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.1
enterprise T1566.002 Spearphishing Link Sidewinder has sent e-mails with malicious links often crafted for specific targets.13
enterprise T1598 Phishing for Information -
enterprise T1598.002 Spearphishing Attachment Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.143
enterprise T1598.003 Spearphishing Link Sidewinder has sent e-mails with malicious links to credential harvesting websites.1
enterprise T1057 Process Discovery Sidewinder has used tools to identify running processes on the victim’s machine.1
enterprise T1518 Software Discovery Sidewinder has used tools to enumerate software installed on an infected host.14
enterprise T1518.001 Security Software Discovery Sidewinder has used the Windows service winmgmts:\.\root\SecurityCenter2 to check installed antivirus products.4
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Sidewinder has used mshta.exe to execute malicious payloads.45
enterprise T1082 System Information Discovery Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.15
enterprise T1016 System Network Configuration Discovery Sidewinder has used malware to collect information on network interfaces, including the MAC address.1
enterprise T1033 System Owner/User Discovery Sidewinder has used tools to identify the user of a compromised host.1
enterprise T1124 System Time Discovery Sidewinder has used tools to obtain the current system time.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Sidewinder has lured targets to click on malicious links to gain execution in the target environment.1453
enterprise T1204.002 Malicious File Sidewinder has lured targets to click on malicious files to gain execution in the target environment.1453

Software

ID Name References Techniques
S0250 Koadic - Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Data from Local System Asymmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Window:Hide Artifacts Ingress Tool Transfer Network Service Discovery Network Share Discovery Security Account Manager:OS Credential Dumping NTDS:OS Credential Dumping Dynamic-link Library Injection:Process Injection Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Rundll32:System Binary Proxy Execution Regsvr32:System Binary Proxy Execution Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Service Execution:System Services Windows Management Instrumentation

References

Back to top