The SideWinder APT group is expanding its attack operations into the Middle East and Africa utilising a previously unknown espionage toolkit called “StealerBot”, says Kaspersky’s Global Research and Analysis Team (GReAT).
As part of its ongoing monitoring of APT activities, Kaspersky discovered that recent campaigns by the SideWinder APT group were targeting high-profile entities and strategic infrastructures in various countries in the Middle East, Turkiye, as well as in Morocco and Djibouti in Africa. The campaign, in general, remains active and may target other victims.
SideWinder, also known as T-APT-04 or RattleSnake, is one of the most prolific APT groups that started operations in 2012. Over the years, it has primarily targeted military and government entities in Pakistan, Sri Lanka, China, and Nepal, as well as other sectors and countries in South and Southeast Asia. Recently, Kaspersky observed new waves of attacks which have expanded to impact high-profile entities and strategic infrastructure in the Middle East and Africa.
Besides the geographical expansion, Kaspersky discovered that SideWinder is using a previously unknown post-exploitation toolkit called “StealerBot”. This is an advanced modular implant designed specifically for espionage activities and currently used by the group as the main post-exploitation tool.
“In essence, StealerBot is a stealthy espionage tool that allows threat actors to spy on systems while avoiding easy detection,” says Giampaolo Dedola, lead security researcher at Kaspersky’s GReAT. “It operates through a modular structure with each component designed to perform a specific function. Notably, these modules never appear as files on the system’s hard drive, making them difficult to trace. Instead, they are loaded directly into the memory. At the core of StealerBot is the ‘Orchestrator’, which oversees the entire operation, communicating with the threat actor’s command-and-control server and coordinating the execution of its various modules.”
During its latest investigation, Kaspersky observed that StealerBot is performing a range of malicious activities such as installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, intercepting RDP (Remote Desktop Protocol) credentials, exfiltrating files, and more.
Kaspersky first reported on the group’s activities in 2018. This actor is known to rely on spear-phishing emails as its main infection method, containing malicious documents exploiting Office vulnerabilities and occasionally making use of LNK, HTML and HTA files that are contained in archives. The documents often contain information obtained from public websites which is used to lure the victim into opening the file and believing it to be legitimate.
Kaspersky observed several malware families being used within parallel campaigns, including both custom-made and modified, publicly available RATs.