Sidewinder
Associated Group Descriptions

Name | Description
---|---
T-APT-04 | (Citation: Cyble Sidewinder September 2020)
Rattlesnake | (Citation: Cyble Sidewinder September 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sidewinder has used HTTP in C2 communications.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Sidewinder has added paths to executables in the Registry to establish persistence.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Sidewinder has used PowerShell to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sidewinder has used VBScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Sidewinder has used JavaScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Sidewinder has used DLL side-loading to drop and execute malicious payloads, including the hijacking of the legitimate Windows application file rekeywiz.exe.(Citation: ATT Sidewinder January 2021)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sidewinder has named malicious files
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Sidewinder has used base64 encoding for scripts.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Sidewinder has sent e-mails with malicious attachments, often crafted for specific targets.(Citation: ATT Sidewinder January 2021)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Sidewinder has sent e-mails with malicious links, often crafted for specific targets.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)
Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Sidewinder has sent e-mails with malicious links to credential harvesting websites.(Citation: ATT Sidewinder January 2021)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Sidewinder has used the Windows service
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Sidewinder has used
Enterprise | T1204.001 | User Execution: Malicious Link | Sidewinder has lured targets to click on malicious links to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)
Enterprise | T1204.002 | User Execution: Malicious File | Sidewinder has lured targets to click on malicious files to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)
Software

ID | Name | References | Techniques
---|---|---|---
S0250 | Koadic | (Citation: ATT Sidewinder January 2021) (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) | System Network Configuration Discovery, System Information Discovery, Visual Basic, Mshta, Dynamic-link Library Injection, Regsvr32, System Owner/User Discovery, Hidden Window, Security Account Manager, Ingress Tool Transfer, Web Protocols, Windows Management Instrumentation, PowerShell, Clipboard Data, Bypass User Account Control, Network Service Discovery, Remote Desktop Protocol, Windows Command Shell, File and Directory Discovery, Registry Run Keys / Startup Folder, NTDS, Service Execution, Data from Local System, Asymmetric Cryptography, Network Share Discovery, Rundll32, Scheduled Task
References
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
- Global Research and Analysis Team. (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.