Numerous high-profile organizations across Asia and Africa, including government and military entities, financial companies, and telecommunications firms, have been subjected to an expanded wave of intrusions by SideWinder, a suspected Indian state-backed advanced persistent threat operation also known as APT-C-17, Rattlesnake, and T-APT-04, according to The Hacker News.
SideWinder attacks begin with spear-phishing emails carrying either a ZIP file that contains a malicious LNK file or a malicious Office document. Opening the lure triggers a multi-stage infection chain involving JavaScript malware and the Backdoor loader module, which ultimately deploys the sophisticated .NET-based StealerBot payload, a report from Kaspersky showed. Besides capturing screenshots, logging keystrokes, exfiltrating browser passwords, and stealing files, StealerBot also enables remote desktop credential compromise, Windows credential phishing, and further malware injections. "[SideWinder] may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," said Kaspersky.
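The ZIP-with-LNK lure described above is something a mail gateway or triage analyst can check for before the archive ever reaches a user. The following is an added example written for this page, not code from Kaspersky or The Hacker News: it scans an in-memory ZIP attachment for members that carry the Windows shell link header (so a renamed .lnk is still caught), for members named .lnk, and for double extensions such as "Report.pdf.lnk" that rely on Windows hiding the final extension. The sample archive it builds is constructed for the demonstration and contains no real malware.

```python
import io
import zipfile
from dataclasses import dataclass

# Shell Link (.LNK) header: HeaderSize 0x0000004C little-endian, followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document-looking extensions that attackers place in front of the real .lnk.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}


@dataclass
class Finding:
    member: str
    reason: str


def scan_zip_attachment(data: bytes, max_members: int = 1000) -> list:
    """Return a list of Findings for a ZIP attachment held in memory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP container")]
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:          # only read the header bytes
                head = fh.read(len(LNK_MAGIC))
            if head.startswith(LNK_MAGIC):
                findings.append(Finding(name, "content is a Windows shell link (LNK header)"))
            elif lower.endswith(".lnk"):
                findings.append(Finding(name, "named .lnk but header does not match"))
            if lower.endswith(".lnk"):
                inner = lower[:-4].rsplit(".", 1)   # e.g. "report.pdf" -> ["report", "pdf"]
                if len(inner) == 2 and inner[1] in DOC_EXTS:
                    findings.append(Finding(name, "double extension hides .lnk behind a document type"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one benign text file plus a fake LNK with a document-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly figures attached")
        zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # header only, no link data
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip())` yields two findings, both on "Report.pdf.lnk" (LNK header present, and a document extension in front of .lnk), while "readme.txt" is left alone.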