Maritime organizations and nuclear energy entities, especially in South Asia, have been increasingly subjected to attacks by suspected Indian state-sponsored advanced persistent threat operation Sidewinder, indicating the group's evolution in targeting after predominantly attacking Chinese, Pakistani, Sri Lankan, and African government and military organizations, The Register reports.
Intrusions conducted by Sidewinder continued to involve the deployment of spear-phishing emails with a DOCX file downloading an RTF file that leverages the Microsoft Office memory corruption vulnerability, tracked as CVE-2017-11882, to deliver the continuously improved Backdoor Loader spreading the StealerBot payload, according to an analysis from Kaspersky.
Despite its dependence on phishing and an old security flaw, Sidewinder has been regarded by Kaspersky researchers to be a sophisticated threat group.
"Sidewinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know [of] the group's software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours," researchers added.
