10 December 20, 13:17
Quote:The SideWinder advanced persistent threat (APT) group has mounted a fresh phishing and malware initiative, using recent territory disputes between China, India, Nepal and Pakistan as lures. The goal is to gather sensitive information from its targets, mainly located in Nepal and Afghanistan.
According to an analysis, SideWinder typically targets victims in South Asia and surroundings – and this latest campaign is no exception. The targets here include multiple government and military units for countries in the region researchers said, including the Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan and more.
The effort mainly makes use of legitimate-looking webmail login pages, aimed at harvesting credentials. Researchers from Trend Micro said that these pages were copied from their victims’ actual webmail login pages and subsequently modified for phishing. For example, “mail-nepalgovnp[.]duckdns[.]org” was created to pretend to be the actual Nepal government’s domain, “mail[.]nepal[.]gov[.]np”.
Interestingly, after credentials are siphoned off and the users “log in,” they are either sent to the legitimate login pages; or, they are redirected to different documents or news pages, related either to COVID-19 or political fodder.
Researchers said some of the pages include a May article entitled “India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” and a document called “Ambassador Yanchi Conversation with Nepali_Media.pdf,” which provides an interview with China’s ambassador to Nepal regarding Covid-19, the Belt and Road Initiative, and territorial issues in the Humla district.
The campaign also includes a malware element, with malicious documents delivered via email that are bent on installing a cyberespionage-aimed backdoor. And, there was evidence that the group is planning a mobile launch to compromise wireless devices.
“We identified a server used to deliver a malicious .lnk file and host multiple credential-phishing pages,” wrote researchers, in a Wednesday posting. “We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit.”
Read more: https://threatpost.com/sidewinder-apt-ne...gn/162086/