Full Report
High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas
Analysis Summary
# Threat Actor: SideWinder APT
## Attribution & Identity
Attributed to the threat actor known as SideWinder. The modus operandi is consistent with previous documented SideWinder attacks. The actor demonstrates consistent activity and organizational continuity.
## Activity Summary
Current campaign targets high-level government institutions in South Asia, specifically in **Sri Lanka, Bangladesh, and Pakistan**. The attacks leverage sophisticated spear-phishing emails with **geofenced payloads** to ensure only victims in specific target countries receive malicious content.
## Tactics, Techniques & Procedures
- Spear Phishing utilizing documents with geofenced payloads.
- Deployment of malware via exploitation of years-old Microsoft Office vulnerabilities.
- Initial exploitation targets **CVE-2017-0199** to deliver next-stage payloads.
- Subsequent execution uses **DLL side-loading** techniques to install malware.
- Further weaponization involves exploiting memory corruption vulnerability **CVE-2017-11882** (Equation Editor) to launch a shellcode-based loader.
- The actor seeks to maintain persistent access in government environments.
## Targeting
- Sectors: Government institutions (Ministries, Central Banks, Regulatory commissions).
- Geography: South Asia (specifically mentioned: Sri Lanka, Bangladesh, Pakistan).
- Victims:
  - Bangladesh: Telecommunication Regulatory Commission, Ministry of Defence, Ministry of Finance.
  - Pakistan: Directorate of Indigenous Technical Development.
  - Sri Lanka: Department of External Resources, Department of Treasury Operations, Ministry of Defence, Central Bank.
## Tools & Infrastructure
- Malware families used: **StealerBot** (.NET implant).
- StealerBot Capabilities: Drop additional malware, launch a reverse shell, collect screenshots, keystrokes, passwords, and files.
- Infrastructure: Not explicitly detailed beyond the delivery mechanisms (spear-phishing emails carrying RTF files). Decoy technique: if the requesting IP address does not match the geofence criteria, an empty RTF file is sent instead of the exploit document.
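The two object types named in the TTPs above (a linked OLE object that pulls a next stage via CVE-2017-0199, and an Equation Editor object for CVE-2017-11882) and the empty-RTF decoy described under Infrastructure can all be triaged statically at the mail gateway. The following Python heuristic is an added example, not code from Acronis or from the report; the URL Moniker CLSID and the `Equation.3` progid are public indicators that YARA rules for these CVEs commonly use, and every RTF sample below is constructed for illustration rather than taken from a real SideWinder document.

```python
import re

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, as it appears little-endian and
# hex-encoded inside an RTF \objdata stream. A linked OLE object carrying this moniker is
# the classic CVE-2017-0199 delivery vehicle; public YARA rules key on the same bytes.
URL_MONIKER_CLSID_HEX = "e0c9ea79f9bace118c8200aa004ba90b"
# Equation Editor objects carry the "Equation.3" progid (the CVE-2017-11882 vehicle).
EQUATION_PROGID_HEX = "Equation.3".encode("ascii").hex()   # 4571756174696f6e2e33

NON_HEX = re.compile(r"[^0-9a-fA-F]")


def objdata_blobs(rtf: str) -> list:
    """Return the payload of every \\objdata group with all non-hex characters removed.

    Exploit builders pad the hex with whitespace, line breaks and junk control words to
    break naive signatures, so normalising first is what makes the CLSID match reliable.
    """
    blobs, pos = [], 0
    while True:
        start = rtf.find(r"\objdata", pos)
        if start == -1:
            return blobs
        depth, i = 0, start
        while i < len(rtf):              # walk to the brace that closes the enclosing group
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        blobs.append(NON_HEX.sub("", rtf[start + len(r"\objdata"):i]).lower())
        pos = i


def visible_text(rtf: str) -> str:
    """Crude text extraction: drop control words, control symbols and group braces."""
    text = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", rtf)
    text = re.sub(r"\\.", "", text)
    return re.sub(r"[{}\s]", "", text)


def assess_rtf(rtf: str) -> dict:
    blobs = objdata_blobs(rtf)
    joined = "".join(blobs)
    f = {
        "objdata_groups": len(blobs),
        # \objupdate forces the linked object to refresh on open, the trigger that
        # CVE-2017-0199 lures rely on.
        "objupdate": r"\objupdate" in rtf,
        "url_moniker": URL_MONIKER_CLSID_HEX in joined,
        "equation_object": (EQUATION_PROGID_HEX in joined
                            or re.search(r"\\objclass\s*Equation\.3", rtf) is not None),
        # An RTF with no objects and no text matches the decoy the report describes:
        # the empty file served to requests that fail the geofence check.
        "empty_document": not blobs and visible_text(rtf) == "",
    }
    if f["equation_object"] or (f["url_moniker"] and f["objupdate"]):
        f["verdict"] = "block"
    elif f["url_moniker"] or f["objupdate"] or f["empty_document"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "clean"
    return f


# Constructed samples for illustration; none is a real SideWinder document.
SAMPLE_LURE = (r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
               r"{\*\objdata 0105000002000000 E0C9EA79 F9BACE11" "\n"
               r"8C8200AA 004BA90B 00000000}}}")
SAMPLE_EQN = r"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"
SAMPLE_DECOY = r"{\rtf1\ansi\deff0}"
SAMPLE_BENIGN = r"{\rtf1\ansi Quarterly budget memo.\par}"

if __name__ == "__main__":
    for name, doc in [("lure", SAMPLE_LURE), ("equation", SAMPLE_EQN),
                      ("decoy", SAMPLE_DECOY), ("benign", SAMPLE_BENIGN)]:
        print(name, assess_rtf(doc))
```

The "review" verdict on an empty RTF is deliberately weak: an empty attachment is only a signal in combination with the sender and the link it came from, but it is exactly what a non-targeted recipient in this campaign would receive, so it is worth surfacing to an analyst rather than discarding.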
## Implications
SideWinder displays a high degree of control and precision, delivering payloads only to carefully selected targets, often for limited durations. The consistent pace of operations suggests sustained intent and organizational maturity. Targeting high-level government ministries indicates espionage objectives related to state secrets or policy information within South Asian countries. The reliance on old, known vulnerabilities (the CVE-2017 series) suggests the targeted organizations may have weak patch management for legacy systems.
## Mitigations
- Patching and aggressively mitigating known vulnerabilities, specifically **CVE-2017-0199** and **CVE-2017-11882** in Microsoft Office.
- Implementing robust email filtering and security awareness training to counter spear-phishing lures related to official documents.
- Deploying advanced endpoint detection and response (EDR) capable of detecting DLL side-loading techniques.
- Network monitoring and segmentation to limit the blast radius should StealerBot establish persistence or a reverse shell, and to detect data exfiltration.
- Applying geofencing or IP/location verification defensively, since the actor uses the same technique to control who receives the payload.