#Sidewinder #APT

It seems that #Indian APTs have been waging war on #Pakistan with the same payloads over and over again. Meanwhile, the Pakistani #Government and #Military are either helpless or over-occupied. Following is another new sample whose lineage goes back years.
A variant of this sample has been attributed to #Sidewinder #APT by the Govt. of Pakistan. The #malware is deployed via an image shared in a #phishing email, using a methodology similar to the one shown in the attached image (not captured here).
Indicators from this sample (defanged):
DOCX MD5: 2a6249bc69463921ada1e960e3eea589 (filename: Mech 8 ZIRC0N-TSIRK0N.doc)
#Exploit URL: hashcheck[.]xyz/PY8997/yrql/plqs
RTF MD5: 7c11d5125c3fb167cca82ff8b539e3c7 (filename: plqs)
#C2: sportfunk[.]xyz/topaz/foti
Exploited vulnerability: CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
#Sidewinder #APT uses the following #killchain in this attack (kill-chain diagram attached to the original tweet, not captured here).
Data sent to the C2 (beacon template as shown in the thread; @@...@@ and <<...>> are placeholders filled in at runtime):
Name: @@PROCESSOR@@>Caption: Microsoft Windows 7 Professional >V:|||@@USER@@-@@HOSTNAME@@-@@guid??@@||||||@@[Two Char]|||[One digit]|||<<programfiles-folder>>?<<programfiles-folder>>?<<programfiles-folder>>?<<programfiles-folder>>?<<programfiles-folder>>?ÍÍÍÍÍÍÍÍÍ
AES implementation for communication with the C2. The thread labels it AES-256, but the key listed below is 16 bytes, which is the AES-128 key length; the key and IV are hardcoded in the sample, so anyone holding the binary can decrypt captured beacons.
Mode: CBC
Key: 56 de 87 34 db ec 2d 78 66 23 98 3b ce 77 73 8e
IV: 0a 0b 0c 0d 0e 0f 09 08 07 06 05 04 03 02 01 ab
The #Sidewinder #APT skillset seems a bit better than that of its other #Indian counterparts: it uses COM objects to perform operations, calls undocumented Windows APIs, and has much better phishing subjects.

rule SIDEWINDER_vtyrei_dll
{
    meta:
        author = "Will Lamiasi"
        description = "Hardcoded AES-CBC IV and key fragment used by the SideWinder DLL for C2 communication"
    strings:
        $h1 = {0a 0b 0c 0d 0e 0f 09 08 07 06 05 04 03 02 01 ab}   // the IV
        $h2 = {87 34 db ec 2d 78 66 23 98 3b ce 77 73 8e}         // key bytes 3..16 (the leading 56 de is omitted in the original rule)
    condition:
        ($h1 or $h2)
}
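As an added worked example (editor's code, not part of the original thread), the following Python ties the two technical pieces above together: it encrypts and decrypts a beacon under the fixed key and IV listed in the thread, parses a beacon built from the "Data sent to the C2" template, and re-implements the YARA rule's ($h1 or $h2) byte check. The beacon text and the fake DLL blob are constructed for illustration and are not real traffic or a real sample; the key, IV and hex patterns are the values the thread lists. It needs pycryptodome or the cryptography package.

```python
"""Added example (editor's code, not from the original thread).

Key/IV/hex patterns are the thread's values; beacon text and the fake DLL blob
are CONSTRUCTED. Needs pycryptodome or cryptography (pip install pycryptodome).
"""
import re

try:                                   # pycryptodome
    from Crypto.Cipher import AES as _AES

    def _aes_cbc(key, iv, data, encrypt):
        c = _AES.new(key, _AES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)
except ImportError:                    # fall back to the cryptography package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, encrypt):
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.encryptor() if encrypt else op.decryptor()
        return op.update(data) + op.finalize()

# Hardcoded values from the thread. 16 key bytes is an AES-128 key length,
# although the thread labels the scheme AES-256.
KEY = bytes.fromhex("56de8734dbec2d786623983bce77738e")
IV = bytes.fromhex("0a0b0c0d0e0f090807060504030201ab")
# Hex strings from the YARA rule; $h2 is the key minus its first two bytes.
H1 = IV
H2 = bytes.fromhex("8734dbec2d786623983bce77738e")

# Constructed sample beacon following the thread's template (not real traffic).
SAMPLE_BEACON = ("Name: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz>"
                 "Caption: Microsoft Windows 7 Professional >"
                 "V:|||jdoe-WIN7-PC-1a2b3c4d||||||AB|||3|||"
                 "C:\\Program Files?C:\\Program Files (x86)?")


def pkcs7_pad(data: bytes, block: int = 16) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = 16) -> bytes:
    if not data or len(data) % block:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def aes_cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC over block-aligned data (no padding); handy for test vectors."""
    return _aes_cbc(key, iv, data, True)


def encrypt_beacon(text: str) -> bytes:
    """What the implant sends: PKCS#7-padded beacon under the fixed key and IV."""
    return _aes_cbc(KEY, IV, pkcs7_pad(text.encode("latin-1")), True)


def decrypt_beacon(blob: bytes) -> str:
    """What an analyst holding the sample can do to a captured beacon."""
    return pkcs7_unpad(_aes_cbc(KEY, IV, blob, False)).decode("latin-1")


def parse_beacon(text: str) -> dict:
    """Split a beacon of the form
    Name: <cpu>>Caption: <os>>V:|||<user>-<host>-<guid>||||||<2 chars>|||<digit>|||<dir>?<dir>?
    The leading '|||' and the '||||||' pair each yield an empty field on split."""
    m = re.match(r"Name: (.*?)>Caption: (.*?)>V:(.*)$", text, re.S)
    if not m:
        raise ValueError("not a recognised beacon")
    cpu, os_caption, rest = m.groups()
    f = rest.split("|||")
    if len(f) < 6:
        raise ValueError("too few '|||' fields")
    return {
        "processor": cpu.strip(),
        "os": os_caption.strip(),
        "identity": f[1],                 # user-hostname-guid
        "tag": f[3],                      # the two-character field
        "digit": f[4],                    # the one-digit field
        "program_dirs": [d for d in f[5].split("?") if d],
    }


def scan_for_key_material(blob: bytes) -> dict:
    """Plain-Python equivalent of the YARA condition ($h1 or $h2)."""
    h1, h2 = H1 in blob, H2 in blob
    return {"h1": h1, "h2": h2, "match": h1 or h2}


if __name__ == "__main__":
    ct = encrypt_beacon(SAMPLE_BEACON)
    print("ciphertext:", ct.hex())
    print("decrypted :", decrypt_beacon(ct))
    print("parsed    :", parse_beacon(SAMPLE_BEACON))
    fake_dll = b"MZ" + b"\x90" * 64 + KEY + b"\x00" * 16 + IV   # constructed blob
    print("yara-like :", scan_for_key_material(fake_dll))
```

Because the IV is fixed, identical beacons produce identical ciphertext, which is itself a network-side fingerprint; and because $h2 is a substring of the full key, a blob containing the complete 16-byte key still triggers the rule.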
#Sidewinder #Vyrei #IOCs:

Thread author: William Lamiasi.