Old Office Holes Still Aid Ministry Spying

The Sidewinder group has recently embarked on a new cyber-espionage campaign targeting public institutions throughout South Asia, with departments in Sri Lanka, Bangladesh, and Pakistan affected by the attacks. According to Acronis, the attacks began with phishing emails carrying malicious attachments. The attachments only executed for recipients in the targeted countries; anyone else was shown an empty document.

To infect systems, the attackers exploited known vulnerabilities in Microsoft Office, specifically CVE-2017-0199 and CVE-2017-11882. Opening these documents triggered the installation of a malicious tool called Stealerbot, which is written in .NET and collects sensitive information such as screenshots, keystrokes, passwords, and files. The malware can also hand control to the attacker through a reverse shell and spreads by modifying DLLs to evade detection.
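Both bugs named above are reached through OLE objects embedded in documents, which gives defenders a cheap triage point at the mail gateway or in an analysis pipeline. The script below is an added example and is not code from Acronis, Kaspersky, or the reports on this campaign; it applies two assumed heuristics to RTF attachments: an embedded Equation Editor object (the component CVE-2017-11882 lives in, identified by the `Equation.3` class name or its CLSID) and an auto-updating OLE link (`\objautlink` with `\objupdate`, the pattern CVE-2017-0199 abuses). It searches both the plaintext RTF and the hex-decoded `\objdata` blobs, since the OLE1 header inside those blobs carries the class name. The sample documents are constructed for the demonstration and contain no real payload.

```python
"""Triage heuristics for RTF attachments that embed OLE objects (example code, not the project's)."""
from __future__ import annotations

import re

# Assumed triage markers; a starting point for alerting, not a complete signature set.
EQUATION_MARKERS = (b"Equation.3", b"0002CE02-0000-0000-C000-000000000046")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")   # hex-encoded OLE object data
AUTOLINK_RE = re.compile(rb"\\objautlink")                   # OLE link rather than embedded object
UPDATE_RE = re.compile(rb"\\objupdate")                      # link refreshes (fetches) on open


def is_rtf(data: bytes) -> bool:
    """RTF files begin with the {\\rtf control word."""
    return data.lstrip().lower().startswith(b"{\\rtf")


def decode_objdata(data: bytes) -> list[bytes]:
    """Decode every hex-encoded \\objdata blob so class names inside OLE1 headers can be searched."""
    blobs = []
    for match in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble from truncated output
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def triage_rtf(data: bytes) -> list[str]:
    """Return the indicator names found; an empty list means nothing matched these heuristics."""
    if not is_rtf(data):
        return []
    haystacks = [data.lower()] + [blob.lower() for blob in decode_objdata(data)]
    findings = []
    if any(marker.lower() in hay for hay in haystacks for marker in EQUATION_MARKERS):
        findings.append("equation-editor-object (CVE-2017-11882 indicator)")
    if AUTOLINK_RE.search(data) and UPDATE_RE.search(data):
        findings.append("auto-updating-ole-link (CVE-2017-0199 indicator)")
    return findings


# Constructed samples for offline demonstration; none of these carries a real exploit.
OLE1_EQUATION_HEADER = (
    b"\x01\x05\x00\x00"      # OLE1 version
    + b"\x02\x00\x00\x00"    # format id: embedded object
    + b"\x0b\x00\x00\x00"    # class-name length including the NUL terminator
    + b"Equation.3\x00"      # class name that identifies an Equation Editor object
)
SAMPLE_EQUATION_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objdata "
    + OLE1_EQUATION_HEADER.hex().encode("ascii")
    + b"}}}"
)
SAMPLE_AUTOLINK_RTF = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}{\\*\\objdata 0105}}}"
)
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly budget figures attached.\\par}"
SAMPLE_NOT_RTF = b"PK\x03\x04 not an RTF file"

if __name__ == "__main__":
    for name, sample in [
        ("equation-object", SAMPLE_EQUATION_RTF),
        ("auto-link", SAMPLE_AUTOLINK_RTF),
        ("benign", SAMPLE_BENIGN_RTF),
        ("not-rtf", SAMPLE_NOT_RTF),
    ]:
        print(f"{name:16s} -> {triage_rtf(sample) or 'no indicators'}")
```

A hit from `triage_rtf` is a reason to detonate the attachment in a sandbox or hold it for review, not proof of compromise; legitimate documents do embed equations and links. The decisive control for both CVEs remains the 2017 Office updates, which this heuristic complements rather than replaces.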

The targets of these attacks included ministries of defense, finance, central banks, and telecom regulators. The geofiltering of the attacks and the specific timeframes for activity suggest a deliberate and targeted strategy. The Sidewinder group’s consistent activity, with minimal breaks, indicates a structured and motivated operation.

Previous reports from Kaspersky Lab have documented similar activity by the Sidewinder group, indicating continuity in their approach and stability in their tooling. Despite the age of the exploits, the attacks remain effective because unpatched systems are still in use, leaving attackers openings to exploit.
