30 July 2024

SideWinder cyber spies shift focus to ports and maritime facilities in the Mediterranean Sea

The nation-state threat actor known as SideWinder has shifted its focus towards targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean. The new campaign employs spear-phishing tactics to infiltrate systems in countries such as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, also known by aliases such as APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is believed to be affiliated with India. Active since 2012, the group frequently utilizes spear-phishing to deliver malicious payloads and initiate attack chains. Historically, SideWinder's campaigns have centered around espionage and intelligence gathering, a trend that appears to continue with this latest campaign.

The group employs a variety of techniques to evade detection and deliver targeted implants, the BlackBerry Research and Intelligence Team said in a technical report. The threat actor's primary method combines email spear-phishing, document exploitation, and DLL side-loading. Victims typically receive a malicious document that has few or no detections on platforms like VirusTotal at the time it is delivered. Opening the document triggers the next stage of the attack.

The malicious documents are meticulously crafted to appear legitimate, often incorporating logos, company names, and themes familiar to the target. The documents are designed to resonate with the recipient's job location or field of work, using emotive phrases and highly charged subject matter to prompt immediate action. In the latest campaign, falsified “visual bait” documents were observed, purportedly associated with specific port infrastructure, such as the Port of Alexandria in the Mediterranean Sea and the Port Authority of the Red Sea.

The malicious documents exploit a critical Microsoft Office remote code execution flaw (CVE-2017-0199) to gain initial access to the target's system. The attacker sends the file as a phishing attachment and relies on the lure to convince the user to open it. The document contains an unobfuscated URL pointing to a site controlled by the threat actor; when the document is opened, Office follows that link and downloads the next-stage file.

Once the lure document is opened, it contacts the specified URL and downloads the next stage of the attack: an RTF file that exploits a second Microsoft Office vulnerability, the Equation Editor flaw CVE-2017-11882, and carries the shellcode that runs as soon as the file is opened.
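The two document stages described above leave static indicators that can be checked before the file is ever opened. The following Python script is an added example, not code from the BlackBerry report or from this article: it triages RTF files for the CVE-2017-0199 pattern (an OLE link object marked for automatic update whose object data carries an http(s) URL) and for the CVE-2017-11882 pattern (an embedded Equation Editor object, identified by its class name, by the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, or by an "Equation Native" stream name in the object data). It assumes both stages are RTF; the sample documents, the URL example.invalid and the function names are constructed for the example.

```python
"""Static triage of RTF lures for the two Office bugs in the SideWinder chain.

Constructed example: the indicators are generic CVE-2017-0199 / CVE-2017-11882
markers, not signatures taken from the campaign's samples.
"""
import re

# Hex payload of every {\*\objdata ...} group: the control word, then hex digits
# (with optional whitespace) up to the closing brace or next control word.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Printable-ASCII URL inside a decoded OLE object (the link moniker target).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, in the
# little-endian on-disk layout used inside OLE compound data.
EQ_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQ_STREAM = "Equation Native".encode("utf-16-le")


def decode_objdata(rtf: bytes):
    """Yield the raw bytes of each \\objdata hex blob in an RTF document."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a dangling nibble in truncated samples
        try:
            yield bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue


def find_urls(blob: bytes):
    """Return URLs stored in an OLE blob, whether as ASCII or as UTF-16LE."""
    urls = set(URL_RE.findall(blob))
    # Monikers frequently hold the target as UTF-16LE; drop the NULs and rescan.
    urls.update(URL_RE.findall(blob.replace(b"\x00", b"")))
    return sorted(u.decode("ascii", "replace") for u in urls)


def triage_rtf(rtf: bytes) -> dict:
    """Collect exploit indicators from one RTF document and summarise them."""
    lower = rtf.lower()
    result = {
        "ole_link": b"\\objautlink" in lower,      # linked (not embedded) OLE object
        "auto_update": b"\\objupdate" in lower,    # refresh the link on open
        "urls": [],
        # Obvious class name; obfuscated samples hide it, so the blobs are checked too.
        "equation_editor": b"equation.3" in lower or b"equation.2" in lower,
    }
    for blob in decode_objdata(rtf):
        result["urls"].extend(find_urls(blob))
        if EQ_CLSID in blob or EQ_STREAM in blob:
            result["equation_editor"] = True

    findings = []
    if result["ole_link"] and result["urls"]:
        findings.append("CVE-2017-0199: OLE link object fetching " + ", ".join(result["urls"]))
    if result["equation_editor"]:
        findings.append("CVE-2017-11882: Equation Editor object embedded")
    result["findings"] = findings
    return result


def is_suspicious(rtf: bytes) -> bool:
    return bool(triage_rtf(rtf)["findings"])


# Constructed samples (not real malware). Stage 1: an auto-updating OLE link whose
# object data carries the next-stage URL. Stage 2: an object with an innocuous
# class name but the Equation Editor CLSID inside its data.
_url_moniker = b"\x00\x00http://example.invalid/stage2.rtf\x00\x00"
STAGE1_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata " + _url_moniker.hex().encode() + b"}}}"
)
STAGE2_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata " + (b"\x01\x05\x00\x00" + EQ_CLSID).hex().encode() + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly port throughput report.\\par}"

if __name__ == "__main__":
    for name, doc in (("stage1", STAGE1_RTF), ("stage2", STAGE2_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc)["findings"] or "clean")
```

The script only covers the RTF carrier. A DOCX variant of the CVE-2017-0199 technique shows up instead as an oleObject relationship with TargetMode="External" in word/_rels/document.xml.rels, and a mature sandbox-evading sample may split or encode the URL so that a plain regex misses it; treat the output as a first triage signal, not a verdict.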

The shellcode's first task is to decide whether it is running on a real machine rather than in the virtual environments and sandboxes defenders use for analysis. It checks the processor type and continues execution only if it detects an Intel or AMD processor. The check is meant to keep the later stages from ever running inside automated analysis, so that the full chain is less likely to be observed by security operations center (SOC) teams. It is a coarse filter: most hypervisors pass the host's vendor string through to the guest, so a processor-vendor check alone does not reliably distinguish a VM from bare metal.

If the system passes this check, a small JavaScript stub is decrypted and executed; it in turn fetches the next execution step, also JavaScript, from a remote server.

“The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions. The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future,” the researchers concluded. “At the time of publication, we haven’t yet observed any samples of the JavaScript delivered in the last stage of the attack. However, based on SideWinder's prior campaigns, we believe that the goal of this campaign is espionage and intelligence gathering.”
