One Thousand and One Attacks: Tale of the Venomous SideWinder
Abstract
The SideWinder threat actor, also known as RattleSnake and T-APT-04, has been one of the most aggressive threat actors in the past couple of years. The main characteristics that make this threat actor stand out from the others are the sheer number, high frequency and persistence of its attacks, and the large collection of encrypted and obfuscated malicious components used in its operations. We have detected over a thousand attacks by this APT actor since April 2020. It also maintains a large infrastructure base, with hundreds of domains and subdomains used as download and command-and-control servers. SideWinder has been active since at least 2012, and for several years its main target profile included police, military, maritime and naval forces of Central Asian countries. In recent years it has also targeted departments of foreign affairs, scientific and defence organizations, aviation, the IT industry and legal firms. Some of its newly registered domains and spearphishing documents indicate that this threat actor is expanding the geography of its targets to other countries and regions. The actor has a relatively high level of sophistication, using various infection vectors and advanced attack techniques. These techniques include multiple obfuscation routines, encryption with a unique key for each malicious file, multi-layer malware, memory-resident malware, and splitting infrastructure strings (such as server addresses) across different malware components. This talk will give details of the SideWinder threat actor's infection chain, toolset, obfuscation techniques, infrastructure analysis and evolution over the past few years. The talk will also give an overview of the techniques and methods used in the investigation of high-volume attacks that rely on large numbers of obfuscated malware samples and multi-stage infection chains.
Speaker Bio: Noushin Shabab is a cybersecurity researcher based in Australia, specializing in reverse engineering and targeted attack investigations. She joined Kaspersky in 2016 as a senior security researcher in the Global Research & Analysis Team (GReAT). Her research focuses on the investigation of advanced cyber-criminal activities and targeted attacks, with a particular focus on local threats in the Asia Pacific region. Prior to joining Kaspersky, Noushin worked as a senior malware analyst and security software developer, focusing on rootkit analysis and detection techniques as well as APT attack investigations. Noushin is very active in the global cybersecurity community, where she regularly presents at security conferences and events and also delivers technical workshops. She is also a member of the Australian Women in Security Network (AWSN), which aims to connect, support, collaborate with and inspire women in the Australian cybersecurity industry.