"Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique"

As part of a campaign that began in late November 2022, the Advanced Persistent Threat (APT) actor known as SideWinder has been using a backdoor in attacks against Pakistani government organizations. According to the BlackBerry Research and Intelligence Team, the SideWinder APT group used a server-based polymorphism method to deliver the next-stage payload. Another campaign discovered by the company in March 2023 shows that Turkey has also become a priority for the threat actor.

SideWinder has been on the radar since at least 2012, and it is primarily known to target Southeast Asian organizations in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. The group is also tracked under the names APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It is believed to be an Indian state-sponsored group. In the past year, SideWinder has been linked to a cyberattack against the Pakistan Navy War College (PNWC) and an Android malware campaign that harvested sensitive information using rogue phone-cleaner and Virtual Private Network (VPN) apps uploaded to the Google Play Store.

What distinguishes this campaign is the threat actor's use of server-based polymorphism to circumvent traditional signature-based antivirus detection and deliver additional payloads: the attacker's server responds with two variants of an intermediate RTF file, so no single file hash describes what victims receive. This article continues to discuss findings regarding SideWinder's attacks, techniques, and targets.
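The point of server-side polymorphism is that a whole-file hash of the intermediate RTF stops being a usable indicator: two victims receive two different files, each with its own hash, while the embedded object inside stays the same. The added example below (not code from the BlackBerry or THN articles, and the two RTF samples are constructed stand-ins, not real SideWinder artifacts) shows the defender's counter-move: fingerprint the embedded `\objdata` payload rather than the container, so cosmetic variation between variants no longer breaks the match. The `Package` object class and the 8-byte hex blob are placeholder values chosen for the demonstration.

```python
import hashlib
import re

# Constructed sample inputs (not real SideWinder files): two RTF variants that
# embed the same object payload but differ in cosmetic bytes (whitespace, an
# extra \deff0 group, a \*\generator destination, hex digit spacing). This models
# a server handing out a different container on each request.
RTF_VARIANT_A = rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}}\par}"
RTF_VARIANT_B = rb"{\rtf1\ansi\deff0 {\*\generator x;}{\object\objemb{\*\objclass  Package}{\*\objdata 01050000 02000000}}\par }"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the indicator that server-side polymorphism defeats."""
    return hashlib.sha256(data).hexdigest()


def extract_objdata(rtf: bytes) -> bytes:
    """Return the decoded payload of the first \\objdata destination, or b'' if absent.

    RTF stores embedded object bytes as hex digits that writers may split with
    arbitrary whitespace or line breaks, so the digits are joined before decoding.
    """
    match = re.search(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf)
    if not match:
        return b""
    hex_digits = re.sub(rb"\s+", b"", match.group(1))
    if len(hex_digits) % 2:  # malformed hex run: treat as no payload rather than guessing
        return b""
    return bytes.fromhex(hex_digits.decode("ascii"))


def payload_fingerprint(rtf: bytes) -> str:
    """Hash of the embedded object only; stable across cosmetic container changes."""
    return sha256_hex(extract_objdata(rtf))


def classify(rtf: bytes, known_container_hashes: set[str], known_payload_hashes: set[str]) -> dict:
    """Compare a sample against both indicator types and report which one fires."""
    return {
        "container_match": sha256_hex(rtf) in known_container_hashes,
        "payload_match": payload_fingerprint(rtf) in known_payload_hashes,
    }


if __name__ == "__main__":
    # Build indicators from the first variant only, as an analyst who has seen
    # a single sample would, then check the second variant against them.
    container_iocs = {sha256_hex(RTF_VARIANT_A)}
    payload_iocs = {payload_fingerprint(RTF_VARIANT_A)}
    print("variant B:", classify(RTF_VARIANT_B, container_iocs, payload_iocs))
```

Run as a script, the container hash of variant B misses the indicator set while the payload fingerprint hits, which is the behaviour to expect from any hash-based control facing a polymorphic server. The same idea extends to other invariants the attacker cannot cheaply vary, such as the object class or a hash over the object's decoded structure, and it complements (rather than replaces) behavioural detection of what the RTF does once opened.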

THN reports "Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique"

Submitted by Anonymous on