New WarHawk malware spread by the SideWinder APT in Pakistan

October 27, 2022

The website of the National Electric Power Regulatory Authority (NEPRA) in Pakistan was recently compromised by the SideWinder APT and used to deliver a new backdoor dubbed WarHawk. According to the report, WarHawk is modular, with components that ultimately load Cobalt Strike, introduces new TTPs for the group, and checks that the victim machine's time zone is Pakistan Standard Time so that the later stages execute only on intended targets.

Researchers suspect that SideWinder, also tracked as Rattlesnake, Razor Tiger, and APT-C-17, is an Indian state-backed group. Separate findings published last May, however, showed that the earlier indicators tying the group to India have weakened, which makes attributing it to a specific nation harder.

Since April 2020 the group has been linked to more than 1,000 attacks, a tempo that reflects how aggressive it has become and how far its TTPs have matured since its first observed operations in 2012.

Security researchers have observed the group using an AntiBot script to fingerprint each visitor's browser environment, including the source IP address, and filter out unwanted traffic. The prevailing assessment is that this filtering is how the group confirms a visitor is actually located in Pakistan before serving the payload.

In September, SideWinder was observed delivering WarHawk through NEPRA's compromised website.

The infection chain began with a weaponised ISO file hosted on NEPRA's compromised website; opening it starts a kill chain that ends with WarHawk being deployed. The ISO also carried a decoy to mask the malicious activity: a genuine advisory issued by Pakistan's Cabinet Division on July 27, 2022, which is displayed to the victim.

Once on a machine, WarHawk masquerades as legitimate applications such as ASUS Update Setup and Realtek HD Audio Manager to persuade the victim to launch it. It then sends system metadata to the attackers' remote server and keeps polling that server for additional payloads to run.

The campaign also used WarHawk's command-execution module to deploy a second-stage payload, a Cobalt Strike loader. Before running, that loader validates that the victim machine's time zone matches Pakistan Standard Time, a gate that keeps the payload from executing on sandboxes or hosts outside the intended target set.
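As an added illustration (not code from the article or from the researchers it cites), the following Python triages constructed Sysmon-style telemetry for the chain described above: a binary named like a vendor updater launched from a freshly mounted volume, followed by an outbound connection from that same process to an external host. The event shapes are simplified stand-ins for Sysmon Event ID 1 (process create) and Event ID 3 (network connection), and every GUID, path and 203.0.113.x address is a constructed placeholder, not an indicator from the campaign.

```python
"""Added illustration (not from the article or the underlying research):
correlate simplified Sysmon-style events into the ISO-lure chain described
in the text. All GUIDs, paths and IPs are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Application names the article says the backdoor impersonates.
MASQUERADE_NAMES = ("asus update", "realtek hd audio")
SYSTEM_DRIVE = "C:"  # assumption: the OS volume is C:

# Internal ranges to ignore when looking for a beacon to a remote server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Event:
    event_id: int           # 1 = process create, 3 = network connection
    process_guid: str
    image: str = ""         # full path of the executable
    parent_image: str = ""
    dest_ip: str = ""


@dataclass
class Alert:
    process_guid: str
    image: str
    dest_ip: str
    reasons: List[str]


def looks_like_masquerade(image: str) -> bool:
    """Filename mimics one of the vendor tools named in the report."""
    filename = image.rsplit("\\", 1)[-1].lower()
    return any(name in filename for name in MASQUERADE_NAMES)


def launched_off_system_drive(image: str) -> bool:
    """Windows mounts an ISO as a new drive letter, so the lure never runs from C:."""
    return not image.upper().startswith(SYSTEM_DRIVE)


def is_external(ip: str) -> bool:
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events: Iterable[Event]) -> List[Alert]:
    """Stage 1: a masquerading binary starts from a non-system volume.
    Stage 2: the same process (matched by GUID) connects to an external host,
    the metadata-exfiltration / payload-fetch step described in the text."""
    suspects: Dict[str, Tuple[str, List[str]]] = {}
    alerts: List[Alert] = []
    for ev in events:
        if ev.event_id == 1:
            if looks_like_masquerade(ev.image) and launched_off_system_drive(ev.image):
                reasons = ["vendor-tool name masquerade",
                           "launched from non-system volume (possible mounted ISO)"]
                if ev.parent_image.lower().endswith("\\explorer.exe"):
                    reasons.append("started by explorer.exe (user double-click)")
                suspects[ev.process_guid] = (ev.image, reasons)
        elif ev.event_id == 3 and ev.process_guid in suspects and is_external(ev.dest_ip):
            image, reasons = suspects[ev.process_guid]
            alerts.append(Alert(ev.process_guid, image, ev.dest_ip,
                                reasons + ["outbound connection to external host"]))
    return alerts


# Constructed sample telemetry: a lure run from a mounted ISO (X:) that beacons
# out, and a same-named download on C: that also talks to the network.
SAMPLE_EVENTS = [
    Event(1, "{guid-a}", r"X:\ASUS Update Setup.exe", r"C:\Windows\explorer.exe"),
    Event(3, "{guid-a}", dest_ip="10.0.0.5"),       # internal destination; ignored
    Event(3, "{guid-a}", dest_ip="203.0.113.10"),   # placeholder external address
    Event(1, "{guid-b}", r"C:\Users\u\Downloads\Realtek HD Audio Manager.exe",
          r"C:\Windows\explorer.exe"),
    Event(3, "{guid-b}", dest_ip="203.0.113.20"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The drive-letter heuristic also fires on installers run from USB media, so treat the output as triage enrichment rather than a blocking rule. The time-zone gate described above is worth remembering when reproducing this in a lab: a detonation environment set to anything other than Pakistan Standard Time may show only the decoy document and none of the second-stage activity.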

Experts urge organisations, especially those in Pakistan, to stay alert and strengthen their defences, since SideWinder is expected to keep evolving its TTPs and adding new malware strains to its arsenal for future cyberespionage campaigns.
