SideWinder, a prolific nation-state actor mainly known for targeting Pakistani military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.
How it Works
WarHawk disguises itself as a legitimate, well-known application such as ASUS Update Setup or Realtek HD Audio Manager, software already present on a large number of Windows PCs. It lures unsuspecting victims into launching the app, which executes code that automatically begins an unauthorized transfer of system metadata to a remote server.
The command execution also delivers a second-stage payload that checks whether the device's time zone matches Pakistan Standard Time (PST). If the time cannot be verified as matching, the process is terminated.
This attack was used to target several major Pakistani government entities such as SNGPL, NADRA, FIA, Customs, National Health Desk, and the Ministry of Foreign Affairs.
The shellcode then decrypts and loads Beacon, the default payload of Cobalt Strike, which establishes a connection to the attackers' command-and-control server.
Per the cybersecurity company, the campaign is linked to the SideWinder APT through the reuse of network infrastructure previously identified in the group's espionage-focused activity against Pakistan.
Snitch.exe CS Loader: ec33c5e1773b510e323bea8f70dcddb0
OneDrive.exe CS Beacon: d0acccab52778b77c96346194e38b244
DDRA.exe CS Beacon: 40f86b56ab79e94893e4c6f1a0a099a1
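The three hashes above are 32 hexadecimal characters long, which is the length of an MD5 digest, so a defender's first practical use of them is a file-hash sweep of endpoints or a malware repository. The script below is an added example, not code from the original report or from any vendor: it hashes every regular file under a directory and reports any whose MD5 matches the published indicators. The sample files it creates are constructed for the demonstration; only the three hash values and the sample names (Snitch.exe, OneDrive.exe, DDRA.exe) come from the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators published on the page. The 32-hex-character length implies MD5
# (an assumption of this example); the labels are the page's own descriptions.
WARHAWK_IOCS = {
    "ec33c5e1773b510e323bea8f70dcddb0": "Snitch.exe (Cobalt Strike loader)",
    "d0acccab52778b77c96346194e38b244": "OneDrive.exe (Cobalt Strike Beacon)",
    "40f86b56ab79e94893e4c6f1a0a099a1": "DDRA.exe (Cobalt Strike Beacon)",
}


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory buffer (used for small test inputs)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, iocs=WARHAWK_IOCS):
    """Walk `root` recursively and return (path, md5, label) for every file
    whose digest appears in the `iocs` mapping. Unreadable files are skipped
    rather than aborting the whole sweep."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Constructed demonstration: one benign file and one file named like a
    WarHawk sample. The second file's body is made up, so its hash is added to
    a copy of the IoC table under a clearly labelled test entry."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"nothing to see here")

        suspect = Path(tmp) / "OneDrive.exe"  # name from the page, content constructed
        suspect.write_bytes(b"constructed sample body, not a real binary")

        iocs = dict(WARHAWK_IOCS)
        iocs[md5_of_file(suspect)] = "constructed test IoC"
        return scan_for_iocs(tmp, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"MATCH {digest}  {label}  {path}")
```

Hash matching only catches these exact samples; a recompiled or repacked build will have a different digest, so the sweep complements, rather than replaces, the behavioural signals the report describes (a process impersonating ASUS or Realtek software, a time-zone check on startup, and Cobalt Strike Beacon traffic).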