SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan


SideWinder, a prolific nation-state actor mainly known for targeting Pakistani military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.

How it Works

WarHawk disguises itself as legitimate, well-known applications such as ASUS Update Setup or Realtek HD Audio Manager, which are already installed on a multitude of Windows PCs. It lures unsuspecting victims into launching the app, which executes code that automatically begins an unauthorized transfer of system metadata to a remote server.

The command execution also delivers a second-stage payload that checks whether the device's time matches Pakistan Standard Time (PST); if the time cannot be verified and matched, the process terminates.

This attack was used to target several major Pakistani government entities such as SNGPL, NADRA, FIA, Customs, National Health Desk, and the Ministry of Foreign Affairs.

The shellcode then decrypts and loads Beacon, the default malware payload used by Cobalt Strike to establish a connection to its command-and-control server.

Per the cybersecurity company, the attack campaign’s connections to the SideWinder APT stem from the reuse of network infrastructure that has been identified as used by the group in prior espionage-focused activities against Pakistan.

IoCs (hashes are MD5; URLs are defanged):

ISO:

32-Advisory-No-32.iso: d510808a743e6afc705fc648ca7f896a
URL: nepra[.]org[.]pk/css/32-Advisory-No-32[.]iso

33-Advisory-No-33-2022.pdf.iso: 63d6d8213d9cc070b2a3dfd3c5866564

WarHawk Backdoor:

WarHawk_v1: 8f9cf5c828cb02c83f8df52ccae03e2a
WarHawk_v1.1: 5cff6896e0505e8d6d98bff35d10c43a
CnC: 146[.]190[.]235[.]137/wh/glass[.]php

Cobalt Strike:

Snitch.exe CS Loader: ec33c5e1773b510e323bea8f70dcddb0
URL: 146[.]190[.]235[.]137/Snitch[.]exe

OneDrive.exe CS Beacon: d0acccab52778b77c96346194e38b244
URL: 146[.]190[.]235[.]137/OneDrive[.]exe

DDRA.exe CS Beacon: 40f86b56ab79e94893e4c6f1a0a099a1
URL: 146[.]190[.]235[.]137/DDRA[.]exe
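As an added defensive example (not code from the advisory or from any vendor), the following Python refangs the indicators listed above and checks them against constructed proxy-log lines and observed file hashes; the log line format and the function names are assumptions.

```python
import re

# Indicators copied from the advisory's IoC section, in their published (defanged) form.
C2_URLS_DEFANGED = [
    "nepra[.]org[.]pk/css/32-Advisory-No-32[.]iso",
    "146[.]190[.]235[.]137/wh/glass[.]php",
    "146[.]190[.]235[.]137/Snitch[.]exe",
    "146[.]190[.]235[.]137/OneDrive[.]exe",
    "146[.]190[.]235[.]137/DDRA[.]exe",
]
MD5_HASHES = {
    "d510808a743e6afc705fc648ca7f896a": "32-Advisory-No-32.iso",
    "63d6d8213d9cc070b2a3dfd3c5866564": "33-Advisory-No-33-2022.pdf.iso",
    "8f9cf5c828cb02c83f8df52ccae03e2a": "WarHawk_v1",
    "5cff6896e0505e8d6d98bff35d10c43a": "WarHawk_v1.1",
    "ec33c5e1773b510e323bea8f70dcddb0": "Snitch.exe (CS loader)",
    "d0acccab52778b77c96346194e38b244": "OneDrive.exe (CS Beacon)",
    "40f86b56ab79e94893e4c6f1a0a099a1": "DDRA.exe (CS Beacon)",
}

def refang(indicator):
    """Undo publication-safe defanging so the value can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

URL_RE = re.compile(r"https?://(\S+)")

def scan_proxy_log(lines):
    """Return (line_number, matched_url) for every log line whose requested URL,
    with the scheme stripped, equals one of the advisory's URLs."""
    targets = {refang(u) for u in C2_URLS_DEFANGED}
    hits = []
    for n, line in enumerate(lines, start=1):
        m = URL_RE.search(line)
        if m and m.group(1) in targets:
            hits.append((n, m.group(1)))
    return hits

def scan_hashes(observed):
    """Map each observed MD5 (any letter case) to the advisory's label for it, if listed."""
    return {h: MD5_HASHES[h.lower()] for h in observed if h.lower() in MD5_HASHES}

# Constructed sample proxy log lines for demonstration; not taken from the advisory.
# Assumed format: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2022-10-20T09:14:02Z 10.20.1.15 GET http://nepra.org.pk/css/32-Advisory-No-32.iso 200",
    "2022-10-20T09:14:20Z 10.20.1.15 GET http://www.example.com/ 200",
    "2022-10-20T09:15:41Z 10.20.1.15 POST http://146.190.235.137/wh/glass.php 200",
    "2022-10-20T09:16:03Z 10.20.1.15 GET http://146.190.235.137/Snitch.exe 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 1, 3 and 4 (the ISO download, the WarHawk C2 check-in and the Cobalt Strike loader fetch) and leaves the benign request alone.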


Published October 25th, 2022 | Categories: Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author: FirstHackersNews
