Kaspersky Discovers Expansion of SideWinder APT Group and New Espionage Toolkit 'StealerBot' in Middle East and Africa

Devdiscourse News Desk | Johannesburg | Updated: 16-10-2024 21:55 IST | Created: 16-10-2024 21:55 IST

Kaspersky's Global Research and Analysis Team (GReAT) has identified a significant expansion in the cyber operations of the SideWinder Advanced Persistent Threat (APT) group, which is now actively targeting high-profile entities and critical infrastructures across the Middle East and Africa using a newly uncovered espionage toolkit named ‘StealerBot.’ This detection is part of Kaspersky's ongoing surveillance of APT activities, revealing recent campaigns aimed at strategic targets in various countries, including Turkiye, Morocco, and Djibouti. The group remains active and is likely to continue its attacks on other potential victims.

SideWinder, also known as T-APT-04 or RattleSnake, has established itself as one of the most prolific APT groups since its inception in 2012. Historically, the group has focused on military and government targets, primarily in Pakistan, Sri Lanka, China, and Nepal. Recent observations, however, show a marked shift in its focus towards high-profile entities and strategic infrastructures in the Middle East and Africa.

In addition to geographical expansion, Kaspersky has identified the usage of ‘StealerBot,’ an advanced modular toolkit designed for espionage operations. This post-exploitation tool is the primary instrument employed by SideWinder in its recent attacks.

Giampaolo Dedola, lead security researcher at Kaspersky's GReAT, elaborates on StealerBot's functionality: “In essence, StealerBot is a stealthy espionage tool that allows threat actors to spy on systems while avoiding easy detection. It operates through a modular structure, with each component performing a specific function. Notably, these modules never appear as files on the system’s hard drive, making them difficult to trace. Instead, they are loaded directly into the memory. At the core of StealerBot is the ‘Orchestrator,’ which oversees the operation, communicates with the command-and-control server, and coordinates the execution of its various modules.”

Malicious Activities of StealerBot

Kaspersky's investigation has revealed that StealerBot is capable of executing a wide range of malicious activities, including:

  • Installing additional malware
  • Capturing screenshots
  • Logging keystrokes
  • Stealing passwords from web browsers
  • Intercepting Remote Desktop Protocol (RDP) credentials
  • Exfiltrating files and sensitive data

Attack Vectors and Tactics

Kaspersky first reported on the SideWinder group’s activities in 2018, noting that the group primarily uses spear-phishing emails as its infection vector. These emails usually carry malicious documents that exploit vulnerabilities in Microsoft Office, and occasionally LNK, HTML, and HTA files embedded in archives. The documents typically include information gathered from public websites, which lends them an appearance of legitimacy and entices victims into opening them. Kaspersky has also observed a mix of custom-developed and modified publicly available Remote Access Trojans (RATs) being deployed in parallel campaigns.

Recommendations for Mitigation

To combat the rising threat posed by APT groups like SideWinder, Kaspersky's experts recommend that organizations implement several security measures, including:

  • Equipping cybersecurity teams with the latest insights and technical details via resources like the Kaspersky Threat Intelligence Portal.
  • Utilizing robust endpoint solutions and advanced threat detection tools, such as Kaspersky Next and Kaspersky Anti-Targeted Attack Platform.
  • Conducting training sessions to educate employees on recognizing cybersecurity threats, particularly phishing attempts.

As cyber threats continue to evolve, maintaining a proactive approach to cybersecurity is critical in safeguarding sensitive information and infrastructure against advanced persistent threats.