Executive Summary
Cybersecurity researchers at SecureList by Kaspersky have uncovered a sophisticated cyber espionage campaign by SideWinder, an Advanced Persistent Threat group targeting hospitality and consulting organizations, among others, across South and Southeast Asia, the Middle East, Europe, and Africa.
The group relies on spear-phishing emails containing malicious documents that exploit CVE-2017-11882, a dated but effective Microsoft Office vulnerability, to deploy StealerBot, a modular post-exploitation toolkit.
Community Impact
The retail and hospitality industries are increasingly being targeted as part of SideWinder’s expanded espionage operations, with evidence of attacks against hotels, real estate agencies, and consulting firms, among others. Because the hospitality sector handles large amounts of personal and financial data, RH-ISAC Core Member Organizations should ingest the intelligence included in this report and in the original SecureList report linked above, and review and ingest the Indicators of Compromise included below.
Analysis
SideWinder’s attack chains primarily rely on spear-phishing emails containing malicious DOCX documents that exploit CVE-2017-11882, an 8-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor. When opened, the malicious document triggers remote template injection, fetching an RTF file from an attacker-controlled server. This RTF exploit executes embedded shellcode, which downloads and runs JavaScript code using the mshtml.RunHTMLApplication function, which in turn employs a .NET downloader named ModuleInstaller to ultimately launch StealerBot, an advanced cyberespionage tool designed for data exfiltration, system compromise, and the facilitation of further malicious activities.
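As an added example (not code from the RH-ISAC advisory or the SecureList report), the following Python scanner inspects a DOCX for the external attachedTemplate relationship that the remote template injection step described above depends on; the sample document it builds, and the template URL passed in, are constructed for illustration.

```python
"""Detect remote-template injection in DOCX files (added example).

A DOCX is a zip; a remote template is declared in word/_rels/settings.xml.rels
as an attachedTemplate relationship with TargetMode="External". This scanner
flags such targets. The sample document built below is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the DOCX."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == TEMPLATE_REL
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target", ""))
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """True if the document pulls its template over HTTP(S)."""
    return any(t.lower().startswith(("http://", "https://"))
               for t in external_templates(docx_bytes))


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal constructed DOCX, optionally with a remote template."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_url:
        rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                 f'Target="{template_url}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A benign document that references a local template (no External target mode) is not flagged, so the check is narrower than "has a template" and suits mail-gateway triage.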
Indicators of Compromise
SecureList has provided the following Indicators of Compromise. RH-ISAC Core Members are encouraged to ingest them at the earliest feasible opportunity: