South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware
Briefly

A new campaign by the threat actor SideWinder has emerged, specifically targeting high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. The attackers use spear-phishing emails with geofenced payloads, ensuring that malicious content reaches only recipients in specific countries. By exploiting old, long-patched vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882), they deploy StealerBot, malware used to maintain persistent access. Significant targets include various ministries and regulatory commissions across the three nations, following patterns similar to those seen in previous SideWinder attacks documented earlier this year.
One noteworthy tactic adopted by SideWinder is that the spear-phishing emails are coupled with geofenced payloads, so that only victims meeting the targeting criteria are served the malicious content. If the victim's IP address does not match the targeting criteria, an empty RTF file is served instead as a decoy.
These attacks leverage spear-phishing lures as a starting point to activate the infection process and deploy known malware referred to as StealerBot.
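A triage heuristic for the RTF attachments described above, added here as an example and not code from The Hacker News or from the researchers who documented the campaign. The sample RTF strings are constructed, the control words and hex strings are the commonly cited markers of CVE-2017-0199 (OLE link auto-update) and CVE-2017-11882 (Equation Editor object), and the size threshold used to call a file an "empty decoy" is an assumption:

```python
import re

# Constructed sample inputs (not real captures): an empty decoy RTF like the one
# served to non-targeted IPs, and two minimal RTFs carrying OLE objects.
DECOY_RTF = rb"{\rtf1\ansi\deff0 }"
LURE_RTF = (rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
            rb"{\*\objdata 01050000020000000b0000004f4c45324c696e6b000000}}}")
EQNEDT_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
              rb"{\*\objdata 010500000200000002ce020000000000c000000000000046}}}")

# Indicators commonly associated with the two Office flaws named on the page.
INDICATORS = {
    "objupdate": rb"\\objupdate",                # CVE-2017-0199: OLE link auto-updates on open
    "objautlink": rb"\\objautlink",              # CVE-2017-0199: linked (not embedded) object
    "ole2link": rb"4f4c45324c696e6b",            # hex-encoded "OLE2Link" inside \objdata
    "equation3": rb"Equation\.3",                # CVE-2017-11882: Equation Editor class name
    "eqnedt_clsid": rb"02ce020000000000c000000000000046",  # Equation Editor CLSID, LE hex
}

# Assumption: a decoy has no embedded object and almost no content once whitespace is removed.
EMPTY_DECOY_MAX_BYTES = 64


def triage_rtf(data: bytes) -> dict:
    """Classify an RTF as not_rtf, empty_decoy, suspicious, or no_indicator."""
    # \objdata hex is often line-wrapped; strip whitespace so patterns span wraps.
    flat = re.sub(rb"\s+", b"", data)
    if not flat.startswith(b"{\\rtf"):
        return {"verdict": "not_rtf", "hits": []}
    has_object = b"\\object" in flat
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, flat, re.IGNORECASE)]
    if not has_object and len(flat) <= EMPTY_DECOY_MAX_BYTES:
        verdict = "empty_decoy"       # geofenced server handed out the decoy
    elif hits:
        verdict = "suspicious"        # carries markers of the exploit documents
    else:
        verdict = "no_indicator"      # has content but none of these markers
    return {"verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for label, sample in (("decoy", DECOY_RTF), ("lure", LURE_RTF), ("eqnedt", EQNEDT_RTF)):
        print(label, triage_rtf(sample))
```

Running the block on a mail gateway's quarantined RTFs lets an analyst separate decoys served to out-of-scope hosts from documents that warrant sandboxing.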
Read at The Hacker News