SideWinder Hacker Group Targets Government & Military Using WarHawk Tool
Zscaler ThreatLabz discovered a new backdoor called ‘WarHawk’ being used by the SideWinder APT threat group to target entities in Pakistan.
The SideWinder group also goes by the names Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17, and has a history of targeting government, military, and business entities across Asia, particularly Pakistan.
“The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and a Pakistan Standard Time zone check in order to ensure a successful campaign,” Zscaler ThreatLabz said.
The Working of the WarHawk Backdoor
Reports state that the ‘WarHawk’ backdoor consists of four modules:
- Download & Execute Module
- Command Execution Module
- File Manager InfoExfil Module
- UploadFromC2 Module
Researchers found the ISO file hosted on the official website of Pakistan’s National Electric Power Regulatory Authority, “nepra[.]org[.]pk”, which may indicate a compromise of its web server.
It disguises itself as a legitimate application to lure unsuspecting victims into executing it. WarHawk also decrypts a set of API & DLL names using a String Decryption Routine that takes the encrypted hex bytes as input and subtracts the key 0x42 from each byte to recover the string.
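As an added illustration (not code from this article or from Zscaler’s report), the following Python routine reverses the string obfuscation described above: hex-decode the input and subtract 0x42 from every byte. The sample table is constructed here by applying the inverse operation to well-known API/DLL names; these are not strings recovered from the malware, and it is an assumption that the author built the table the same way.

```python
KEY = 0x42  # per-byte key named in the article


def decrypt_string(encrypted_hex: str) -> str:
    """Recover a plaintext API/DLL name from WarHawk-style encrypted hex bytes.

    Hex-decodes the input and subtracts 0x42 from every byte.  The subtraction
    wraps modulo 256 so bytes below 0x42 do not go negative.  A result that is
    not clean ASCII is a hint that the key or the input is wrong.
    """
    cleaned = "".join(encrypted_hex.split())
    if len(cleaned) % 2 != 0:
        raise ValueError("encrypted hex string must have an even number of digits")
    raw = bytes.fromhex(cleaned)
    plain = bytes((b - KEY) & 0xFF for b in raw)
    return plain.decode("ascii", errors="replace")


def encrypt_string(plaintext: str) -> str:
    """Inverse of decrypt_string: add 0x42 to each byte and hex-encode.

    Used only to construct sample inputs for this example (assumption: the
    malware's string table was produced with this inverse operation).
    """
    return bytes((b + KEY) & 0xFF for b in plaintext.encode("ascii")).hex().upper()


# Constructed sample table (not strings recovered from WarHawk).  Each entry was
# produced with encrypt_string(): the first is "LoadLibraryA", the second
# "kernel32.dll".
SAMPLE_TABLE = [
    "8EB1A3A68EABA4B4A3B4BB83",
    "ADA7B4B0A7AE757470A6AEAE",
]


def decrypt_table(table):
    """Decrypt every entry of an encrypted string table, preserving order."""
    return [decrypt_string(entry) for entry in table]


if __name__ == "__main__":
    for enc, dec in zip(SAMPLE_TABLE, decrypt_table(SAMPLE_TABLE)):
        print(f"{enc} -> {dec}")
```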
WarHawk Backdoor disguised as a legitimate application
The Download & Execute module is responsible for downloading and executing additional payloads from the remote URL supplied by the CnC server.
The Command Execution module is responsible for executing, on the infected machine, system commands received from the Command & Control server. The File Manager InfoExfil module gathers and sends file manager information, first sending a module initiation request to the CnC server.
The UploadFromC2 module is a new feature added in the latest WarHawk backdoor, allowing the threat actor to upload files to the infected machine from the Command and Control server.
SideWinder Group Infrastructure
Researchers state that the following indicators help establish that the campaign is targeted at Pakistan: ISO files hosted on the website of Pakistan’s National Electric Power Regulatory Authority, advisories released by Pakistan’s Cabinet Division used as a lure, and the time zone check for “Pakistan Standard Time”, which ensures the malware is only executed under Pakistan Standard Time.
“The SideWinder APT Group is constantly evolving their tactics and adding new malware to their arsenal in order to carry out successful espionage attack campaigns against their targets,” the report concludes.
Source credit : cybersecuritynews.com