Rattling the cage of a Sidewinder

TLDR: Read on to see how we programmatically track Sidewinder with multiple vendors

In 2024, CISOs have prepared themselves for the metaphorical Bad Day – getting breached by a threat actor at some point in their tenure. Incident Response retainers are signed, notification plans are written, and the board is bracing for the unknown unknowns.

More than the fear of a single breach, what keeps security up is the nightmare of getting breached by the same group twice. Even on introductory calls this year, CISOs have come armed with specific PIRs – Priority Intelligence Requirements – when it comes to enhancing their ability to detect distinct threat actors. “What can you do to help me defend against Crouching Antfarm?”. Coming from the threat intelligence space, I can say that some specific groups may “matter” more to individual victims than broadly to TI vendors, which makes sense – it’s personal.

With that in mind, we’ve been developing a framework in our product (still in dev) for customers to monitor threat actors leveraging multiple community or paid sources. The concept is that users can create a tracking “case”, and inside the case are queries for different vendors that run daily. It may seem like a foreign concept if you aren’t in the muck, but analysts attuned to a small set of actors develop a strong “gut feeling” when looking at an unknown artifact. They can easily say “yep, that’s X”, or at a lower confidence say “yep, smells like X, but it’s definitely not legit, so let’s block it”.

This blog will focus on daily hunts we want to run to detect “new stuff” from Sidewinder, an active APT group. You can think of this as a cronjob for adversary tracking.

• Searching malware stores for an invocation of a specific word attribute
• Searching malware stores for a repeatable static artifact in a second stage
• Scanning the internet for domains and IPs with a specific HTML <title> or body with ssdeep/sha256
• Watching for new domains to appear on “convicted” name servers or IPs, either in an A record or cert

These indicators are not meant to deliver 100% perfect detections from either the False Positive end of the spectrum or the False Negative, but the volume should be low enough that a human can eyeball the results within a minute or two. The goal is to continually add more low volume/high fidelity searches for a particular group, and to quickly retire indicators that don’t deliver anymore. If you’d like to stay up to date on Sidewinder infra, many folks provide high-fidelity indicators gratis, and especially see Mikhail’s Maltrail tracker.

Recently, a customer was sent the below document, assessed to be from Sidewinder.

Figure 1: initial Sidewinder sample

The typical infection chain looks like the below. The goal of this is to discover new infrastructure elements that can be blocked before an attack happens, or at the very least to be able to quickly triage and recover from Sidewinder compromises. This of course, is only one chain of exploitation – there are others such as starting with an LNK or an IMG.

Figure 2: Sidewinder infection text-to-diagram courtesy d2lang.com

Description of detection ideas for each highlighted (number) above.

• As noted, the DOCX loads an externally hosted RTF file. RTF files are somewhat unusual in modern enterprises, but even more rare is to load external RTFs through a DOCX. In a first iteration of a signature, I may look for something as simple as the string ‘file.rtf" TargetMode=“External”/>’. Don’t overthink the “easy” detection wins, especially when there will be a human in the loop to manually eyeball hits.

Figure 3: highlighted portion we’re trying to match

2. If you’re interested in tracking Sidewinder, you likely have a few successful compromises lying around. For instance, 542fb0e314df639a7eef7ff077ddfd9574e70fb5ed5cbaf31c44d97f77e0c43c. Examining the RTF, we’ll create a few more loose signatures
   • A “blipuid” which corresponds to the system that generated an RTF. In our case, ef8cd5327c3cedb8a5ad8fb6b4706851. This will change for different operators, and as malware generation kits are updated. The point of this process is to create multiple avenues for detection, that can be iterated on as some fall off.
   • Detection of hex-encoded strings useful in the exploit, such as “GetCommandLineW”.
   • Detection of hex-encoded XOR 0x12 strings, such as ‘javascript:eval("v=ActiveXObject;’ → ‘xsdsaq`{bf(wds~:0d/Sqf{dwJ]pxwqf)’ →787364736171607B6266287764737E3A30642F5371667B64774A5D707877716629

Figure 4: Areas of the second stage RTF to be matched

3. Sidewinder has certain protections to prevent non-targeted entities from getting their next stage payload, such as IP and user-agent filtering. When a non-targeted user tries to fetch the payload, Sidewinder sends them a dummy 8 byte RTF represented by the below. Looking at infra that is serving this RTF is a good indicator for a potential bingo.

Figure 5: 8 byte decoy RTF

4. • 5. When the server is up, and one of the c2 components is not active, the server sends back a 404, but the NGINX response is fingerprint-able. The content appears the same as many other 404 pages, but has artifacts that are sig-able due to the spacing. Vendors, such as Silent Push https://www.silentpush.com/community-edition/ (API and Web) and Censys (Web) offer community offerings for individuals which are suitable to run small numbers of investigations.

Below, we’ll demonstrate the output from each signature step, and what the intended output is. Although the sig overlaps decrease as the infrastructure becomes more foreign, clear patterns still emerge.

A demo of infrastructure discovery in the product, based either on first-principles scanning, or by ingestion of paid of free structured intel feeds.

Figure 9: StrikeReady’s CARA F5-ing the way to victory

Figure 10: In addition to leveraging any paid service you may already be subscribing to

For an easier to parse list of indicators, please our GitHub page.You can read more about Sidewinder here. Lastly, If you are a vendor, and wish to provide a statement of suspected attribution, please drop us a note, and we’ll add it for posterity.

Figure 11: Other validated vendor names for this actor

Acknowledgements

The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, or would like to collaborate on research.

Appendix:

YARA sig from signature 3:

rule  SRPCont_RTFDocument_Javascript
                {
                     meta:
                         description  =  "Detects specific Javascript in RTF document"
                         author  =  "StrikeReady"
                     strings:
                         $a1  =  "function squareResettingSplit_format(str)"
                         $a2  =  "function xe3_ContentFUNC_ERROR_TEXT"
                         $b1  =  "var temp = chars.slice(i, i + l);"
                         $b2  =  "temp = temp.reverse();"
                         $a3  =  "function numbersWordNormalizeType(str, key"
                         $a4  =  "numbersWordNormalizeType(\"J[nj$7I\")"
                         $a5  =  "function VideoTagOptionsGivenWebP(str, key)"
                     condition:
                         any  of  ($a*)  or  all  of  ($b*) 
                }