CyberThreatIntel/Indian/APT/SideWinder/25-12-19/analysis.md
2019-12-27 14:09:56 +01:00


SideWinder: same targets, same TTPs, time to counter-attack!

Table of Contents

Malware analysis

The initial vector

Threat Intelligence

Cyber kill chain

The process graph below summarises the cyber kill chain used by the attacker:

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

| Indicator | Description |
| --- | --- |

The IOCs can be exported in JSON

References MITRE ATT&CK Matrix

| Enterprise tactic | Technique used | Ref URL |
| --- | --- | --- |
| Execution | Execution through Module Load | https://attack.mitre.org/techniques/T1129/ |
| Execution | Exploitation for Client Execution | https://attack.mitre.org/techniques/T1203/ |
| Persistence | Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1060/ |
| Discovery | Query Registry | https://attack.mitre.org/techniques/T1012/ |

This table can be exported in JSON format: Export in JSON
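The persistence row above (T1060, Registry Run Keys / Startup Folder) is the one an analyst can check for directly on a suspect host. The script below is an added example, not part of the original SideWinder report or of the CyberThreatIntel repository: it enumerates the standard Run/RunOnce keys and both Startup folders and flags entries whose command lives outside Program Files or Windows, so the output can be compared against the report's IOC list. The list of registry paths and the "outside Program Files / Windows" heuristic are assumptions for triage, not indicators from the report.

```powershell
# Added example (not from the SideWinder report): enumerate the autostart
# locations covered by ATT&CK T1060 (Registry Run Keys / Startup Folder)
# so the entries can be compared against the report's IOC list.

# Assumed set of Run/RunOnce keys to inspect (64-bit and WOW6432Node views).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders, resolved through the shell API.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty attaches PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $findings += [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
        }
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    # -Force includes hidden files, a common trick for startup-folder persistence.
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $findings += [pscustomobject]@{
            Location = $folder
            Name     = $_.Name
            Command  = $_.FullName
        }
    }
}

# Triage heuristic (assumption, not a verdict): autostart commands that do not
# resolve under Program Files or Windows deserve a closer look against the IOCs.
$trustedRoots = '^"?[A-Za-z]:\\(Program Files|Program Files \(x86\)|Windows)\\'
$suspicious = $findings | Where-Object { $_.Command -notmatch $trustedRoots }

Write-Host "All autostart entries:"
$findings | Format-Table -AutoSize
Write-Host "`nEntries outside Program Files / Windows (review against the IOC list):"
$suspicious | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and the all-users Startup folder are readable; entries under a user profile directory (for example AppData) are exactly the ones to hash and match against the IOC table above.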

Yara Rules

A list of YARA rules is available here

Knowledge Graph

The following diagram shows the relationships between the techniques used by the group and the corresponding malware:

Links

Original tweet:
Links Anyrun:
Resources: