SideWinder, also known as APT-C-17 or Rattlesnake, frequently targets Pakistan with harmful cyberattacks and is doing so again. With malware named WarHawk, the hackers have now attacked the main website of the National Electric Power Regulatory Authority (NEPRA).
Cybersecurity researchers at Zscaler ThreatLabz discovered the breach. Here is what they had to say about WarHawk, which was specifically designed to strike Pakistan.
To guarantee a successful campaign, the newly found WarHawk backdoor incorporates multiple malicious modules that deliver Cobalt Strike, combining new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone verification.
Rattlesnake is thought to be an Indian government-backed hacking organization. However, prior Kaspersky reports have indicated that the information that led to the attribution has since vanished, making it difficult to trace the hackers to India. At the same time, Indian hackers have repeatedly attacked Pakistani institutions in recent years, so this would be no surprise.
How Does It Work?
Zscaler detected Rattlesnake’s latest strike on Pakistan in September. A weaponized ISO file uploaded to NEPRA’s website triggered a kill chain that delivered the WarHawk backdoor. The artifact also served as a decoy to conceal the assault by displaying a genuine advisory issued by Pakistan’s Cabinet Division on July 27, 2022.
WarHawk masquerades as legitimate, well-known software such as ASUS Update Setup or Realtek HD Audio Manager, which is already installed on many Windows PCs. It tricks unwitting users into launching the app, which executes malware that exfiltrates system metadata to a remote server.
The execution chain also includes a second-stage payload that validates whether the device’s time zone corresponds to Pakistan Standard Time (PST). Execution terminates if the time zone does not match.
The attack involves considerably more technical detail, but in a nutshell, it can steal important data from a computer behind the administrator’s back by posing as innocuous software.
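A defender-side heuristic for the delivery chain described above, written as an added example (not Zscaler's or the article's own code): it flags process-creation records whose image name impersonates the software WarHawk is reported to masquerade as but which were launched from the root of a freshly mounted drive, the shape a mounted ISO presents. The event structure, the vendor install directories, the fixed-drive list and the "root of a non-fixed drive equals ISO mount" rule are all assumptions.

```python
import re
from dataclasses import dataclass

# Product names WarHawk is reported to masquerade as (from the article).
IMPERSONATED_NAMES = ("asus update", "realtek hd audio")
# Where the genuine products would normally be installed (assumption).
VENDOR_DIRS = (r"c:\program files\asus", r"c:\program files\realtek")
# Drive letters that are never ISO mounts on the monitored hosts (assumption).
FIXED_DRIVES = ("c",)


@dataclass
class ProcessEvent:
    """Simplified, constructed process-creation record (Sysmon-like)."""
    image: str         # full path of the executed binary
    parent_image: str  # full path of the parent process


def launched_from_removable_root(path: str) -> bool:
    """True for paths like 'E:\\Something.exe': an executable sitting in the
    root of a non-fixed drive, which is how a mounted ISO typically looks
    to the user (assumption: no subdirectory inside the image)."""
    m = re.fullmatch(r"([a-z]):\\[^\\]+\.exe", path.lower())
    return m is not None and m.group(1) not in FIXED_DRIVES


def classify(ev: ProcessEvent) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    image = ev.image.lower()
    if not any(name in image for name in IMPERSONATED_NAMES):
        return "none"                      # not impersonating a known product
    if any(image.startswith(d) for d in VENDOR_DIRS):
        return "none"                      # genuine install location
    if launched_from_removable_root(ev.image):
        return "high"                      # impersonating name + ISO-style mount
    return "medium"                        # impersonating name outside vendor dir


def scan(events):
    """Return (image, severity) for every event that is not 'none'."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev != "none":
            hits.append((ev.image, sev))
    return hits


# Constructed sample telemetry: one benign install, one ISO-style lure,
# one impersonating binary dropped in a user directory.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\ASUS\Update\AsusUpdate.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"E:\ASUS Update Setup.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\Downloads\Realtek HD Audio Manager.exe", r"C:\Windows\explorer.exe"),
]
```

Because the second stage only runs when the clock is on Pakistan Standard Time, a sandbox detonating a sample from this campaign should be set to UTC+5 or the payload will simply exit.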
This attack targeted numerous important Pakistani government agencies, including SNGPL, NADRA, FIA, Customs, the National Health Desk, and the Ministry of Foreign Affairs.
According to the researchers, the SideWinder APT group is constantly upgrading its techniques and adding new malware to its arsenal in order to conduct effective espionage operations against its targets.