SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

The threat actor known as SideWinder has added a new custom tool
to its arsenal of malware that’s being used in phishing attacks
against Pakistani public and private sector entities.

“Phishing links in emails or posts that mimic legitimate
notifications and services of government agencies and organizations
in Pakistan are primary attack vectors of the gang,”
Singapore-headquartered cybersecurity company Group-IB said^[1]
in a Wednesday report.

SideWinder, also tracked under the monikers Hardcore
Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been
active since at least 2012 with a primary focus on Pakistan and
other Central Asian countries like Afghanistan, Bangladesh, Nepal,
Singapore, and Sri Lanka.

Last month, Kaspersky attributed^[2]
to this group over 1,000 cyber attacks that took place in the past
two years, while calling out its persistence and sophisticated
obfuscation techniques.

The threat actor’s modus operandi involves the use of
spear-phishing emails to distribute malicious ZIP archives
containing RTF or LNK files, which download an HTML Application
(HTA) payload from a remote server.

This is achieved by embedding fraudulent links that are designed
to mimic legitimate notifications and services of government
agencies and organizations in Pakistan, with the group also setting
up lookalike websites posing as government websites to harvest user
credentials.

The custom tool identified by Group-IB, dubbed
SideWinder.AntiBot.Script, acts as a traffic direction system
diverting Pakistani users clicking on the phishing links to rogue
domains.

Should a user whose client’s IP address differs from Pakistan’s
tap on the link, the AntiBot script redirects to an authentic
document located on a legitimate server, indicating an attempt to
geofence its targets.

“The script checks the client browser environment and, based on
several parameters, decides whether to issue a malicious file or
redirect to a legitimate resource,” the researchers said.

Of special mention is a phishing link that downloads a VPN
application called Secure VPN (“com.securedata.vpn”) from the
official Google Play store in an attempt to impersonate the
legitimate Secure VPN app (“com.securevpn.securevpn”).

While the exact purpose of the fake VPN app remains unclear,
this is not the first time SideWinder has sneaked past Google Play
Store protections to publish rogue apps under the pretext of
utility software.

In January 2020, Trend Micro detailed^[3]
three malicious apps that were disguised as photography and file
manager tools that leveraged a security flaw in Android (CVE-2019-2215^[4]) to gain root privileges
as well as abuse accessibility service permissions to harvest
sensitive information.