More than 1,000 new attacks have been launched by the SideWinder APT group, also known as T-APT-04 or Rattlesnake, since April 2020, indicating the group's newfound aggression since it began operations a decade ago, The Hacker News
SideWinder's attacks have been substantial not only in their number or frequency but also in their persistence as the group leverages a massive arsenal of encrypted and obfuscated components, according to a report from Kaspersky, which also noted the group's expanding targets and its exploitation of the ongoing conflict between Russia and Ukraine
in phishing campaigns.
The report also revealed that SideWinder has been exploiting a remote code flaw in Microsoft Office's Equation Editor, tracked as CVE-2017-11882, for malicious payload deployment, with its three-stage infection chain beginning with the launching of an HTML Application payload prior to the deployment of a second-stage HTA component that then triggers a .NET-based installer with persistence and final backdoor loading duties. SideWinder has also been using at least 400 domains and subdomains in attacks since 2020.
"This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques," said Kaspersky's Noushin Shabab.