Server-based polymorphism leveraged in new SideWinder APT attacks

Suspected Indian state-backed advanced persistent threat operation SideWinder also known as APT-C-17, T-APT-4, APT-Q-39, Rattlesnake, Hardcore Nationalist, and Razor Tiger has been utilizing server-based polymorphism to facilitate next-stage backdoor delivery in a cyberattack campaign that initially targeted Pakistan government entities in late November before setting sights on Turkey beginning in March, reports The Hacker News. Attacks by SideWinder involved the use of Pakistan Navy War College lure documents that leverage remote template injection to facilitate the retrieval of an RTF file that would only have the malicious code if requested by a user with an IP address in Pakistan, according to a BlackBerry report. Such use of two RTF file versions shows the use of server-based polymorphism aimed at evading detection from antivirus systems. "The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey's support of Pakistan and the ensuing reaction from India," said BlackBerry researchers.