Skip Navigation
BlackBerry Blog

SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey

Summary

The BlackBerry Threat Research and Intelligence team has been actively tracking and monitoring the SideWinder APT group, which has led to the discovery of their latest campaign targeting Pakistan government organizations.

In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload.

Brief MITRE ATT&CK® Information

Tactic

Technique

Execution

T1204.002, T1059.007, T1203, T1047

Defense Evasion

T1480, T1221, T1027, T1140

Command and Control

T1105, T1071.001

Discovery

T1518.001


Weaponization and Technical Overview

Weapons

Obfuscated JavaScript, PE executable

Attack Vector

Weaponized document used for targeted attack

Network Infrastructure

DDNS

Targets

Pakistan Government organizations


Technical Analysis

Context

The SideWinder APT group, also known as Razor Tiger, Rattlesnake, and T-APT-04, has been actively targeting Pakistan government organizations since at least 2012.

One of the oldest nation-state threat actors, SideWinder is believed to originate from India. Active since at least 2012, the group has been observed targeting military, government, and business entities, with a particular focus on Pakistan, Afghanistan, China, and Nepal. SideWinder primarily makes use of email spear-phishing, document exploitation, and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants.  

Through our threat hunting efforts, the BlackBerry Threat Research and Intelligence team discovered a new malware campaign by the SideWinder group. This campaign utilized a server-side polymorphism technique. The use of this technique allows the threat actor to potentially bypass traditional signature-based antivirus (AV) detection to deliver the next stage payload.

Attack Vector

MD5

SHA256

666b2b178ce52e30be9e69de93cc60a9

cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be

File Name

GUIDELINES FOR JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx

File Size

12.81 KB (13115 bytes)

Created

2022-11-30 04:52:00 UTC

Author

Windows User

Last Modified

2022-11-30T05:44:00Z

Last Modified by

Windows User


What is Server-Side Polymorphism?

Server-side polymorphism is a technique used by threat actors and other distributors of malware to attempt to evade detection by antivirus scanners. Polymorphic (literally “many shapes”) malware is malicious code that alters its appearance through encryption and obfuscation, making sure that no two samples look the same. It is hard for traditional or legacy AV software based on signatures to catch this type of malware, because the transformation code is not visible for security analysis. Although futuristic-sounding, it’s actually an older technique that has been used by threat actors since the early 1990s.  

Campaign Analysis

The SideWinder APT group’s new campaign leveraging server-side polymorphism to deliver the next stage payload began in late November 2022. The malicious documents used in this campaign were created to target Pakistan government officials. The documents were designed to trick Pakistan officials by displaying convincing content relevant to their interests.

During the investigation, the BlackBerry Threat Research and Intelligence team analyzed the documents used by the threat group to identify various artefacts used in this campaign to potentially locate other files of interest. The first malicious lure we examined was a document titled “GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)”.

Figure 1: Malicious lure document targeting Pakistan officials
 

MD5

SHA256

3b853ae547346befe5f3d06290635cf6

bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f

File Name

PK_P_GAA_A1_Offerred.docx

File Size

36.35 KB (37220 bytes)

Created

2022-12-06 05:24:37 UTC

Author

Windows User

Last Modified

2022-12-06T05:24:37Z

Last Modified by

Windows User


Another malicious document that was used in early December 2022 was titled “PK_P_GAA_A1_Offerred.docx”. In this instance, the document was eight pages in length and pretended to be a letter of offer and acceptance “for the purchase of defense articles, defense services, or both.”

Figure 2: First malicious lure sent by the SideWinder APT group

Notably, none of the documents used an embedded malicious macro code to deliver the next stage payload; instead, the threat group exploited the CVE-2017-0199 vulnerability (remote template injection). 

The “GUIDELINES FOR JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).doc“ malicious lure template was instructed to reach out to the remote address of “hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf”. The “pnwc[.]bol-north[.]com” domain in this instance resolves to the IP address 5.230.73[.]106.

Figure 3: The URL for the next stage download

The “PK_P_GAA_A1_Offerred.docx” malicious lure template was instructed to reach out to the remote address of “hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf” to download the next stage. The “paknavy-gov-pk[.]downld[.]net” domain resolves to the IP address 185.205.187[.]234.

Figure 4: URL for next stage download

During the time when the malicious server was active, this threat group had set their servers in a way that if the user/victim enters part of the malicious URL into their browser, they will be redirected to the legitimate Pakistan Navy home page, which is hxxps[:]//www[.]paknavy[.]gov[.]pk. It is important to note that the malicious server is no longer active.

Figure 5: Legitimate Pakistan Navy website. The victim is redirected to this site from a malicious page.

In early March, we discovered a new document that was also spread through phishing emails. The peculiarity of this OLE document was that it contained the address of the connection to the malicious server, which was also configured to connect to victims from Turkey.

MD5

SHA256

b7e63b7247be18cdfb36c1f3200c1dba

8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad

File Name

Product.docx

File Size

579.69 KB (593604 bytes)

Created

2023-03-07 13:54:00 UTC

Author

user

Last Modified

2023-03-07T13:56:00Z

Last Modified by

user


Weaponization

The next stage payload “file.rtf”, a rich text document file, can only be downloaded by users in the Pakistani IP range. It is important to note that in both instances, only the name of the file “file.rtf” and the file type are the same; however, the contents, file size and the file hash are different. This is an example of server-based polymorphism, where each time the server responds with a different version of file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection).

If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) that contains a single string: {\rtf1 }. However, if the user is within the Pakistani IP range, the server then returns the RTF payload, which varies between 406KB – 414KB in size.

Figure 6: "file.rtf" malicious payload

Loader

Having listed the existing objects in the “file.rtf” file that was obtained from “paknavy-gov-pk[.]downld[.]net” domain, the “1.a” object was extracted for further analysis.

Figure 7: "1.a" object overview

During the malware execution chain, this object is saved under the “C:\Users\user\AppData\Local\Temp\1.a” location on the victim’s machine. The “1.a” file is an obfuscated JavaScript.

Figure 8: De-obfuscated strings

There are two things that stand out from our analysis – the base64 encoded data blob, and two URLs. The base64 data blob decodes to Win32 DLL(App.dll), and the two URLs are used for further communications with the threat actor.

Figure 9: URLs used for further communications with SideWinder

Agent

The previously mentioned base64 encoded data blob is a .NET compiled Win32 DLL called “App.dll”.

Hashes (md5, sha-256)

8934f22ed2d4390f2e6170e4cfdbd483

8b718a15f76768ba29849a5f4a6ca0ff1d9c8ba7bcdc9d89efc792fe20e9fdb5

ITW File Name

App.dll

Compilation Stamp

Fri Nov 16 02:26:21 2074

File Type/Signature

DLL

File Size

139339 (bytes)

Compiler Name/Version

Microsoft Visual C# / Basic .NET


To further avoid static signature-based detection, the “App.dll” file is obfuscated in the same way as the majority of other files and scripts uncovered in this campaign.

Figure 10: "App.dll" file

The “App.dll” file is launched by earlier stage JavaScript code. The JavaScript deserializes the .NET binary and passes a URL to the executable's “Work()” function. This function makes a request to the URL and attempts to decrypt and then execute the response. In other words, the .NET executable can retrieve the next stage code and execute it.

Network Infrastructure

SideWinder’s campaign command-and-control (C2) infrastructure is only live for short periods of time. Non-Pakistani IP responses from the systems hosting RTF files have been identical since at least January 2021, with an 8-byte file with {\rtf1 } as the content. Following the relationships in VirusTotal shows the distribution infrastructure and the longevity of similar campaigns. 28 domains have been seen in the wild hosting this empty RTF file, all with similar URLs used for hosting.

For these campaigns, SideWinder also uses predictable URL structures when hosting their malicious files:

  • First stage - */2/0/0/*/files-*/(hta|file.rtf)
  • Second stage - */3/1/1/*/files-*/

The longevity of these tactics, techniques, and procedures (TTPs) – nearly 2 years – gives us confidence that they can be utilized for the detection of future campaigns.

In mid-March 2023, we discovered a new configured server delivering the payload. This server was different in that it was configured so that a victim in Turkey could receive a second-stage payload. This shows that this threat actor is also now targeting organizations in Turkey.

Targets

The SideWinder group’s main target remains Pakistan government organizations. The campaign investigated by BlackBerry in early March 2023 identified Turkey as a new target.

Attribution

The SideWinder APT group’s primary targets are in Southeast Asia regions such as Pakistan and Sri Lanka; however, government institutions in Pakistan still remain their main target of interest.

Conclusions

This report discussed the SideWinder group’s targeted attack carried out in early December 2022. The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey’s support of Pakistan and the ensuing reaction from India.

The BlackBerry Threat Research and Intelligence team is actively monitoring this threat group’s tooling and malicious files. All the files and network artefacts we identified in this campaign have been listed in the Appendix below for the benefit of defenders and cybersecurity professionals. We hope this data will help provide protection and prevention measures going forward.
 

APPENDIX 1 – Indicators of Compromise (IoCs)

Indicator Type

Indicator

MD5

b7e63b7247be18cdfb36c1f3200c1dba

SHA256

8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad

MD5

5efddbdcf40ba01f1571140bad72dccb

SHA256

a45258389a3c0d4615f3414472c390a0aabe77315663398ebdea270b59b82a5c

MD5

3b853ae547346befe5f3d06290635cf6

SHA256

bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f

MD5

666b2b178ce52e30be9e69de93cc60a9

SHA256

cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be

MD5

ef00004a1ebc262ffe0fb89aa5524d42

SHA256

a3283520e04d7343ce9884948c5d23423499fa61cee332a006db73e2b98d08c3

MD5

6c7d24b90f3c6b4383bd7d08374a0c6f

SHA256

4db0a2d4d011f43952615ece8734ca4fc889e7ec958acd803a6c68b3e0f94eea

MD5

73750f08265bbe80c3f235318bcef6fe

SHA256

bc3c6f9d51e2bdb37e03b01e2949f72836ecee4230e2320c5dc33a83b55b062f

MD5

16341fcff1bc7388387fd17b4b3a7a50

 

cf1f4ec1d7db6cf1fe8e15687b348a279889689fa9c387de4a2c310c34336f9f

MD5

1c62441de076eb5a5b2e1f8146767777

SHA256

75079e408ca9517825ffac396680a2d2169d691be3f1adbbd797e05e665c6fde

MD5

dacdb33b6e9de4c1fe8591bb5a65c55c

SHA256

cde768a4cf95e58f0e98e2bcca0663fd2c1a36510f6010065b4f54169a92e207

MD5

709e6a64735432c25cafb89951cc149c

SHA256

a2a9fd1db7f1dc196fa8af0669ea72d1f8ae48bf4775108ee746e0f83c5a7498

URL

hxxps[:]//paknavy-gov-pkp[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf

URL

hxxps[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf

IP

185.205.187[.]234

IP

5.230.73[.]106

URL

https[:]//cstc-spares-vip-163.dowmload[.]net/14668/1/1228/2/0/0/0/m/files-403a1120/file[.]rtf

URL

https[:]//mtss.bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file[.]rtf

URL

https[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf

URL

hxxts[:]//paknavy-gov-pk[.]downld[.]net/14578/1/6277/2/0/0/0/m/files-75dc2b1e/file[.]rtf

URL

hxxts[:]//pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file[.]rtf

URL

hxxts[:]//sl-navy[.]office-drive[.]live/45/1/334/2/0/0/0/m/files-fe9dade2/file[.]rtf

URL

hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5041/2/0/0/0/m/files-dd96433f/file[.]rtf

URL

https[:]//forecast[.]comsats-net[.]com/5760/1/5039/2/0/0/0/m/files-d7c7dda1/file[.]rtf

URL

hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5035/2/0/0/0/m/files-4a0480ae/file[.]rtf

URL

hxxts[:]//moma[.]comsats-net[.]com/5753/1/4375/2/0/0/0/m/files-8062311a/file[.]rtf

URL

hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5040/2/0/0/0/m/files-f3b20b30/file[.]rtf

URL

hxxts[:]//forecast[.]comsats-net[.]com/5760/1/5036/2/0/0/0/m/files-2ad09cbd/file[.]rtf

URL

hxxts[:]//moma[.]comsats-net[.]com/5753/1/4371/2/0/0/0/m/files-b62d382f/file[.]rtf

URL

hxxts[:]//srilanka-navy[.]lforvk[.]com/135/1/334/2/0/0/0/m/files-4fdaf6c7/file[.]rtf

URL

hxxts[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files-3d1dff0f/file[.]rtf

URL

hxxts[:]//dgms[.]paknavy-gov[.]com/5733/1/5051/2/0/0/0/m/files-73bdca4d/file[.]rtf

URL

hxxts[:]//mofadividion[.]ptcl-gov[.]com/5724/1/3268/2/0/0/0/m/files-11e30891/file[.]rtf

URL

hxxts[:]//ksew[.]kpt-gov[.]org/5663/1/3275/2/0/0/0/m/files-937950ad/file[.]rtf

URL

hxxts[:]//ministryofforeignaffairs-mofa-gov-pk[.]dytt88[.]org/14444/1/2454/2/0/0/0/m/files-9ba90b7f/file[.]rtf

URL

hxxt[:]//bdmil[.]alit[.]live/3398/1/50073/2/0/0/0/m/files-ac995f17/file[.]rtf

URL

hxxt[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf

URL

hxxts[:]//navy-mil-bd[.]jmicc[.]xyz/5625/1/8145/2/0/0/0/m/files-b11074b7/file[.]rtf

URL

hxxts[:]//paknavy[.]jmicc[.]xyz/5627/1/4367/2/0/0/0/m/files-9e0912cc/file[.]rtf

URL

hxxt[:]//bdmil[.]alit[.]live/3398/1/54346/2/0/0/0/m/files-491dc489/file[.]rtf

URL

hxxts[:]//paknavy[.]comsats[.]xyz/5552/1/5037/2/0/0/0/m/files-1b5c7556/file[.]rtf

URL

hxxts[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf

URL

hxxt[:]//mofa-gov[.]interior-pk[.]org/14419/1/6/2/0/0/0/m/files-07b01f9b/file[.]rtf

URL

hxxts[:]//paknavy[.]paknavy[.]live/5516/1/4367/2/0/0/0/m/files-db71f6b3/file[.]rtf

URL

hxxts[:]//mofabn[.]ksewpk[.]com/5511/1/4993/2/0/0/0/m/files-18e5db65/file[.]rtf

URL

hxxt[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf

URL

hxxts[:]//srilankanavy[.]ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file[.]rtf

URL

hxxt[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf

URL

hxxts[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf

URL

hxxt[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf

URL

hxxts[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf

URL

hxxt[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf

URL

hxxts[:]//cabinet-gov-pk[.]ministry-pk[.]net/14300/1/1273/2/0/0/0/m/files-68ebf815/file[.]rtf

URL

hxxts[:]//dgpr[.]paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file[.]rtf

URL

hxxts[:]//careitservices[.]paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files-266ad911/file[.]rtf

URL

hxxts[:]//defencelk[.]cvix[.]live/3023/1/54082/2/0/0/0/m/files-0c31ed2d/file[.]rtf

URL

hxxt[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file[.]rtf

URL

hxxts[:]//mohgovsg[.]bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file[.]rtf

URL

hxxts[:]//sppc[.]moma-pk[.]org/5281/1/4265/2/0/0/0/m/files-d2608a99/file[.]rtf

URL

hxxps[:]//mailrta.mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf

URL

http[:]//mailnavybd.govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf

URL

hxxts[:]//mailaplf[.]cvix[.]live/2968/1/50390/2/0/0/0/m/files-7630e91a/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf

URL

hxxt[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf

URL

hxxt[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5792/2/0/0/0/m/files-da7756e4/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5776/2/0/0/0/m/files-175c56e7/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5783/2/0/0/0/m/files-a26663eb/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5780/2/0/0/0/m/files-20bba5af/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5785/2/0/0/0/m/files-76f11745/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5788/2/0/0/0/m/files-3acec3be/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5782/2/0/0/0/m/files-78d7e141/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5796/2/0/0/0/m/files-97e02960/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5795/2/0/0/0/m/files-c9dddc54/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5790/2/0/0/0/m/files-a3d0041a/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5773/2/0/0/0/m/files-5a31d681/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5799/2/0/0/0/m/files-03dd18bd/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5781/2/0/0/0/m/files-62caea91/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5804/2/0/0/0/m/files-c43dece3/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5794/2/0/0/0/m/files-60cb1621/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5775/2/0/0/0/m/files-fca3cc50/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5778/2/0/0/0/m/files-27d5c7d3/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5787/2/0/0/0/m/files-fb528413/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5786/2/0/0/0/m/files-5def1d52/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5798/2/0/0/0/m/files-c3178f3d/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5779/2/0/0/0/m/files-2f2e186d/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5789/2/0/0/0/m/files-8822f8ff/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5777/2/0/0/0/m/files-7f2e758b/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5791/2/0/0/0/m/files-bda6f896/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5769/2/0/0/0/m/files-2f6b9c9a/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5774/2/0/0/0/m/files-12eca223/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5772/2/0/0/0/m/files-84c4942a/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5771/2/0/0/0/m/files-5995311a/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5797/2/0/0/0/m/files-875e140b/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5784/2/0/0/0/m/files-94153639/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5770/2/0/0/0/m/files-2d21c32e/file[.]rtf

URL

hxxts[:]//slpa[.]mod-gov[.]org/5946/1/5793/2/0/0/0/m/files-f2d0617e/file[.]rtf

URL

hxxts[:]//mailrta[.]mfagov[.]org/3818/1/53382/2/0/0/0/m/files-c78a6966/file[.]rtf

URL

hxxt[:]//promotionlist[.]comsats-net[.]com/5756/1/8887/2/0/0/0/m/files-3d1dff0f/file[.]rtf

URL

hxxts[:]//mailnavymilbd[.]govpk[.]net/5848/1/13/2/0/0/0/m/files-57d837e4/file[.]rtf

URL

hxxt[:]//mailnavybd[.]govpk[.]net/5845/1/12/2/0/0/0/m/files-ca78574e/file[.]rtf

Domain

slpa.mod-gov[.]org

IP

62.113.255[.]80

Domain

mailrta.mfagov[.]org

IP

194.61.121[.]216

Domain

promotionlist.comsats-net[.]com

IP

5.255.104[.]32

Domain

mailnavybd.govpk[.]net

IP

5.255.112[.]194

Domain

mailnavymilbd.govpk[.]net


APPENDIX 2 – Applied Countermeasures

YARA Rules

Available upon request (see below).


Suricata Rules

Available upon request (see below).


Disclaimer: 
The private version of this report is available upon request. It includes but is not limited to the complete and contextual MITRE ATT&CK® mapping, MITRE D3FEND™ countermeasures, Attack Flow by MITRE, and other threat detection content for tooling, network traffic, complete IOCs list, and system behavior. Please email us at cti@blackberry.com for more information.
 

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.