Rising captures an APT attack by the SideWinder group against the Nepalese government

Mondo International Updated on 2024-01-30

Recently, the Rising threat intelligence platform captured an attack on Nepal**. Comparative analysis attributed the incident to the SideWinder group. The group sent a phishing email carrying a forged prime minister's itinerary to the Nepalese ** agency to lure the target into opening it, thereby activating a remote-control backdoor and stealing ** confidential information.

At present, the Rising Endpoint Threat Detection and Response System (EDR) can visually reconstruct the attack event. Through its threat investigation function, users can trace and reconstruct the entire attack from any node or key element and understand each step of the process, thereby improving their ability to prevent cyber attacks.

According to Rising security experts, SideWinder is a threat group that has been conducting cyber attacks since at least 2012 and is also tracked as T-APT-04, RattleSnake and APT-C-17; it is one of the most active groups today. The group is mainly engaged in information theft and espionage, and its targets are concentrated in China, Pakistan, Afghanistan, Sri Lanka, Myanmar and other countries, spanning most sectors and including defense, healthcare and technology companies. According to Rising's monitoring, the SideWinder group had previously impersonated *** and the Ministry of Commerce to launch phishing attacks against domestic ** agencies, without success.

In this incident, the attacker emailed a forged "Nepal Prime Minister Pushpa Kamal Dahal's itinerary information" document to Nepal** agencies to win the trust of the relevant personnel. Once the recipient opens the email attachment, a malicious macro** runs and drops the backdoor and a script file. When the script launches the backdoor, the backdoor communicates with the attacker's server over HTTP, receives the attacker's instructions, remotely controls the victim's computer, and steals confidential information and data.

The backdoor used by the attacker is written in the Nim language. Its advantage for the attacker is that it increases the difficulty of analysis for security personnel and lowers the detection rate of security software; Nim is a newer development language favored by many attack groups.
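The chain described above (Office document, malicious macro, dropped script, dropped backdoor, HTTP command-and-control) is exactly what an EDR "trace from any node" view reconstructs from process-creation and network telemetry. The following is an added example, not Rising's product code or anything from the SideWinder sample: it assumes a simplified, hypothetical event schema (`process_create` / `network_connect` dicts), and the sample events, process names such as `update_helper.exe` and the TEST-NET address 203.0.113.10 are constructed for illustration.

```python
"""Reconstruct a macro -> script host -> backdoor -> HTTP C2 chain from endpoint telemetry.

Added example; the event schema is an assumed, simplified EDR telemetry format,
and SAMPLE_EVENTS below are constructed, not real incident data.
"""
from collections import defaultdict

# Process images that are expected to open phishing attachments and that are
# not expected to spawn script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts a malicious macro typically uses to run a dropped script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Plain-HTTP ports; the article says the backdoor talks to its server over HTTP.
HTTP_PORTS = {80, 8080}


def build_process_tree(events):
    """Index process_create events by pid; each record keeps its ppid."""
    return {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}


def lineage(procs, pid):
    """Walk from any node back to the root: list of images, child first.
    This is the 'trace from any node' operation an EDR investigation view offers."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def find_macro_c2_chains(events):
    """Return every chain where an Office process spawned a script host and a
    descendant of that script host then connected out over plain HTTP."""
    procs = build_process_tree(events)
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])

    # Step 1: Office application spawning a script host (macro execution).
    suspects = [p["pid"] for p in procs.values()
                if p["image"] in SCRIPT_HOSTS
                and procs.get(p["ppid"], {}).get("image") in OFFICE_APPS]

    hits = []
    for spid in suspects:
        # Step 2: collect all descendants of the script host (the dropped backdoor).
        stack, descendants = [spid], set()
        while stack:
            cur = stack.pop()
            descendants.add(cur)
            stack.extend(children.get(cur, []))
        # Step 3: any of those processes beaconing over HTTP closes the chain.
        for ev in events:
            if (ev["type"] == "network_connect" and ev["pid"] in descendants
                    and ev["dport"] in HTTP_PORTS):
                hits.append({
                    "root_pid": procs[spid]["ppid"],
                    "beacon_pid": ev["pid"],
                    "dest": ev["dest"],
                    "chain": list(reversed(lineage(procs, ev["pid"]))),
                })
    return hits


# Constructed telemetry: a benign browser session plus the phishing chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 500, "ppid": 100, "image": "chrome.exe"},
    {"type": "network_connect", "pid": 500, "dest": "198.51.100.7", "dport": 443},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "wscript.exe"},
    # Hypothetical dropped backdoor name; the real sample's filename is not given.
    {"type": "process_create", "pid": 400, "ppid": 300, "image": "update_helper.exe"},
    {"type": "network_connect", "pid": 400, "dest": "203.0.113.10", "dport": 80},
]

if __name__ == "__main__":
    for hit in find_macro_c2_chains(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]), "beacons to", hit["dest"])
```

The port-based HTTP check is deliberately crude; in production the network step would be enriched with destination reputation and beacon periodicity, and the parent check should also cover Office spawning an unknown binary directly, since not every dropper goes through a script host. The value of the process-tree walk is that it ties the beaconing process back to the attachment regardless of which node the analyst starts from.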

Rising security experts said that, since China is among the SideWinder group's main targets, the relevant departments and key national industries should stay vigilant and guard against the theft of confidential information and data through phishing emails and remote-control backdoors.

1. Do not open suspicious files.

Do not open suspicious files or messages from unknown ** to prevent social engineering and phishing attacks.

2. Deploy EDR and NDR products.

Use threat intelligence to trace the trajectory of threat behavior: analyze the behavior, locate the source and purpose of the threat, trace the attack's means and path, address the threat at its source, and discover as many compromised nodes as possible so that response and remediation are faster.

3. Install effective anti-virus software to block and remove malicious documents and programs.

Anti-virus software can intercept malicious documents and programs; if a user accidentally downloads a malicious file, the anti-virus software can intercept and remove it, prevent the malware from running, and protect the endpoint.

4. Apply operating system patches and patches for critical software promptly.

Much malware spreads by exploiting known operating system and software vulnerabilities, and timely patching effectively reduces the impact of such attacks.
