Description
[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)
Techniques Used (TTPs)
- T1203 — Exploitation for Client Execution (execution)
- T1518.001 — Security Software Discovery (discovery)
- T1218.005 — Mshta (defense-evasion)
- T1598.003 — Spearphishing Link (reconnaissance)
- T1124 — System Time Discovery (discovery)
- T1566.002 — Spearphishing Link (initial-access)
- T1074.001 — Local Data Staging (collection)
- T1057 — Process Discovery (discovery)
- T1059.007 — JavaScript (execution)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1020 — Automated Exfiltration (exfiltration)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1071.001 — Web Protocols (command-and-control)
- T1559.002 — Dynamic Data Exchange (execution)
- T1083 — File and Directory Discovery (discovery)
- T1016 — System Network Configuration Discovery (discovery)
- T1598.002 — Spearphishing Attachment (reconnaissance)
- T1027.010 — Command Obfuscation (defense-evasion)
- T1059.001 — PowerShell (execution)
- T1518 — Software Discovery (discovery)
- T1059.005 — Visual Basic (execution)
- T1082 — System Information Discovery (discovery)
- T1119 — Automated Collection (collection)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1204.001 — Malicious Link (execution)
- T1204.002 — Malicious File (execution)
- T1033 — System Owner/User Discovery (discovery)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
Total TTPs: 30
Malware & Tools
Tools: Koadic