The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

SideWinder WarHawk Backdoor

Oct 31, 2022 1:16:52 PM / by PolySwarm Tech Team


Executive Summary

Zscaler recently reported on WarHawk, a new backdoor used by the Indian threat actor group SideWinder.


Key Takeaways

  • WarHawk is a backdoor used by the SideWinder threat actor group.
  • WarHawk contains four modules and is known to drop at least three different second-stage payloads.
  • WarHawk checks the victim machine’s time zone to specifically target users in Pakistan.

What is WarHawk?

WarHawk is a new backdoor used by the SideWinder threat actor group. Zscaler found the backdoor in September 2022.

The threat actors use ISO files bundled with an LNK file and a decoy PDF. Zscaler researchers found the ISO file was hosted on the legitimate but apparently compromised Pakistan National Electric Power Regulatory Authority website. Ironically, the PDF bundled in the LNK was based on an advisory released by a Pakistani government organization warning about the use of masqueraded links by malicious actors in phishing campaigns.

The malicious binary, disguised as RtlAudioDriver.exe, is executed by the LNK file and contains the WarHawk backdoor, which poses as a legitimate application. WarHawk gathers system information, including the computer/NetBIOS name, the UserName, and the Windows Product Name, arranges it in JSON format, and sends it to the C2.

WarHawk includes four modules:

  • Download and Execute Module: downloads and executes payloads retrieved from the C2.
  • Command Execution Module: executes system commands received from the C2 on the victim machine.
  • File Manager InfoExfil Module: gathers and sends File Manager information to the C2.
  • UploadFromC2 Module: found only in newer variants of WarHawk; allows the threat actors to upload files from the C2 to the victim machine.


WarHawk is capable of downloading and executing payloads received from the C2. Observed stage 2 payloads include the following:

  • Snitch.exe: a Cobalt Strike loader that uses KernelCallBackTable injection. The loader is retrieved using the Download and Execute Module. When executed, it performs anti-analysis checks, including anti-sandbox checks, as well as a time zone check. If the victim machine is not using the Pakistan Standard Time zone, the malware terminates.
  • DDRA.exe: a hybrid HTTP/DNS beacon.
  • OneDrive.exe: another hybrid HTTP/DNS beacon.


Zscaler attributed WarHawk to SideWinder based on evidence of the reuse of infrastructure. They determined the group is targeting entities in Pakistan based on the use of Pakistan’s National Electric Power Regulatory Authority website as infrastructure, the PDF lure subject, and the check for the Pakistan Standard Time zone.

Who is SideWinder?

SideWinder, also known as Rattlesnake or T-APT4, is an Indian threat actor group active since at least 2012. Industry researchers previously discovered the group is affiliated with an India-based company advertising malware analysis and penetration testing services. It is unclear whether the group is state-sponsored, although some industry researchers point to the possibility.


In the past two years, SideWinder has launched at least 1000 targeted attacks. The group engages in espionage activity and is known to target government, military and defense, scientific research, energy, mineral industries, and business entities in Asian and Middle Eastern countries, including Pakistan, Nepal, China, Afghanistan, Myanmar, Qatar, Sri Lanka, and Bangladesh. Major campaigns tend to focus on entities in Pakistan. SideWinder TTPs include, but are not limited to, spearphishing, malicious documents, memory-resident malware, the Koadic post-exploitation framework, and DLL side-loading.

IOCs

PolySwarm has multiple samples of WarHawk (SHA-256):

537ae7b28196cba2527a3da539b5594777dfac97620a30085b271130a71c4973
58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a
624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372
65d93c4fa21b67a21dbc03c29b24f5e663f341ec209a528a74e586414a1f2cec
7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5
b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369
f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc
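As an added example (not part of the PolySwarm bulletin, its portal or its CLI), the script below shows how a responder can sweep a host or a share for the WarHawk samples listed above: it streams every file under a directory through SHA-256 and reports any file whose digest is in the IoC set. The hash set is copied verbatim from the list above; the temporary directory, the benign sample file and the "constructed" IoC used in the demo are made up here to show both a miss and a hit without needing a real sample on disk.

```python
import hashlib
import os
import tempfile

# SHA-256 hashes of WarHawk samples, copied from the IoC list in the bulletin.
WARHAWK_SHA256 = frozenset({
    "537ae7b28196cba2527a3da539b5594777dfac97620a30085b271130a71c4973",
    "58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a",
    "624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372",
    "65d93c4fa21b67a21dbc03c29b24f5e663f341ec209a528a74e586414a1f2cec",
    "7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5",
    "b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369",
    "f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc",
})


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_warhawk(hexdigest: str) -> bool:
    """True if the digest (any case) matches a published WarHawk sample hash."""
    return hexdigest.strip().lower() in WARHAWK_SHA256


def scan_tree(root: str, iocs=WARHAWK_SHA256) -> dict:
    """Walk `root` and return {path: sha256} for every file whose hash is in `iocs`.

    Unreadable files (permission errors, vanished temp files) are skipped rather
    than aborting the sweep, which is the behaviour you want on a live host.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo_scan() -> tuple:
    """Constructed demo: one benign file, scanned against the real IoCs (expect
    no hit) and against a constructed IoC set containing its own hash (expect a hit).
    Returns (hits_against_warhawk_iocs, hits_against_constructed_iocs)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "RtlAudioDriver.exe")  # name only; content is harmless
        with open(sample, "wb") as f:
            f.write(b"constructed benign content, not malware\n")
        real_hits = scan_tree(tmp)                       # against the bulletin's hashes
        constructed_iocs = frozenset({sha256_file(sample)})
        fake_hits = scan_tree(tmp, constructed_iocs)     # against a made-up IoC
        return len(real_hits), len(fake_hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root).items():
        print(f"WARHAWK MATCH  {digest}  {path}")
    print("demo (misses, hits):", demo_scan())
```

Run it as `python warhawk_sweep.py /path/to/scan`; a match means the file is byte-identical to a published sample, so a miss does not clear a host (recompiled or packed variants hash differently), which is why hash sweeps are best paired with the behavioural indicators in the bulletin (the ISO/LNK lure chain, the JSON system-information beacon and the stage 2 loaders).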


You can use the following CLI command to search for all WarHawk samples in our portal:

$ polyswarm link list -f WarHawk


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, India, Pakistan, Backdoor, Sidewinder, WarHawk
