Zscaler recently reported on WarHawk, a new backdoor used by the Indian threat actor group SideWinder.
- WarHawk is a backdoor used by the SideWinder threat actor group.
- WarHawk contains four modules and is known to drop at least three different second-stage payloads.
- WarHawk checks the victim machine’s time zone to specifically target users in Pakistan.
What is WarHawk?
WarHawk is a new backdoor used by the SideWinder threat actor group. Zscaler found the backdoor in September 2022.
The threat actors use ISO files bundled with an LNK file and a decoy PDF. Zscaler researchers found the ISO file was hosted on the legitimate but apparently compromised Pakistan National Electric Power Regulatory Authority website. Ironically, the PDF bundled in the LNK was based on an advisory released by a Pakistani government organization warning about the use of masqueraded links by malicious actors in phishing campaigns.
The malicious binary is disguised as RtlAudioDriver.exe. It is executed by the LNK file and contains the WarHawk backdoor. WarHawk disguises itself as a legitimate application. WarHawk gathers system information, including the computer/NetBios name, the UserName, and the Windows Product Name. This information is arranged in JSON format and sent to the C2.
WarHawk includes four modules:
Download and Execute Module
The Download and Execute Module downloads and executes payloads retrieved from the C2.
Command Execution Module
The Command Execution Module executes system commands received from the C2 on the victim machine.
File Manager InfoExfil Module
The File Manager InfoExfil Module gathers and sends File Manager information to the C2.
The UploadFromC2 Module is only found in newer variants of WarHawk. This module allows the threat actors to upload files from the C2 to the victim machine.
WarHawk is capable of downloading and executing payloads received from the C2. Observed stage 2 payloads include the following:
Snitch.exe is a Cobalt Strike loader that uses KernelCallBackTable injection. The Cobalt Strike loader is retrieved using the Download and Execute Module. When executed, the loader performs anti-analysis checks, including anti-sandbox checks, as well as a time zone check. If the victim machine is not using the Pakistan Standard Time zone, the malware terminates.
DDRA.exe is a hybrid HTTP DNS beacon.
OneDrive.exe is another hybrid HTTP DNS beacon.
Zscaler attributed WarHawk to SideWinder based on evidence of the reuse of infrastructure. They determined the group is targeting entities in Pakistan based on the use of Pakistan’s National Electric Power Regulatory Authority website as infrastructure, the PDF lure subject, and the check for the Pakistan Standard Time zone.
Who is SideWinder?
SideWinder, also known as Rattlesnake or T-APT4, is an Indian threat actor group active since at least 2012. Industry researchers previously discovered the group is affiliated with an India-based company advertising malware analysis and penetration testing services. It is unclear whether the group is state-sponsored, although some industry researchers point to the possibility.
In the past two years, SideWinder has launched at least 1000 targeted attacks. The group engages in espionage activity and is known to target government, military and defense, scientific research, energy, mineral industries, and business entities in Asian and Middle Eastern countries, including Pakistan, Nepal, China, Afghanistan, Myanmar, Qatar, Sri Lanka, and Bangladesh. Major campaigns tend to focus on entities in Pakistan. SideWinder TTPs include but are not limited to spearphishing, malicious documents, use of memory-resident malware, Koadic post-exploitation framework, and DLL side loading.
PolySwarm has multiple samples of WarHawk.
You can use the following CLI command to search for all WarHawk samples in our portal:
$ polyswarm link list -f WarHawk
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports