The nation-state threat actor known as SideWinder has been linked to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which uncovered the activity, said the spear-phishing campaign's targets include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which is also tracked as APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be associated with India. It has been active since 2012 and typically relies on spear-phishing to deliver the malicious payloads that start its attack chains.
"SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity business claimed in a report published last week.
The current round of attacks employs lures themed around sexual harassment, employment termination, and wage reduction, designed to unsettle recipients and trick them into opening booby-trapped Microsoft Word documents.
Once the decoy file is opened, it exploits a known vulnerability (CVE-2017-0199) to contact a malicious domain that impersonates Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") and retrieve an RTF file.
The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old vulnerability in the Microsoft Office Equation Editor, to run shellcode responsible for launching JavaScript code, but only after checking that the compromised system is genuine and of interest to the threat actor.
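As an added defensive illustration (not BlackBerry's tooling or anything from its report), the following Python scanner flags the two document structures this chain depends on: an external OLE-object or attached-template relationship inside an OOXML package (the remote-fetch structure behind the CVE-2017-0199 stage) and Equation Editor objects inside RTF (the CVE-2017-11882 stage). The package layout it inspects is standard OOXML; the sample documents, their hex contents and the placeholder host are constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
REMOTE_FETCH_TYPES = {OOXML_REL + "oleObject", OOXML_REL + "attachedTemplate"}
# UTF-16LE hex of the OLE stream name that Equation Editor objects carry.
EQN_NATIVE_HEX = re.compile(re.escape("Equation Native".encode("utf-16-le").hex().encode()), re.I)

def docx_external_links(docx_bytes: bytes) -> list[tuple[str, str]]:
    """(kind, target) for OLE objects or attached templates resolved from outside the
    package: the structure the CVE-2017-0199 stage uses to fetch its second file on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            for rel in ET.fromstring(zf.read(name)).iter(REL_TAG):
                if rel.get("TargetMode") == "External" and rel.get("Type") in REMOTE_FETCH_TYPES:
                    hits.append((rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return hits

def rtf_equation_objects(rtf_bytes: bytes) -> dict[str, int]:
    """Counts for the CVE-2017-11882 stage: embedded objects, objects declaring the
    Equation Editor class, and objdata blobs whose hex carries the 'Equation Native'
    stream name (the class name is easy to obfuscate or drop; the stream name is not)."""
    blobs = [re.sub(rb"\s+", b"", m) for m in re.findall(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf_bytes)]
    return {
        "objects": len(re.findall(rb"\\object\b", rtf_bytes)),
        "equation_class": len(re.findall(rb"\\objclass\s*equation\.?3", rtf_bytes, re.I)),
        "equation_native_stream": sum(1 for b in blobs if EQN_NATIVE_HEX.search(b)),
    }

def build_sample_docx(target: str) -> bytes:
    """Constructed sample: minimal package with one external OLE link (placeholder host)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OOXML_REL}oleObject" Target="{target}" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OOXML_REL}styles" Target="styles.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed RTF fragment (not a payload): mixed-case class name and hex split across
# lines, as real lures often do, with the stream name embedded in the objdata hex.
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass eQuAtIoN.3}{\*\objdata 0105000002000000"
              + b"\n" + "Equation Native".encode("utf-16-le").hex().encode() + rb"}}}")

if __name__ == "__main__":
    print(docx_external_links(build_sample_docx("http://stage.example.invalid/lure.rtf")))
    print(rtf_equation_objects(SAMPLE_RTF))
```

A hit from either function is a triage signal for sandboxing or blocking the attachment, not proof of exploitation; legitimate documents rarely link OLE objects to remote HTTP hosts.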
It's currently not known what is delivered through the JavaScript malware, although the end goal is likely intelligence gathering, based on SideWinder's earlier campaigns.
"The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions," BlackBerry warned. "The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."