RAZOR TIGER

aka: SideWinder, Rattlesnake, APT-C-17, T-APT-04

An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.


Associated Families
apk.sidewinder win.sidewinder win.unidentified_093

References
2023-05-17 · Group-IB · Nikita Rostovtsev, Joshua Penny, Yashraj Solanki
@online{rostovtsev:20230517:distinctive:c4bc5d4, author = {Nikita Rostovtsev and Joshua Penny and Yashraj Solanki}, title = {{The distinctive rattle of APT SideWinder}}, date = {2023-05-17}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/hunting-sidewinder/}, language = {English}, urldate = {2023-05-17} } The distinctive rattle of APT SideWinder
SideWinder
2022-07-20 · Qianxin · Red Raindrops Team
@online{team:20220720:sidewinder:8d70604, author = {Red Raindrops Team}, title = {{The Sidewinder (APT-Q-39) uses Google Play to spread an analysis of malicious Android software}}, date = {2022-07-20}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/}, language = {Chinese}, urldate = {2022-08-02} } The Sidewinder (APT-Q-39) uses Google Play to spread an analysis of malicious Android software
SideWinder
2022-07-13 · Check Point · Check Point Research
@online{research:20220713:hit:79199ac, author = {Check Point Research}, title = {{A Hit is made: Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets}}, date = {2022-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/}, language = {English}, urldate = {2022-07-15} } A Hit is made: Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets
Unidentified 093 (Sidewinder)
2022-06-08 · Qianxin Threat Intelligence Center · Red Raindrop Team
@online{team:20220608:operation:3fe580d, author = {Red Raindrop Team}, title = {{Operation Tejas: A dying elephant curled up in the Kunlun Mountains}}, date = {2022-06-08}, organization = {Qianxin Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg}, language = {English}, urldate = {2022-06-09} } Operation Tejas: A dying elephant curled up in the Kunlun Mountains
HAZY TIGER RAZOR TIGER
2022-04-14 · Medium (@DCSO_CyTec) · DCSO CyTec
@online{cytec:20220414:404:a7dc53d, author = {DCSO CyTec}, title = {{404 — File still found}}, date = {2022-04-14}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c}, language = {English}, urldate = {2022-05-31} } 404 — File still found
SideWinder
2021-03-04 · Malpedia · Malpedia
@online{malpedia:20210304:malpedia:b8ffad2, author = {Malpedia}, title = {{Malpedia Page for family Sidewinder}}, date = {2021-03-04}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder}, language = {English}, urldate = {2021-03-12} } Malpedia Page for family Sidewinder
SideWinder
2021-01-13 · AlienVault · Tom Hegel
@techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2020-12-09 · Trend Micro · Joseph C Chen, Jaromír Hořejší, Ecular Xu
@online{chen:20201209:sidewinder:a454abd, author = {Joseph C Chen and Jaromír Hořejší and Ecular Xu}, title = {{SideWinder Leverages South Asian Territorial Issues for Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html}, language = {English}, urldate = {2020-12-10} } SideWinder Leverages South Asian Territorial Issues for Spear Phishing and Mobile Device Attacks
Meterpreter SideWinder RAZOR TIGER
2020-12-09 · AlienVault OTX · AlienVault
@online{alienvault:20201209:sidewinder:65e0781, author = {AlienVault}, title = {{SideWinder APT South Asian Territorial Themed Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/}, language = {English}, urldate = {2021-03-12} } SideWinder APT South Asian Territorial Themed Spear Phishing and Mobile Device Attacks
SideWinder RAZOR TIGER
2020-10-26 · Qianxin · Threat Intelligence Center
@online{center:20201026:analysis:81bfa52, author = {Threat Intelligence Center}, title = {{Analysis of the attack activities of the Rattlesnake organization using the Buffy bilateral agreement as bait}}, date = {2020-10-26}, organization = {Qianxin}, url = {https://www.secrss.com/articles/26507}, language = {Chinese}, urldate = {2020-10-27} } Analysis of the attack activities of the Rattlesnake organization using the Buffy bilateral agreement as bait
SideWinder
2020-05-28 · Qianxin · Threat Intelligence Center
@online{center:20200528:analysis:5b197d4, author = {Threat Intelligence Center}, title = {{Analysis of recent rattlesnake APT attacks against surrounding countries and regions}}, date = {2020-05-28}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/}, language = {Chinese}, urldate = {2020-10-27} } Analysis of recent rattlesnake APT attacks against surrounding countries and regions
SideWinder
2020-01-06 · Trend Micro · Ecular Xu, Joseph C Chen
@online{xu:20200106:first:bb9628c, author = {Ecular Xu and Joseph C Chen}, title = {{First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group}}, date = {2020-01-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/}, language = {English}, urldate = {2020-01-13} } First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
RAZOR TIGER
2019-02-26 · Tencent · Tencent Yujian Threat Intelligence Center
@online{center:20190226:disclosure:d46aaed, author = {Tencent Yujian Threat Intelligence Center}, title = {{Disclosure of SideWinder APT's attack against South Asia}}, date = {2019-02-26}, organization = {Tencent}, url = {https://s.tencent.com/research/report/659.html}, language = {Chinese}, urldate = {2021-03-04} } Disclosure of SideWinder APT's attack against South Asia
SideWinder RAZOR TIGER
2018-07-16 · Medium Sebdraven · Sébastien Larinier
@online{larinier:20180716:sidewinder:cb05fe4, author = {Sébastien Larinier}, title = {{APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading}}, date = {2018-07-16}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c}, language = {English}, urldate = {2020-01-13} } APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading
SideWinder RAZOR TIGER
2018-05-23 · Tencent · Tencent Mimi Threat Intelligence Center
@online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } SideWinder "Rattlesnake" APT Group (T-APT-04): Targeted Attack Threat Against South Asia
SideWinder RAZOR TIGER
2018-04-12 · Kaspersky Labs · GReAT
@online{great:20180412:trends:babf7f6, author = {GReAT}, title = {{APT Trends report Q1 2018}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2018/85280/}, language = {English}, urldate = {2020-01-08} } APT Trends report Q1 2018
RAZOR TIGER
2014-08-08 · FireEye · FireEye
@techreport{fireeye:20140808:sidewinder:ddc16cd, author = {FireEye}, title = {{Sidewinder Targeted Attack Against Android in the Golden Age of AD Libraries}}, date = {2014-08-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf}, language = {English}, urldate = {2021-03-04} } Sidewinder Targeted Attack Against Android in the Golden Age of AD Libraries
RAZOR TIGER

Credits: MISP Project