{"id":163574,"date":"2023-05-09T08:22:39","date_gmt":"2023-05-09T13:22:39","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/05\/researchers-uncover-sidewinders-latest-server-based-polymorphism-technique"},"modified":"2023-05-09T08:22:39","modified_gmt":"2023-05-09T13:22:39","slug":"researchers-uncover-sidewinders-latest-server-based-polymorphism-technique","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/05\/researchers-uncover-sidewinders-latest-server-based-polymorphism-technique","title":{"rendered":"Researchers Uncover SideWinder\u2019s Latest Server-Based Polymorphism Technique"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/researchers-uncover-sidewinders-latest-server-based-polymorphism-technique.jpg\"><\/a><\/p>\n<p>Over the past year, SideWinder has been linked to a cyber <a href=\"https:\/\/zhuanlan.zhihu.com\/p\/593797356\" rel=\"noopener\" target=\"_blank\">attack aimed<\/a> at Pakistan Navy War College (PNWC) as well as an <a href=\"https:\/\/zhuanlan.zhihu.com\/p\/530163085\" rel=\"noopener\" target=\"_blank\">Android malware campaign<\/a> that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/a\/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html\" rel=\"noopener\" target=\"_blank\">harvest sensitive information<\/a>.<\/p>\n<p>The latest infection chain documented by BlackBerry mirrors findings from Chinese cybersecurity firm QiAnXin in December 2022 detailing the use of PNWC lure documents to drop a lightweight .NET-based backdoor (App.dll) that\u2019s capable of retrieving and executing next-stage malware from a remote server.<\/p>\n<p>What also makes the campaign stand out is the threat actor\u2019s use of server-based polymorphism as a way to potentially sidestep traditional signature-based antivirus (AV) detection and distribute additional payloads by responding with two different versions of an intermediate RTF file.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the past year, SideWinder has been linked to a cyber attack aimed at Pakistan Navy War College (PNWC) as well as an Android malware campaign that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to harvest sensitive information. The latest infection chain documented by BlackBerry mirrors findings from Chinese [\u2026]<\/p>\n","protected":false},"author":662,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,1512],"tags":[],"class_list":["post-163574","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-mobile-phones"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/163574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/662"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=163574"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/163574\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=163574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=163574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=163574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}