SideWinder APT Targets Indian Entities by Impersonating Income Tax Department in Sophisticated Cyber-Espionage Campaign

In a recent and sophisticated cyber-espionage campaign, the SideWinder Advanced Persistent Threat (APT) group has been targeting Indian entities by impersonating the Income Tax Department of India. This operation aims to deploy a stealthy Windows backdoor on victim machines, enabling attackers to exfiltrate sensitive data and maintain remote control over compromised systems.

Deceptive Tactics and Infection Chain

The attack initiates with a tax-themed phishing email that urges recipients to review an inspection document. The email contains a shortened URL (surl.li link) directing users to a counterfeit tax portal hosted at gfmqvip.vip, which closely mimics the legitimate Income Tax Department’s website. Upon visiting this fraudulent site, victims are prompted to download a file named Inspection.zip, stored on store10.gofile.io.

Inside the Inspection.zip archive are three critical components:

1. Inspection Document Review.exe: A signed Microsoft Defender binary, actually a renamed SenseCE.exe.

2. MpGear.dll: A malicious library designed for DLL side-loading.

3. DMRootCA.crt: A decoy certificate file.

When the user executes the Inspection Document Review.exe, it loads MpGear.dll from the same directory. This DLL side-loading technique allows the malicious code to run within a trusted process, thereby evading detection.

Advanced Evasion Techniques

Before establishing communication with the command-and-control (C2) server, MpGear.dll performs several checks to ensure it is operating within a genuine target environment:

– Geofencing: The malware queries timeapi.io and worldtimeapi.org to determine the system’s time zone. It proceeds only if the time zone corresponds to South Asian regions, such as UTC+5:30, effectively narrowing its focus to Indian targets.

– Anti-Analysis Measures: The malware introduces a delay of approximately three and a half minutes to evade quick scans. It also examines running processes to detect potential sandbox environments before downloading the next stage of the payload.

Payload Deployment and Persistence

In the final stage, MpGear.dll connects to the IP address 8.217.152.225 to retrieve a small loader named 1bin. This loader installs a persistent agent, mysetup.exe, in the C:\ directory and creates a configuration file, YTSysConfig.ini, which contains the C2 server address (180.178.56.230) and other operational parameters.
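As an added example (not code from the original write-up), the following Python triage runs over Sysmon-style events and flags each observable stage of the chain described above: a process whose OriginalFileName is SenseCE.exe running outside the Defender install directories, MpGear.dll loaded from a directory other than those, a connection to either listed C2 address, and the persistence files written to C:\. The allow-listed Defender directories are an assumption to adjust for your estate, and the sample events are constructed, not real telemetry.

```python
import json
from pathlib import PureWindowsPath

# Indicators quoted from the write-up above.
C2_IPS = {"8.217.152.225", "180.178.56.230"}
PERSISTENCE_FILES = {r"c:\mysetup.exe", r"c:\ytsysconfig.ini"}
# Assumption: where Defender components legitimately run on this estate.
DEFENDER_DIRS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender")

def _in_defender_dir(path: str) -> bool:
    return path.lower().startswith(DEFENDER_DIRS)

def check_event(ev: dict) -> list:
    """Return alert strings for one Sysmon-style event given as a dict."""
    alerts, eid, image = [], ev.get("EventID"), ev.get("Image", "")
    if eid == 1 and ev.get("OriginalFileName", "").lower() == "sensece.exe" \
            and not _in_defender_dir(image):  # ProcessCreate: renamed signed binary
        alerts.append(f"renamed SenseCE.exe running as {image}")
    if eid == 7:  # ImageLoad: side-loaded DLL outside Defender's directories
        loaded = PureWindowsPath(ev.get("ImageLoaded", "").lower())
        if loaded.name == "mpgear.dll" and not _in_defender_dir(str(loaded)):
            alerts.append(f"MpGear.dll side-loaded from {loaded.parent} into {image}")
    if eid == 3 and ev.get("DestinationIp") in C2_IPS:  # NetworkConnect
        alerts.append(f"{image} connected to known C2 {ev['DestinationIp']}")
    if eid == 11 and ev.get("TargetFilename", "").lower() in PERSISTENCE_FILES:
        alerts.append(f"persistence artifact written: {ev['TargetFilename']}")
    return alerts

def triage(json_lines) -> list:
    """Run check_event over newline-delimited JSON events; return all alerts."""
    return [a for line in json_lines for a in check_event(json.loads(line))]

# Constructed sample events modelled on the chain described above.
DROP = r"C:\Users\victim\Downloads\Inspection"
EXE = DROP + r"\Inspection Document Review.exe"
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0"  # placeholder version
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": EXE, "OriginalFileName": "SenseCE.exe"}),
    json.dumps({"EventID": 7, "Image": EXE, "ImageLoaded": DROP + r"\MpGear.dll"}),
    json.dumps({"EventID": 3, "Image": EXE, "DestinationIp": "8.217.152.225"}),
    json.dumps({"EventID": 11, "Image": EXE, "TargetFilename": r"C:\mysetup.exe"}),
    # Benign: Defender's own engine loading MpGear.dll from its install directory.
    json.dumps({"EventID": 7, "Image": DEFENDER + r"\MsMpEng.exe",
                "ImageLoaded": DEFENDER + r"\MpGear.dll"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the four malicious events produce alerts; the benign Defender load is suppressed by the directory allow-list, which is the check that matters because the DLL name alone is not enough to distinguish the two.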

Implications and Recommendations

This campaign underscores the evolving sophistication of APT groups like SideWinder in crafting targeted attacks that exploit trust in official institutions. By masquerading as the Income Tax Department, the attackers increase the likelihood of successful infiltration into sensitive Indian systems.

To mitigate such threats, organizations and individuals should adopt the following measures:

– Email Vigilance: Exercise caution with unsolicited emails, especially those urging immediate action or containing links and attachments.

– Verify Sources: Always verify the authenticity of websites by checking URLs carefully and looking for signs of impersonation.

– Update Security Protocols: Ensure that all software, including antivirus programs, is kept up to date so that it can detect and block the execution of malicious code.

– User Education: Conduct regular training sessions to educate users about phishing tactics and the importance of cybersecurity hygiene.

By implementing these strategies, entities can enhance their resilience against sophisticated cyber threats and protect sensitive information from unauthorized access.