SideWinder APT Hackers Target Indian Entities with Sophisticated Income Tax Scams
Advanced persistent threat (APT) group SideWinder has launched a new phishing campaign targeting Indian entities, masquerading as the Income Tax Department of India. The sophisticated attack aims to deploy a stealthy Windows backdoor, enabling the attackers to steal sensitive files, capture data, and gain remote control over infected systems. This campaign highlights the evolving tactics of cybercriminals to exploit trust and urgency in their malicious operations.
The malicious campaign begins with a seemingly legitimate tax-themed email designed to prompt recipients into reviewing an inspection document. These urgent messages contain a surl.li short link that redirects victims to a fake tax portal. This fraudulent website meticulously mimics the official Income Tax Department of India’s online presence, tricking unsuspecting users into downloading a file named “Inspection.zip.” Cybersecurity analysts at Zscaler identified this attack chain while monitoring unusual surl.li traffic within large Indian networks, observing users navigate from the shortened link to the deceptive portal, download the malicious archive, and subsequently establish connections to known SideWinder command and control servers.
Technical Breakdown of the Attack Chain
The downloaded “Inspection.zip” archive carries the attackers’ payload. Once extracted, it contains three components: a legitimate Microsoft Defender binary, “SenseCE.exe,” renamed to “Inspection Document Review.exe”; a malicious dynamic-link library (DLL) named “MpGear.dll”; and a decoy certificate file, “DMRootCA.crt.” When the victim launches the “review” program, the Windows loader follows its normal DLL search order and picks up the malicious “MpGear.dll” sitting in the same directory, a common DLL side-loading technique. The attacker’s code therefore executes inside a signed, trusted process, which helps it evade initial detection.
Rigorous Checks and Advanced Evasion Tactics
Before initiating contact with its command and control servers, the “MpGear.dll” performs several checks to ensure it is operating on a real target and not within a security sandbox environment. According to Zscaler analysts, the malware queries external time services like timeapi.io and worldtimeapi.org to ascertain the victim’s timezone. The attack proceeds only if the detected timezone aligns with South Asian regions, such as UTC+5:30, indicating a geofencing strategy to target specific geographic locations.
Furthermore, the malware incorporates a delay mechanism, pausing for approximately three and a half minutes before proceeding. This deliberate pause is designed to outlast the short execution windows of automated sandboxes and rapid scanning by security software. It also enumerates the running processes on the victim’s machine, gathering intelligence before downloading the next stage of the payload from the internet. This methodical staging lowers the chance that the infection is caught early and increases the chances of long-term persistence.
In the final stage of the infection process, “MpGear.dll” establishes communication with a specific IP address, 8.217.152.225. From this server, it retrieves a compact loader component, identified as “1bin.” Following this, the malware installs a persistent agent named “mysetup.exe” into the root C: drive and creates a configuration file, such as “YTSysConfig.ini.” This control file stores critical information, including the IP address of the command server (180.178.56.230) and various operational flags, enabling continuous communication and control by the SideWinder APT group. The use of legitimate-looking file names and the infiltration of trusted processes are hallmarks of advanced persistent threats, making detection and removal challenging.
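The side-loading step, the timezone lookups and the final-stage indicators above all leave traces in ordinary endpoint telemetry, so a defender can tie them together without any knowledge of the payload itself. The following is an added example, not code from the article or from Zscaler: a small Python matcher that runs Sysmon-style image-load, network and file-create records through three rules (a renamed SenseCE.exe loading MpGear.dll from outside an assumed Defender install root, connections to the two IP addresses and the two time-API hosts quoted above, and creation of C:\mysetup.exe or C:\YTSysConfig.ini) and then correlates them. The event records, the field names, the trusted-root paths and the non-routable IPs for benign traffic are all constructed for the example.

```python
"""Host/network telemetry matcher for the SideWinder chain described above.

Event records are constructed for this example: they mimic the fields of
Sysmon-style process, image-load, network and file events but are not real
logs from any product.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators quoted in the article (C2 addresses, time-API hosts, dropped files, DLL name).
C2_IPS = {"8.217.152.225", "180.178.56.230"}
TIME_API_HOSTS = {"timeapi.io", "worldtimeapi.org"}
DROPPED_FILES = {r"c:\mysetup.exe", r"c:\ytsysconfig.ini"}
SIDELOADED_DLL = "mpgear.dll"
DEFENDER_ORIGINAL = "sensece.exe"
# Assumed legitimate Defender install roots (assumption for the example, not from the article).
TRUSTED_ROOTS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def check_image_load(ev: dict):
    """Rule 1: MpGear.dll loaded from an untrusted directory, escalated when the loading
    process is Defender's SenseCE.exe (by original filename) running under another name."""
    dll = _norm(ev["dll"])
    if PureWindowsPath(dll).name != SIDELOADED_DLL or dll.startswith(TRUSTED_ROOTS):
        return None
    proc = _norm(ev["process"])
    orig = ev.get("original_filename", "").lower()
    if orig == DEFENDER_ORIGINAL and PureWindowsPath(proc).name != orig:
        return Finding("high", "defender_sideload", f"{proc} (orig {orig}) loaded {dll}")
    return Finding("medium", "untrusted_mpgear", f"{proc} loaded {dll}")


def check_network(ev: dict):
    """Rule 2: known C2 address (high) or a time-API lookup (low, a geofence-check hint)."""
    dst_ip = ev.get("dst_ip", "")
    host = ev.get("dst_host", "").lower()
    if dst_ip in C2_IPS:
        return Finding("high", "known_c2", f"{ev['process']} -> {dst_ip}")
    if host in TIME_API_HOSTS:
        return Finding("low", "timezone_lookup", f"{ev['process']} queried {host}")
    return None


def check_file_create(ev: dict):
    """Rule 3: the persistent agent or its control file written to the root of C:."""
    path = _norm(ev["path"])
    return Finding("high", "dropped_artifact", path) if path in DROPPED_FILES else None


DISPATCH = {"image_load": check_image_load, "network": check_network, "file_create": check_file_create}


def scan(events):
    """Run every event through the rule for its type; unknown types are ignored."""
    findings = []
    for ev in events:
        handler = DISPATCH.get(ev["type"])
        finding = handler(ev) if handler else None
        if finding:
            findings.append(finding)
    return findings


def correlate(findings) -> str:
    """A time-API lookup alone is noise; next to a side-load, C2 or dropped-file hit it is
    the geofence check the article describes, so the verdict is escalated."""
    rules = {f.rule for f in findings}
    strong = rules & {"defender_sideload", "known_c2", "dropped_artifact"}
    if strong and "timezone_lookup" in rules:
        return "sidewinder_chain_likely"
    return "investigate" if strong else "clean"


# Constructed telemetry: one infected host plus benign noise (198.51.100.0/24 and 203.0.113.0/24 are TEST-NET ranges).
VICTIM_EXE = r"C:\Users\victim\Downloads\Inspection\Inspection Document Review.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "process": VICTIM_EXE, "original_filename": "SenseCE.exe",
     "dll": r"C:\Users\victim\Downloads\Inspection\MpGear.dll"},
    {"type": "image_load", "process": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "original_filename": "MsMpEng.exe", "dll": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"type": "network", "process": VICTIM_EXE, "dst_host": "timeapi.io", "dst_ip": "203.0.113.10"},
    {"type": "network", "process": VICTIM_EXE, "dst_host": "", "dst_ip": "8.217.152.225"},
    {"type": "file_create", "process": VICTIM_EXE, "path": r"C:\mysetup.exe"},
    {"type": "file_create", "process": r"C:\mysetup.exe", "path": r"C:\YTSysConfig.ini"},
    {"type": "network", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_host": "example.com", "dst_ip": "198.51.100.7"},
    {"type": "process_create", "process": VICTIM_EXE},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("verdict:", correlate(results))
```

The image-load rule keys on the binary’s original filename rather than the name on disk, which is what makes a renamed Defender component stand out; the trusted-root exemption keeps the rule quiet for a genuine Defender installation, and the correlation step turns the otherwise unremarkable time-API lookups into corroborating evidence.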
The implications of this attack are significant for Indian businesses and government entities, given the impersonation of the Income Tax Department. Successful compromise could lead to the exfiltration of sensitive financial data, disruption of operations, and further downstream attacks. Monitoring network traffic for anomalous connections to the listed command and control addresses, watching for Defender binaries executing from user-writable directories, and educating employees about phishing tactics remain crucial defensive measures. The continued evolution of SideWinder’s methods suggests an ongoing and persistent threat to the Indian digital landscape, requiring vigilance and robust cybersecurity protocols. Future monitoring will focus on the specific data being exfiltrated and the potential expansion of SideWinder’s targeting within India.