Zscaler Threat Hunting uncovered a targeted espionage campaign impersonating the Income Tax Department of India that uses URL shorteners and public file hosting to deliver a DLL side-loading implant linked to SideWinder activity. The campaign leverages signed Microsoft binaries (SenseCE.exe) to load a malicious MpGear.dll, performs timezone-based geofencing for India (UTC+5:30), and communicates with C2 servers to deploy a resident agent. #SideWinder #SenseCE
Keypoints
- Attackers used phishing redirects (surl[.]li) to a fake Income Tax Department page (gfmqvip[.]vip) to prompt a download of Inspection[.]zip.
- The delivered .zip contained a renamed legitimate Microsoft binary (Inspection Document Review.exe / SenseCE[.]exe) and a malicious MpGear[.]dll used for DLL side-loading.
- Geofencing checks against timeapi[.]io and worldtimeapi[.]org only let the payload continue when the host reports the UTC+5:30 timezone (India Standard Time), a strong signal that India was the intended target.
- Staging and C2 used public file hosting (store10[.]gofile[.]io) and bare-IP servers: 8[.]217[.]152[.]225 served the shellcode loader, and the resident agent (mysetup[.]exe) beaconed to 180[.]178[.]56[.]230.
- The malicious code ran inside a trusted, signed process (SenseCE[.]exe), executed its later stages in memory, and slept for roughly 3.5 minutes to outlast typical sandbox analysis windows.
- Zscaler’s SSL/TLS inspection and cloud-scale telemetry enabled linking browser redirects, the downloaded archive, and subsequent C2 beaconing to attribute techniques consistent with SideWinder.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Shortened-URL redirect to a fake tax portal that prompts a download (‘surl[.]li/wuvdwi (Redirector).’)
- [T1204.001] User Execution: Malicious Link – The victim follows the web lure and downloads Inspection[.]zip (‘Phishing Call To Action (CTA)’).
- [T1027] Obfuscated Files or Information – The payload components ship inside a compressed archive, with the loader hidden behind a renamed legitimate executable and padded with decoy files (‘Inspection[.]zip contains a legitimate-looking executable Inspection Document Review[.]exe (renamed SenseCE[.]exe), a malicious MpGear[.]dll, and decoy certificates (DMRootCA[.]crt).’)
- [T1608.001] Stage Capabilities: Upload Malware – The archive is hosted on a public file-sharing service (‘store10[.]gofile[.]io (Public file sharing).’); the victim's browser fetching it from there is Ingress Tool Transfer (T1105).
- [T1036.005] Masquerading: Match Legitimate Name or Location – The renamed signed binary and the decoy certificates are packaged to look like a legitimate document-review tool (‘Inspection Document Review[.]exe (renamed SenseCE[.]exe)’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The signed Microsoft Defender binary SenseCE[.]exe resolves MpGear[.]dll from its own directory, so the malicious copy placed beside it is loaded under the signed process (‘This legitimate Microsoft binary automatically loads the malicious MpGear[.]dll from the same folder.’)
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Environment checks and a long sleep before doing anything observable (‘The malware performs environment checks (Timezone via timeapi[.]io, Process enumeration) and sleeps for ~3.5 minutes to evade sandbox analysis.’)
- [T1620] Reflective Code Loading – The resident implant is loaded reflectively in memory rather than through the normal loader (‘a reflectively loaded resident implant’).
- [T1055] Process Injection – Inferred, not directly observed: the cited evidence (payload running inside the trusted Defender process, in-memory execution) is explained by side-loading and reflective loading, so treat this mapping as tentative (‘forcing legitimate applications to load malicious libraries … blinding traditional security products’).
- [T1071.001] Application Layer Protocol: Web Protocols – Payload retrieval and C2 run over web protocols (‘Connects to 8[.]217[.]152[.]225 to download a shellcode loader (/1bin).’)
- [T1105] Ingress Tool Transfer – The shellcode loader is pulled onto the host from attacker infrastructure as a separate stage (‘1bin Shellcode Loader Download Activity’).
- [T1614] System Location Discovery – Timezone lookups against timeapi[.]io / worldtimeapi[.]org gate execution on UTC+5:30 (India) before the chain proceeds.
- [T1001.003] Data Obfuscation: Protocol or Service Impersonation – The agent's beacons to the final C2 imitate the traffic of a legitimate endpoint tool to blend in (‘The agent beacons to 180[.]178[.]56[.]230 (mimicking the protocol of the Chinese “Anqi Shen” endpoint tool).’)
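The masquerading and side-loading entries above describe an endpoint pattern that is easy to hunt for in process-create and image-load telemetry: a binary whose PE OriginalFileName is SenseCE.exe but whose on-disk name or directory is wrong, followed by that process loading an unsigned DLL from its own directory. The following is an added example of that hunt over Sysmon-style records (EventID 1 and EventID 7 fields), not Zscaler's detection logic or anything from the report. It assumes the genuine SenseCE.exe lives under the Defender for Endpoint install directory (EXPECTED_DIRS); the sample events, GUIDs and the victim path are constructed.

```python
"""Hunt Sysmon-style telemetry for the renamed-SenseCE.exe / MpGear.dll
side-loading pattern.  Added example; not Zscaler's detection logic."""
import ntpath

# Assumption (not stated in the report): the shipped SenseCE.exe lives under
# the Defender for Endpoint install directory, so a binary whose
# OriginalFileName is SenseCE.exe running anywhere else is suspect.
EXPECTED_DIRS = (r"c:\program files\windows defender advanced threat protection",)
ABUSED_ORIGINAL_NAMES = {"sensece.exe"}   # signed host binaries worth watching
SIDELOAD_DLLS = {"mpgear.dll"}            # DLL names the report says are hijacked


def _dir(path):
    """Lower-cased directory part of a Windows path, without a trailing slash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_expected_dir(path):
    d = _dir(path)
    return any(d == e or d.startswith(e + "\\") for e in EXPECTED_DIRS)


def check_process_create(ev):
    """Reasons to flag a Sysmon EventID 1 (process create) record."""
    reasons = []
    orig = ev.get("OriginalFileName", "").lower()
    image = ev.get("Image", "")
    if orig in ABUSED_ORIGINAL_NAMES:
        if ntpath.basename(image).lower() != orig:
            reasons.append(f"signed binary renamed: {image} has OriginalFileName {ev['OriginalFileName']}")
        if not _in_expected_dir(image):
            reasons.append(f"{ev['OriginalFileName']} running outside its install directory: {image}")
    return reasons


def check_image_load(ev, loader_flagged):
    """Reasons to flag a Sysmon EventID 7 (image load) record.

    loader_flagged: True when the loading process was already flagged by
    check_process_create (correlated via ProcessGuid)."""
    reasons = []
    loaded = ev.get("ImageLoaded", "")
    image = ev.get("Image", "")
    name = ntpath.basename(loaded).lower()
    unsigned = str(ev.get("Signed", "true")).lower() == "false"
    if name in SIDELOAD_DLLS and not _in_expected_dir(loaded):
        reasons.append(f"watch-listed DLL {name} loaded from {_dir(loaded)}")
    if loader_flagged and unsigned and _dir(loaded) == _dir(image):
        reasons.append(f"unsigned DLL loaded from the suspect process's own directory: {loaded}")
    return reasons


def hunt(events):
    """Return [(ProcessGuid, reason), ...] over an ordered list of event dicts."""
    flagged = set()
    findings = []
    for ev in events:
        guid = ev.get("ProcessGuid", "?")
        if ev.get("EventID") == 1:
            reasons = check_process_create(ev)
            if reasons:
                flagged.add(guid)
        elif ev.get("EventID") == 7:
            reasons = check_image_load(ev, guid in flagged)
        else:
            reasons = []
        findings.extend((guid, r) for r in reasons)
    return findings


# Constructed sample events (not from the report): a genuine SenseCE.exe in its
# install directory, then the renamed copy from the lure archive loading MpGear.dll.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{GUID-BENIGN}",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\SenseCE.exe",
     "OriginalFileName": "SenseCE.exe"},
    {"EventID": 7, "ProcessGuid": "{GUID-BENIGN}",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\SenseCE.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{GUID-SUSPECT}",
     "Image": r"C:\Users\victim\Downloads\Inspection\Inspection Document Review.exe",
     "OriginalFileName": "SenseCE.exe"},
    {"EventID": 7, "ProcessGuid": "{GUID-SUSPECT}",
     "Image": r"C:\Users\victim\Downloads\Inspection\Inspection Document Review.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Inspection\MpGear.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for guid, reason in hunt(SAMPLE_EVENTS):
        print(guid, reason)
```

The OriginalFileName check is the one that survives renaming, since it comes from the PE version resource rather than the path; the directory check catches copies that keep the real name but run from a user-writable location. Tune EXPECTED_DIRS to wherever the genuine SenseCE.exe and its DLLs live on your build before relying on the watch-list rule, or a legitimate Defender update directory will generate false positives.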
Indicators of Compromise
- [Domain] Initial lure and redirectors – gfmqvip[.]vip (fake Income Tax Department portal), surl[.]li (URL shortener used for the redirect).
- [URL] Phishing redirect and payload download – surl[.]li/wuvdwi (redirector), store10[.]gofile[.]io/download/direct/…/inspection[.]zip (direct payload download).
- [File name] Delivered and dropped artifacts – Inspection[.]zip (initial access archive), Inspection Document Review[.]exe (renamed SenseCE[.]exe), MpGear[.]dll (malicious side-loaded DLL), mysetup[.]exe (resident agent).
- [IP Address] Staging and C2 infrastructure – 8[.]217[.]152[.]225 (staging server serving /1bin), 180[.]178[.]56[.]230 (final C2 server).
- [File Hash] Sample hashes (MD5) – b5bd49b6eef60ff85892ef7c8015b01 (Inspection[.]zip; as listed, this value is 31 hex characters, one short of a full MD5, so confirm it against the original report before using it for matching), 7f397f286905114b94da3ec9052cb89d (MpGear[.]dll), 537abad75fc343690119851610d9b54b (1bin).
- [Configuration / Filename] Persistence and config artifacts – YTSysConfig[.]ini or YTSTATUS[.]ini (C2 instruction/config file written to disk), C:\install\mysetup[.]exe (dropped resident agent).
- [User Agent] Distinctive request identifiers – TimeClient/1.0 (timezone checks against the time APIs), work/1.0 (C2 beaconing).
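The network indicators above span the whole chain (redirect, lure, download, geofence lookup, staging, final C2), so the useful hunt is per client rather than per indicator: a host that hits several stages in order is far more interesting than a lone match on a time API. The following is an added example of that correlation over proxy log lines, not code from the report. It refangs the indicators exactly as listed above; the log format (timestamp, client, host, path, quoted user agent) and the sample lines, including the victim and benign client addresses and the request paths, are constructed.

```python
"""Match the report's defanged indicators against proxy log lines and
summarise, per client, which stages of the chain were observed.
Added example; not from the report."""
import re

# Indicators copied from the report in its own defanged form, keyed by stage.
IOC_HOSTS = {
    "redirector":   ["surl[.]li"],
    "lure_domain":  ["gfmqvip[.]vip"],
    "payload_host": ["store10[.]gofile[.]io"],
    "staging_c2":   ["8[.]217[.]152[.]225"],
    "final_c2":     ["180[.]178[.]56[.]230"],
}
# Public time services are benign on their own; they only count as the
# geofence check when paired with one of the report's user agents.
GEOFENCE_HOSTS = ["timeapi[.]io", "worldtimeapi[.]org"]
IOC_USER_AGENTS = {"TimeClient/1.0", "work/1.0"}


def refang(ioc):
    """Turn the report's defanged notation back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host, indicator):
    """Exact match or subdomain of the indicator, case-insensitive."""
    indicator = refang(indicator).lower()
    host = host.lower()
    return host == indicator or host.endswith("." + indicator)


# Constructed log format: <time> <client> <host> <path> "<user agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+"(?P<ua>[^"]*)"\s*$')


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Stage tags matched by one log record."""
    tags = []
    for tag, hosts in IOC_HOSTS.items():
        if any(host_matches(rec["host"], h) for h in hosts):
            tags.append(tag)
    if rec["ua"] in IOC_USER_AGENTS and any(host_matches(rec["host"], h) for h in GEOFENCE_HOSTS):
        tags.append("geofence_check")
    if not tags and rec["ua"] in IOC_USER_AGENTS:
        tags.append("ioc_user_agent")   # odd UA with no known host: worth a look on its own
    return tags


def hunt(log_text):
    """Map each client to the stage tags it hit, in order of first sighting."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for tag in classify(rec):
            seen = hits.setdefault(rec["client"], [])
            if tag not in seen:
                seen.append(tag)
    return hits


# Constructed sample log (not from the report): one client walks the full
# chain, another only touches the time API with a normal browser.
SAMPLE_LOG = """
10:00:01 10.1.1.25 surl.li /wuvdwi "Mozilla/5.0"
10:00:03 10.1.1.25 gfmqvip.vip /index.html "Mozilla/5.0"
10:00:09 10.1.1.25 store10.gofile.io /download "Mozilla/5.0"
10:02:41 10.1.1.25 timeapi.io /api/time/current/zone "TimeClient/1.0"
10:06:15 10.1.1.25 8.217.152.225 /1bin "work/1.0"
10:07:02 10.1.1.25 180.178.56.230 / "work/1.0"
10:00:05 10.1.1.40 timeapi.io /api/time/current/zone "Mozilla/5.0"
10:00:07 10.1.1.40 www.gofile.io /faq "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, stages in hunt(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

The subdomain rule in host_matches is deliberate: gofile.io as a whole is a legitimate service, so only the specific store10 host from the report is matched, and a browser visiting www.gofile.io stays clean. The roughly 3.5-minute gap between the download and the time-API call in the constructed log mirrors the sandbox-evasion sleep noted above, which is why the per-client view should tolerate minutes between stages rather than expecting them back to back.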