Decrypt LOL
APT36 Cyber-Espionage Group Enhances Malware Tactics


Quick take - APT36, also known as Transparent Tribe, is a cyber-espionage group believed to be based in Pakistan that primarily targets Indian government entities and military installations using advanced malware and various tactics for data theft and espionage.

Fast Facts

  • APT36, or Transparent Tribe, is a Pakistan-based cyber-espionage group targeting Indian government, military, and diplomatic entities, employing diverse tactics for data theft.
  • The group has advanced its methods, notably with the development of ElizaRAT, a sophisticated Windows Remote Access Trojan (RAT) discovered in 2023, capable of operating on multiple platforms and utilizing advanced evasion techniques.
  • ElizaRAT communicates with its command-and-control infrastructure via a Telegram bot and employs tactics like credential harvesting, malware distribution, and the use of weaponized open-source frameworks.
  • APT36 has launched subsequent malware variants, including ApoloStealer and the Circle campaign, which demonstrate a modular approach to malware deployment and enhanced evasion strategies.
  • The group’s operations involve using cloud services for communication, deploying decoy documents, and employing multi-factor authentication bypass techniques to target Indian officials effectively.

APT36: Overview of the Cyber-Espionage Group

APT36, also known as Transparent Tribe, is a cyber-espionage group believed to have originated in Pakistan. This group primarily targets Indian government agencies, diplomatic personnel, and military installations. They employ a diverse range of tactics aimed at data theft and espionage, particularly in India and Afghanistan.

Recent Developments in APT36’s Operations

Recent research by Check Point has revealed significant advancements in APT36’s operational methods. A sophisticated Windows Remote Access Trojan (RAT) named ElizaRAT was first discovered in 2023. ElizaRAT has evolved to incorporate advanced evasion techniques and enhanced command-and-control (C2) capabilities. The malware is capable of operating across multiple platforms, including Windows, Linux, and Android.

APT36 utilizes a variety of tactics for cyber espionage, including credential harvesting and malware distribution. They deploy custom-built tools for remote administration, employing lightweight Python-compiled tools for both Windows and Linux systems. Additionally, they use weaponized open-source frameworks, such as Mythic, for more effective attacks. Trojanized installers of Indian government applications, including KAVACH, are used to deceive users into installing malicious software. Multi-factor authentication bypass techniques and credential phishing sites specifically target Indian officials, while Trojanized Android applications are used to extend their reach.

Characteristics and Campaigns of ElizaRAT

ElizaRAT is particularly notable for its use of a Telegram bot for initial communication with its command-and-control infrastructure. It executes attacks through CPL (C/C++ Programmable Language) files to avoid detection. Significant modifications were observed in the malware from late 2023 to early 2024, with three major campaigns highlighting its adaptability.

Key characteristics of ElizaRAT include its development in .NET and the use of embedded modules via Costura. It relies on cloud services like Google, Telegram, and Slack for distribution and C2 communication. The malware employs tactics such as deploying decoy documents to mislead victims and utilizes IWSHshell to establish persistent shortcuts on infected systems. Additionally, it generates a unique victim ID that is stored on the compromised machine for tracking purposes.

A specific campaign associated with ElizaRAT involves a malicious file named SlackAPI.dll, which is essential for the malware’s functionality and has been flagged as malicious by various security vendors. This file allows ElizaRAT to communicate with a designated Slack channel, facilitating operations such as sending, uploading, and downloading files. The malware communicates with multiple identified malicious IP addresses, underscoring its extensive network.

New Variants and Ongoing Threats

Following ElizaRAT, APT36 launched a new malware variant named ApoloStealer, compiled shortly after the original RAT. The Circle campaign, a variant of ElizaRAT, was developed in January 2024 and employs a more sophisticated approach to evade detection. This campaign utilizes a specific working directory and checks the victim’s time zone, registering victim information and retrieving the victim’s IP address from a designated URL. This further indicates a coordinated strategy with shared infrastructure and payloads.

The Google Drive campaign associated with APT36 employs Google Cloud for C2 communication and involves the download of payloads categorized as information stealers. Multiple IP addresses linked to APT36 activities have been flagged as malicious by various security vendors, demonstrating the group’s ongoing threat and their shift towards a more modular and flexible approach to malware deployment focused on data collection and theft.
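The reliance on Telegram, Slack and Google services for C2 described in this article is a pattern defenders can hunt for in endpoint network telemetry: a process that is not a browser or an official client reaching these APIs, and especially one touching several of them, stands out. The Python below is an added example, not code from the original article or from Check Point's research; it runs one such rule over constructed Sysmon-style connection events, and the service hostnames and process allowlist are assumptions to be tuned per environment.

```python
"""Flag unexpected processes talking to cloud services abused for C2."""
import json

# Public API hosts of the services named in the report (legitimate services,
# not attacker infrastructure). Assumed list; extend for your estate.
CLOUD_C2_SERVICES = {
    "api.telegram.org": "telegram",
    "slack.com": "slack",
    "www.googleapis.com": "google_drive",
}

# Processes expected to reach these services (assumed allowlist).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "telegram.exe"}

# Constructed sample of Sysmon Event ID 3 (network connection) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","dest_host":"slack.com","dest_port":443}
{"host":"ws02","image":"C:\\Users\\u\\AppData\\Roaming\\updater.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"ws02","image":"C:\\Users\\u\\AppData\\Roaming\\updater.exe","dest_host":"slack.com","dest_port":443}
{"host":"ws03","image":"C:\\Windows\\System32\\rundll32.exe","dest_host":"www.googleapis.com","dest_port":443}
{"host":"ws04","image":"C:\\Users\\u\\AppData\\Local\\slack\\slack.exe","dest_host":"slack.com","dest_port":443}
"""


def image_name(path):
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious(raw_lines):
    """Return one alert per (host, image) that reaches a listed service from an
    unexpected process. Each alert carries every distinct service the process
    touched: one implant contacting several cloud APIs is the stronger signal."""
    hits = {}
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        service = CLOUD_C2_SERVICES.get(ev["dest_host"].lower())
        if service is None or image_name(ev["image"]) in ALLOWED_IMAGES:
            continue
        hits.setdefault((ev["host"], ev["image"]), set()).add(service)
    return [
        {"host": host, "image": image, "services": sorted(services),
         "severity": "high" if len(services) > 1 else "medium"}
        for (host, image), services in sorted(hits.items())
    ]


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Feeding real Sysmon exports in the same shape lets the rule run as a scheduled hunt; tune the allowlist to the clients actually deployed, since a named binary in the allowlist is only a weak check and a path or signer check is stronger.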
