APT36 Customized Malware to Attack Indian Government Servers


APT36 is a highly sophisticated APT (Advanced Persistent Threat) group that is known for conducting targeted espionage in South Asia and is strongly linked to Pakistan.

While this APT group is known for targeting the following Indian sectors:-

  • Government
  • Defense
  • Education

Since 2013, this APT group has been active, and to conduct cyberespionage, it uses the following methods:-

Here below, we have mentioned the resources used by APT36:-

  • Custom-built remote administration tools targeting Windows
  • Lightweight Python-compiled cyber espionage tools serving specific purposes targeting Windows and Linux
  • Weaponized open-source C2 frameworks like Mythic
  • Trojanized installers of Indian government applications like KAVACH multi-factor authentication
  • Trojanized Android apps
  • Credential phishing sites targeting Indian government officials

Zscaler analysts dubbed the Windows backdoor used by APT36 ‘ElizaRAT,’ because of unique strings in observed C2 commands.

APT36 Employing Customized Malware

ElizaRAT, delivered as .NET binaries in password-protected Google Drive archives, deploys as a Control Panel applet, launching CplApplet() and Main() functions that lead to malicious operations in MainAsync().

Each infected machine gets a unique identifier by combining the processorID and UUID with a ‘.cookie’ extension, serving as both UUID and username.

APT36 Customized Malware
UUID and username (Source – Zscaler)

Here below, we have mentioned all the supported C2 commands:-

  • /dir
  • /upload
  • /getprocess
  • /run
  • /delete
  • /end
  • /online
  • /identity
  • /ping
  • /scr
  • /createdir

The bot generates a Windows shortcut (LNK) to ensure persistence in the Startup directory. It disguises itself as a ‘Text Editing APP for Windows,’ executing the Control Panel applet via rundll32.

The Program class’s dosome() method displays a distraction decoy PDF from the .NET binary’s resources, designed to mislead the user into thinking an error occurred.

Fake error
Fake error (Source – Zscaler)

APT36’s unique use of Linux desktop entry files in rare attacks is a first, with three undetected samples found since its inception in May 2023, used in a phishing scheme against the Indian government.

The cross-platform Linux payload, designed for Linux and WSL machines and lacking a complete C2 mechanism, suggests an initial test in its developmental phase by the threat actor.

APT36 Customized Malware
Content inside the decoy PDF file (Source – Zscaler)

The PDF mimics an Indian Defence Ministry document detailing a Saudi delegation’s discussion with Indian military medics.

Python-Based Cyber Espionage Utilities

APT36 uses Python-based ELF binaries for cyber espionage, targeting the Indian govt, Windows, and Linux systems. Here below, we have mentioned all the new Python-based cyber espionage utilities:-

Moreover, the ElizaRAT, distributed via harmful Google Drive links, allowed researchers to extract data about the Drive’s owner and linked email.

IOCs

APT36 Customized Malware
IOCs (Source – Zscaler)

Keep informed about the latest cybersecurity news by following us on Google News, Linkedin, Twitter, and Facebook.





Source link