ElizaRAT is a type of malware that primarily targets Windows systems and functions as a RAT. It enables threat actors to gain unauthorized access to infected machines.
This malware is often distributed through phishing campaigns or malicious downloads.
CheckPoint researchers recently identified that APT36 hackers have been actively attacking high-profile users of Windows devices with ElizaRAT.
APT36 Group Attacking Windows Systems
APT36 (aka “Transparent Tribe”) is a Pakistan-based APT group that directs sophisticated “cyber-espionage campaigns” targeting “Indian government” and “military institutions” via Windows RAT dubbed “ElizaRAT.”
ElizaRAT was initially identified in 2023, and since then, it has evolved significantly by incorporating advanced features like:-
- Control Panel (.CPL) file execution
- Cloud-based C2 infrastructure (using Slack, channels, Google Drive, and VPS)
The technical architecture of the malware offers “.NET” framework implementation with “Costura for assembly embedding,” “SQLite database integration for local data storage,” and “IWSHshell for Windows shortcut creation.”
Besides this, the infection chain of ElizaRAT begins with “phishing emails” containing malicious “CPL” files distributed via “Google Storage links.”
Once executed, it establishes persistence by creating a “unique victim ID,” “setting up working directories in %appdata%,” and deploying secondary payloads like “ApoloStealer.”
The Checkpoint report states that this stealer component targets sensitive file types (“.doc,” “.pdf,” “.ppt,” “.xls”) and performs “systematic data exfiltration” via encrypted channels.
The malware employs sophisticated evasion techniques like:-
- Time zone verification checks for India Standard Time.
- Maintains reliability via various C2 communication methods.
- Ranging from Slack API calls to Google Cloud Storage service account authentication using X.509 certificates.
Each campaign variant illustrates increasingly sophisticated capabilities while maintaining the core objective of persistent data theft from targeted “Indian institutions.” ‘ConnectX’ is a USB-targeting malware component within the ElizaRAT ecosystem.
It employs “WMI” to continuously monitor system events every 2 seconds using the following query to detect USB drive insertions:-
- SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA ‘Win32_DiskDrive’
Moreover, it gathers files from “external drives” by collecting “device IDs” and “serial numbers” upon detection.
Then it stores the stolen data in a “ZIP archive” within the “%appdata%BaseFilteringEngine” working directory.
The attribution of the malware to “Transparent Tribe” is supported by consistent use of the identifier “Apolo Jones” across various components like the password “ApoloJones2024” for ZIP compression and function naming in “SlackFiles.dll payload.”
For C&C infrastructure along with the deployment of modular payloads like “ApolloStealer,” the malware offers integration with major cloud services (‘Google Drive,’ ‘Telegram,’ and ‘Slack’). This shows the evolving sophistication of the threat actor in “cyber espionage operations.”
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!