ElizaRAT Leveraging Google, Telegram, and Slack Services For C2 Communication


ElizaRAT is a Windows Remote Access Trojan (RAT) developed by APT36 (also known as Transparent Tribe) that has continued to evolve since it was first identified in 2023.

This Pakistan-based threat actor group is known for targeting Indian government agencies, diplomatic personnel, and military installations.

The group has also broadened the platforms it targets, which now include Windows, Linux, and Android systems.

The threat group behind ElizaRAT is tracked under several other names:

Different Names of APT36 (Source – Reco)

Security analysts at Reco found that ElizaRAT demonstrates several advanced capabilities:

  • Written in .NET with embedded .NET and assembly modules
  • Execution through .CPL (Control Panel item) files for evasion
  • Use of cloud services (Google, Telegram, Slack) for distribution and C2 communication
  • Deployment of decoy documents or videos
  • Use of IWshShell (the WScript.Shell COM interface) for persistence
  • SQLite for temporary file storage
  • Unique victim ID generation and storage
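The .CPL execution technique above is worth a detection rule of its own: when a user double-clicks a .cpl file, Windows launches control.exe, which in turn runs rundll32.exe with shell32.dll,Control_RunDLL and the path of the .cpl, so a .cpl loaded from a user-writable directory rather than the Windows system directories stands out. The following is an added example, not code from the article or from Reco: it runs a simple version of that check over a handful of constructed process-creation events written in a flattened key=value style (the event format, the file names such as Brochure.cpl and SlackAPI.cpl, and the paths are all assumptions made for the demonstration).

```python
import re
from dataclasses import dataclass

# Constructed sample events (Sysmon Event ID 1 style, flattened to one line each).
# These are made-up examples for the demonstration, not real telemetry.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\control.exe|CommandLine="C:\Windows\System32\control.exe" "C:\Users\victim\AppData\Local\Temp\Brochure.cpl"|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL C:\Users\victim\Downloads\SlackAPI.cpl|ParentImage=C:\Windows\System32\control.exe',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\victim\notes.txt|ParentImage=C:\Windows\explorer.exe',
]

# Processes that legitimately host Control Panel items.
CPL_HOST_IMAGES = {"control.exe", "rundll32.exe"}
# .cpl files shipped with Windows live here; anything else is worth a look.
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A drive-letter path ending in .cpl, quoted or not (quotes and '|' end the match).
CPL_PATH_RE = re.compile(r'([A-Za-z]:\\[^"|]*?\.cpl)\b', re.IGNORECASE)


@dataclass
class Alert:
    image: str
    cpl_path: str
    parent: str


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_cpl_launch(event):
    """Return an Alert when a .cpl outside the Windows directories is loaded
    by control.exe or rundll32.exe, otherwise None."""
    image = basename(event.get("Image", ""))
    if image not in CPL_HOST_IMAGES:
        return None
    match = CPL_PATH_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    cpl_path = match.group(1)
    if cpl_path.lower().startswith(TRUSTED_CPL_DIRS):
        return None  # built-in Control Panel item, e.g. intl.cpl
    return Alert(image=image, cpl_path=cpl_path,
                 parent=basename(event.get("ParentImage", "")))


def scan(lines):
    """Run the check over a list of flattened events and collect the hits."""
    alerts = []
    for line in lines:
        alert = is_suspicious_cpl_launch(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.image} loaded {alert.cpl_path} (parent: {alert.parent})")
```

Of the four constructed events, only the two that load a .cpl from the user's profile are flagged; the built-in intl.cpl and the unrelated notepad.exe launch pass. In a real environment the trusted-directory list should also cover third-party software that installs its own Control Panel items, and the rule pairs well with a check on who signed the .cpl.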


Campaign Analysis

Slack Campaign

The Slack campaign uses a file called SlackAPI.dll for its core functionality:

  • Uses Slack’s API for C2 communication
  • Employs CPL files for malware delivery
  • Checks for new instructions every 60 seconds
  • Sends and receives messages through specific Slack channels
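Because the C2 channel rides on a legitimate, widely used service, blocking the destination is rarely an option; what gives the implant away is the fixed 60-second polling interval described above, which no human user of Slack produces. The following is an added example, not code from the article or from Reco, showing a timing-regularity check run over constructed proxy log lines: it groups requests by client and destination host, computes the gaps between consecutive requests, and flags pairs whose gaps have a very low coefficient of variation. The log format, the IP addresses, the Slack API path and the thresholds are assumptions made for the demonstration; the same check applies unchanged to the Google Drive and Telegram channels, only the destination host differs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def build_sample_log():
    """Constructed proxy log lines, not real traffic.

    Format: "<ISO timestamp> <client ip> <dest host> <path>"
    """
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Infected host: polls the Slack API roughly every 60 s for 20 minutes.
    # The (i % 3) - 1 term adds about a second of timing noise either way.
    for i in range(20):
        ts = base + timedelta(seconds=60 * i + (i % 3) - 1)
        lines.append(f"{ts.isoformat()} 10.0.0.12 slack.com /api/conversations.history")
    # Human user of the same service: bursts of activity with long, uneven gaps.
    for off in (0, 3, 9, 70, 75, 200, 260, 265, 600, 610, 900, 1190):
        ts = base + timedelta(seconds=off)
        lines.append(f"{ts.isoformat()} 10.0.0.40 slack.com /api/conversations.history")
    return sorted(lines)


def find_beacons(lines, min_hits=10, max_cv=0.10):
    """Return (client, host, period_seconds, cv) for every client/host pair
    whose request intervals are too regular to be human.

    cv is the coefficient of variation of the gaps (std dev / mean): a
    fixed-interval poller scores near zero, a person scores far higher.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ts, client, host, _path = line.split(" ", 3)
        stamps_by_pair[(client, host)].append(datetime.fromisoformat(ts))

    alerts = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            alerts.append((client, host, round(median(gaps)), round(cv, 3)))
    return alerts


if __name__ == "__main__":
    for client, host, period, cv in find_beacons(build_sample_log()):
        print(f"beacon: {client} -> {host} every ~{period}s (cv={cv})")
```

Only the 10.0.0.12 host is reported, with a period of about 60 seconds; the human client makes enough requests to be evaluated but its irregular gaps push the coefficient of variation well above the threshold. An implant that adds randomized jitter to its sleep will raise the cv, so the threshold should be tuned against a baseline of your own traffic, and the result is best combined with process-level telemetry (which binary on the host is talking to the API) rather than used on its own.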

Circle Campaign

Launched in January 2024, the Circle campaign introduces new evasion techniques:

  • Uses a dropper component for improved stealth
  • Employs a VPS instead of cloud services
  • Checks whether the host's time zone is Indian Standard Time, a simple target-selection check
  • Registers victim information in specific files
  • Communicates with a dedicated server for data exfiltration
Circle Chain Infection (Source – Reco)

Google Drive Campaign

This campaign uses Google Drive, part of Google's cloud services, for C2 communication:

  • Downloads payloads from multiple VPS hosts
  • Utilizes two main payloads: extensionhelper_64.dll and ConnectX.dll
  • Renames payloads to mimic legitimate software (e.g., SpotifyAB.dll)

Infrastructure Analysis

Several IP addresses have been identified as part of ElizaRAT’s infrastructure:

  • 84.247.135.235: Flagged as malicious by multiple vendors
  • 143.110.179.176: Marked as malicious or suspicious
  • 64.227.134.248: Associated with malicious DLLs
  • 38.54.84.83: Linked to Circle.dll and reported for brute-force attempts
  • 83.171.248.67: Flagged as malicious and hosts vulnerable services

ElizaRAT represents a significant evolution in APT36’s cyber espionage capabilities.

By leveraging popular cloud platforms and employing sophisticated evasion techniques, the malware poses a serious threat to its targets.

The modular approach and introduction of new payloads like ApolloStealer demonstrate APT36’s commitment to refining their tools for maximum effectiveness in data theft and espionage operations.



