Carding
Professional
Zscaler ThreatLabZ has analyzed the updated APT36 arsenal, noting new attack vectors, cyber espionage utilities for Linux and backdoors for Windows that have targeted the Indian public sector since July 2023.
Based in Pakistan, APT36 has a track record of conducting targeted espionage campaigns in South Asia. The group has been active since 2013 and primarily targets the Indian government, defense and education sectors.
As a rule, APT36 uses custom-built remote administration tools for Windows, cyber espionage tools for Windows and Linux written in Python, the open-source Mythic C2 framework, trojanized application installers (including for Android), and phishing.
We will not go into the technical details, but the main point is that the attacker has acquired an updated, full-featured Windows RAT, new tools for cyber espionage on Linux systems (GLOBSHELL, PYSHELLFOX), new distribution methods and additional attack vectors.
The new Windows RAT, called ElizaRAT, is delivered as a .NET binary and establishes a C2 channel via the Telegram API, which gives the attackers full control over the target endpoint.
It is distributed through password-protected archives linked from Google Drive.
All of the .NET binaries are 4 to 16 MB in size, compiled as Control Panel applets (CPL) and carry the ".cpl" file extension. This is the first time APT36 has used the CPL file format in an attack.
To persist on the infected machine, the bot creates a Windows shortcut (LNK) file in the startup directory.
A new attack vector is the use of Linux desktop entry files targeting endpoints in the Indian government sector. So far, the research team has found three samples, each with 0 detections on VirusTotal.
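As an added example (not tooling from the Zscaler report or from the APT36 samples it describes), the script below shows how a defender can triage Linux desktop entry files: it parses the `[Desktop Entry]` group with the standard library and tags launchers whose `Exec=` line runs a shell or script interpreter, invokes a download tool, points into a staging directory, or carries a document-like name while hiding its console. The category names, the interpreter and directory lists, and both sample entries are assumptions constructed for this example, not indicators from the campaign.

```python
"""Heuristic review of Linux desktop entry (.desktop) files.

Added example, not code from the Zscaler report: it parses the
[Desktop Entry] group and flags launchers that run a shell or script
interpreter, fetch content, execute from staging directories, or carry a
document-like name. Tag names and lists below are assumptions.
"""
import configparser
import re
import shlex
from pathlib import Path

SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh"}
SCRIPT_INTERPRETERS = {"python", "python2", "python3", "perl", "ruby"}
FETCH_TOOLS = {"curl", "wget"}
# Writable locations a legitimate launcher rarely points at (assumed list).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.cache/")
DOCUMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt|txt)\b", re.IGNORECASE)
FIELD_CODE = re.compile(r"%[a-zA-Z%]")  # Desktop Entry field codes such as %f, %U


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # spec keys are case-sensitive
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("missing [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def exec_tokens(exec_line):
    """Split Exec= shell-style and drop field codes."""
    try:
        tokens = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = exec_line.split()
    return [t for t in tokens if not FIELD_CODE.fullmatch(t)]


def assess_desktop_entry(text):
    """Return a list of finding tags for one entry (empty list = nothing odd)."""
    entry = parse_desktop_entry(text)
    findings = []
    exec_line = entry.get("Exec", "")
    tokens = exec_tokens(exec_line)
    if not tokens:
        return findings
    program = Path(tokens[0]).name
    if program in SHELL_INTERPRETERS:
        findings.append("exec-shell")
        if "-c" in tokens[1:]:
            findings.append("inline-shell-command")
    elif program in SCRIPT_INTERPRETERS:
        findings.append("exec-script-interpreter")
    if {Path(t).name for t in tokens} & FETCH_TOOLS:
        findings.append("downloads-content")
    if any(d in exec_line for d in STAGING_DIRS):
        findings.append("runs-from-staging-dir")
    runs_interpreter = program in SHELL_INTERPRETERS or program in SCRIPT_INTERPRETERS
    if runs_interpreter and entry.get("Terminal", "false").lower() == "false":
        findings.append("hidden-interpreter")  # no terminal window, nothing visible to the user
    if DOCUMENT_NAME.search(entry.get("Name", "")):
        findings.append("document-lookalike-name")
    return findings


def scan_directory(directory):
    """Assess every *.desktop file under directory; returns {path: findings}."""
    results = {}
    for path in Path(directory).rglob("*.desktop"):
        try:
            findings = assess_desktop_entry(path.read_text(errors="replace"))
        except (ValueError, configparser.Error):
            findings = ["unparseable"]
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples for this example, not files from the campaign.
BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
Terminal=false
Categories=Utility;TextEditor;
"""

SUSPICIOUS_ENTRY = """[Desktop Entry]
Type=Application
Name=Budget_Report.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "python3 /tmp/.cache/viewer.py"
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ENTRY), ("suspicious", SUSPICIOUS_ENTRY)):
        print(label, assess_desktop_entry(sample))
```

Run `scan_directory` over user download folders, `~/.local/share/applications` and `~/.config/autostart` to get a per-file list of tags; a launcher that collects several tags at once (interpreter plus staging directory plus document-like name) is worth a closer look, while a single tag on its own is often a legitimate wrapper script.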
At the same time, the attacker uses various tricks to hide any connection with Pakistan, carefully selecting infrastructure and artifacts so that the activity appears to originate from India.
However, in some cases APT36 has reused the same C2 infrastructure for both phishing attacks and the distribution of malicious binaries.
According to the researchers, this sudden shift is driven by the wide use of Linux-based operating systems in India's public sector and by the recent announcement that Maya OS is to replace Microsoft Windows in the public and defense sectors.