APT36 Enhances Tools for Attacking Indian Government Agencies

392/67 Wednesday, November 6, 2024

Check Point Research (CPR) recently revealed that over the past year, Pakistan’s APT36 threat group has developed a new version of the ElizaRAT malware with more sophisticated detection evasion techniques and added the ApoloStealer data theft functionality. This new toolkit targets Indian government agencies, military units, and diplomatic missions. The advanced methods employed by APT36 have made these attacks hard for defenders to detect, especially because the group uses legitimate communication platforms such as Google Drive and Slack for command and control, so its traffic blends in with ordinary use of those services and is increasingly difficult to single out on the network.

Sergey Shykevich, Threat Intelligence Manager at Check Point, stated that the latest version of ElizaRAT can be customized to suit each specific target, complicating detection efforts. The malware is deployed in stages, so that defenders who catch one stage see only part of the full malware package. One of the recent upgrades involves using Google Drive as a C2 communication channel, with the malware introduced to target systems via CPL files attached to phishing emails. When these files are opened, the malware performs various actions, such as creating the folders it needs to operate, establishing persistence on the system, and registering the victim’s device with the control server. This allows the attackers to remotely access data on, and control, the victim’s device.

APT36, also known as Transparent Tribe or Mythic Leopard, has been identified as a prominent threat group targeting Indian government entities since 2013, with a focus on continuous intelligence gathering. Recently, CPR discovered that the group has started using a new USB stealer tool called ConnectX, which scans files on USBs and other external drives connected to compromised devices, posing a risk of sensitive data exposure. According to CPR’s report, APT36 continues to employ three main attack strategies: using Slack as a C2 infrastructure, deploying droppers to penetrate systems, and utilizing Google Drive as a C2 communication channel. Shykevich noted that the use of popular cloud services like these demonstrates the group’s intent to stealthily embed within network systems while expanding its attack toolkit for greater flexibility and reach.
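The two behaviours that recur in the summary above, a CPL attachment launched from a mail client and an implant using Google Drive or Slack as its C2 channel, are both visible in ordinary endpoint telemetry. The following is an added example written for this page, not code from the CPR report or the Dark Reading article: it runs two simple detection checks over a constructed set of process-creation and network-connection events. The JSON event format, the process names, the file paths and the allow list of processes expected to contact those cloud services are all assumptions for the sake of the example.

```python
"""Added example (not from the CPR report): flag two behaviours described in the
APT36 summary over constructed endpoint telemetry.

  1. A Control Panel item (.cpl) launched by a mail client, or from a
     user-writable location, instead of from the Windows system directory.
  2. A process that is not a known browser or official client contacting
     Slack or Google Drive endpoints (cloud services abused for C2).

All events, paths and process names below are constructed sample data.
"""
import json
import re

# Assumed allow lists; a real deployment would tune these per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
CPL_LAUNCHERS = {"control.exe", "rundll32.exe"}
CLOUD_C2_DOMAINS = {"slack.com", "api.slack.com", "drive.google.com", "www.googleapis.com"}
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "googledrivefs.exe"}
# Directories an ordinary user can write to; a .cpl loaded from here is suspicious.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)

# Constructed JSON-lines telemetry (one event per line). Backslashes are
# doubled because the text is parsed as JSON.
SAMPLE_LOG = r"""
{"type": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\control.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "control.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invite.cpl"}
{"type": "process_create", "pid": 4200, "image": "C:\\Windows\\System32\\control.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "control.exe /name Microsoft.NetworkAndSharingCenter"}
{"type": "process_create", "pid": 4300, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\ncpa.cpl"}
{"type": "network_connect", "pid": 3001, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "drive.google.com"}
{"type": "network_connect", "pid": 3002, "image": "C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe", "dest_host": "api.slack.com"}
{"type": "network_connect", "pid": 5010, "image": "C:\\Users\\alice\\AppData\\Roaming\\sync.exe", "dest_host": "drive.google.com"}
{"type": "network_connect", "pid": 5010, "image": "C:\\Users\\alice\\AppData\\Roaming\\sync.exe", "dest_host": "api.slack.com"}
"""


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cpl_from_mail_client(events):
    """Return pids of CPL launches whose parent is a mail client or whose
    .cpl lives in a user-writable directory (the phishing-attachment case)."""
    hits = []
    for e in events:
        if e.get("type") != "process_create":
            continue
        cmd = e.get("cmdline", "")
        if basename(e["image"]) not in CPL_LAUNCHERS or ".cpl" not in cmd.lower():
            continue
        if basename(e["parent_image"]) in MAIL_CLIENTS or USER_WRITABLE.search(cmd):
            hits.append(e["pid"])
    return hits


def unexpected_cloud_clients(events):
    """Return (pid, host) pairs where a process outside the allow list talks
    to a Slack or Google Drive endpoint; these merit a closer look as
    possible cloud-hosted C2."""
    hits = []
    for e in events:
        if e.get("type") != "network_connect":
            continue
        host = e["dest_host"].lower()
        if host in CLOUD_C2_DOMAINS and basename(e["image"]) not in EXPECTED_CLOUD_CLIENTS:
            hits.append((e["pid"], host))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("CPL launched from mail client / user path:", cpl_from_mail_client(evts))
    print("Unexpected processes contacting cloud services:", unexpected_cloud_clients(evts))
```

The first check deliberately leaves the legitimate `ncpa.cpl` launch from Explorer alone, and the second ignores Chrome and the official Slack client, so the only findings are the CPL opened from an Outlook child process and the unknown binary in the user's roaming profile beaconing to both services. Neither check identifies ElizaRAT on its own; they surface the kind of event a hunt for this activity would start from.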

Source: https://www.darkreading.com/cyberattacks-data-breaches/apt36-refines-tools-attacks-indian-targets