APT36 Goes Cloudy ElizaRAT Puts Indian Systems in the Crosshairs
Threat Group: APT36 (Transparent Tribe)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Windows, Linux-based espionage with cloud-based C2 communication
Malware Used: ElizaRAT, ApoloStealer
Threat Score: High (8.8/10) — Enhanced evasion and control tactics, leveraging multiple cloud services for concealment
Last Threat Observation: November 2024 (AlienVault, Check Point Research)
Overview
APT36, also known as Transparent Tribe, is a Pakistan-based APT group targeting Indian government and military entities. Recently, their campaigns have evolved to utilize ElizaRAT, a Remote Access Tool, now integrated with enhanced evasion techniques and sophisticated command-and-control (C2) communication strategies through cloud services like Google Drive, Telegram, and Slack. Notably, ElizaRAT has been paired with ApoloStealer payloads, allowing attackers to gather sensitive information from compromised systems. The RAT employs various techniques to avoid detection, including time zone checks to exclusively target Indian systems.
Key Details
- Platform and Development: .NET-based malware primarily targeting Windows systems, disguised as Control Panel applets (CPL), aiding in evasion.
- Distribution Methods: Phishing emails with password-protected archive files hosted on Google Drive, containing malicious CPL files. Recent versions leverage Slack, Google Drive, and Telegram for distribution and C2 operations.
- Execution Mechanism: Execution starts in the CplApplet() and MainAsync() functions, which run the core malicious activities.
- Command and Control (C2) Communication: Uses Telegram, Google Drive, and Slack for remote command execution and data exfiltration, creating a challenging detection landscape.
- Capabilities: Commands supported include:
  - /dir: Directory listing
  - /upload: File exfiltration
  - /getprocess: Process listing
  - /run: Executes specified programs
  - /delete: Deletes specified files
  - /end: Terminates processes
  - /online: Checks system status
  - /identity: Connects to specified URLs
  - /ping: Verifies connectivity
  - /scr: Takes screenshots
  - /createdir: Creates directories
- ApoloStealer Module: Captures system data and exfiltrates sensitive information, enhancing espionage capabilities.
- Persistence Mechanism: Uses a Windows shortcut (LNK) in the Startup directory, disguised as a legitimate application, to ensure activation at startup.
- Decoy Content: Displays a decoy PDF upon execution to simulate legitimate activity.
- Targeted Regions: Indian government and military sectors, specifically targeting Indian time zones as a method of regional exclusivity.
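The Startup-folder LNK persistence and the CPL disguise listed above are something a defender can audit directly. The following is an added example, not code from this advisory or from Check Point Research: a minimal reader for the documented MS-SHLLINK shortcut format that extracts each shortcut's target and arguments and flags the two traits this report associates with ElizaRAT (a Control Panel applet being launched, or a launch path under a user-writable directory). The heuristics, the `build_lnk` helper and the sample shortcut are constructed for the demo.

```python
import struct

# LinkFlags bits, StringData order and the LinkInfo flag from MS-SHLLINK (format constants).
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # Name, RelativePath, WorkingDir, Arguments, Icon
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data: bytes) -> dict:
    """Minimal .lnk reader: returns the shortcut's target path and command-line arguments."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, target = 76, ""
    if flags & HAS_ID_LIST:                      # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _, li_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    width, strings = (2 if flags & IS_UNICODE else 1), {}
    for bit in STRING_FLAGS:                     # StringData blocks appear in this fixed order
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width
            strings[bit] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n
    return {"target": target, "args": strings.get(HAS_ARGS, "")}

def startup_lnk_findings(data: bytes) -> list:
    """Heuristics from the report: a CPL being launched, or a launch path in a user-writable directory."""
    link = parse_lnk(data)
    t, a, findings = link["target"].lower(), link["args"].lower(), []
    if t.endswith(".cpl") or ".cpl" in a:
        findings.append("launches a Control Panel applet")
    if any(p in t or p in a for p in USER_WRITABLE):
        findings.append("launch path or argument points into a user-writable directory")
    return findings

def build_lnk(target: str, args: str = "") -> bytes:
    """Constructed sample: build a minimal ANSI .lnk so the demo runs without a Windows host."""
    flags = HAS_LINK_INFO | (HAS_ARGS if args else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    volume = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"      # 17-byte VolumeID, empty label
    base = target.encode("latin-1") + b"\x00"
    info = struct.pack("<7I", 46 + len(base), 28, 1, 28, 45, 0, 45 + len(base)) + volume + base + b"\x00"
    return header + info + (struct.pack("<H", len(args)) + args.encode("latin-1") if args else b"")
```

On a live host, feed `startup_lnk_findings` the bytes of every .lnk under the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users one under ProgramData.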
Attack Vectors
ElizaRAT’s recent variants emphasize evasion and regional targeting. Phishing emails deliver password-protected archives via Google Drive, deploying .NET CPL files for stealth. Leveraging multiple cloud services (Google Drive, Telegram, and Slack), ElizaRAT conducts C2 operations with agility, using VPS for secure, concealed communication channels. Time zone checks ensure attacks are targeted exclusively at Indian entities.
Known Indicators of Compromise (IoCs)
IP Addresses
- 84[.]247[.]135[.]235
- 143[.]110[.]179[.]176
- 38[.]54[.]84[.]83
- 64[.]227[.]134[.]248
- 83[.]171[.]248[.]67
Mitigation and Prevention
- User Awareness: Equip users to recognize suspicious CPL files within archives, particularly from unverified Google Drive or Slack links.
- Email Filtering: Enforce strict email filters for attachments from cloud services or password-protected files.
- Endpoint Detection and Response (EDR): Use solutions capable of identifying unusual C2 activity and cloud service usage, particularly involving Telegram or Slack.
- Two-Factor Authentication (2FA): Deploy 2FA across sensitive accounts to secure access.
- Regular Log Reviews: Monitor logs for signs of unusual C2 communications using cloud services.
- System and Application Patching: Keep defenses updated, especially on Windows platforms, against CPL execution vulnerabilities and common RAT tactics.
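To make the EDR and log-review recommendations above (and the cloud-based C2 described under Attack Vectors) concrete, here is an added example that is not part of the advisory: it triages constructed network-event lines and flags processes reaching the Telegram, Slack and Google Drive API hosts when the process is a CPL host, runs from a user-writable path, fans out across several cloud services, or beacons at a fixed interval. The log format, the host-to-service mapping, the client allowlist and the jitter threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
# API hosts for the cloud services the report names as C2 channels (mapping is an assumption).
CLOUD_C2_HOSTS = {"api.telegram.org": "Telegram", "slack.com": "Slack", "hooks.slack.com": "Slack",
                  "www.googleapis.com": "Google Drive", "drive.google.com": "Google Drive"}
CPL_HOSTS = ("control.exe", "rundll32.exe")      # processes that host Control Panel applets
KNOWN_CLIENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "telegram.exe")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
LINE = re.compile(r"^(\S+) host=(\S+) image=(\S+) dst=(\S+)$")   # constructed log format

def triage(lines):
    """Group cloud-service connections by (host, image) and explain why each group looks like C2."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, image, dst = m.groups()
        service = CLOUD_C2_HOSTS.get(dst.lower())
        if service and image.lower().rsplit("\\", 1)[-1] not in KNOWN_CLIENTS:
            events[(host, image)].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), service))
    findings = []
    for (host, image), evs in events.items():
        low, reasons = image.lower(), []
        if low.rsplit("\\", 1)[-1] in CPL_HOSTS:
            reasons.append("CPL host process")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("binary in user-writable path")
        services = sorted({s for _, s in evs})
        if len(services) > 1:
            reasons.append("multiple cloud services: " + ", ".join(services))
        times = sorted(t for t, _ in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 3 and pstdev(gaps) < 0.1 * (sum(gaps) / len(gaps)):   # low jitter = beacon
            reasons.append(f"regular beacon (~{sum(gaps) / len(gaps):.0f}s)")
        if reasons:
            findings.append({"host": host, "image": image, "reasons": reasons})
    return findings

# Constructed sample events (not real telemetry): a CPL host beaconing, a browser, a dropped binary.
SAMPLE_LOG = r"""
2024-11-05T09:00:00Z host=WS01 image=C:\Windows\System32\control.exe dst=api.telegram.org
2024-11-05T09:05:00Z host=WS01 image=C:\Windows\System32\control.exe dst=api.telegram.org
2024-11-05T09:10:00Z host=WS01 image=C:\Windows\System32\control.exe dst=api.telegram.org
2024-11-05T09:15:00Z host=WS01 image=C:\Windows\System32\control.exe dst=www.googleapis.com
2024-11-05T09:01:13Z host=WS02 image=C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe dst=slack.com
2024-11-05T09:07:42Z host=WS03 image=C:\Users\alice\AppData\Roaming\Updater\svc.exe dst=slack.com
""".strip().splitlines()
```

Running `triage(SAMPLE_LOG)` reports WS01 (CPL host, two services, 300 s beacon) and WS03 (binary under AppData) while the browser on WS02 is ignored as a known client.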
Evolution and Adaptation
APT36’s tactics indicate a clear evolution in ElizaRAT’s capabilities, including the addition of Linux-compatible attack vectors. Through ApoloStealer, APT36 expands its espionage arsenal with enhanced data collection, while adopting new cloud-based C2 channels like Slack and Telegram. The group’s adaptability in leveraging accessible cloud infrastructure for C2 emphasizes the critical need for proactive defenses in targeted regions.
ATT&CK Techniques
Relevant MITRE ATT&CK IDs include:
- T1053.005 - Scheduled Task
- T1113 - Screen Capture
- T1033 - System Owner/User Discovery
- T1204.002 - Malicious File
- T1566.001 - Spearphishing Attachment
- T1082 - System Information Discovery
- T1071 - Application Layer Protocol
- T1140 - Deobfuscate/Decode Files
- T1036 - Masquerading
- T1016 - System Network Configuration Discovery
- T1083 - File and Directory Discovery
- T1057 - Process Discovery
- T1059.001 - PowerShell
- T1547.001 - Registry Run Keys / Startup Folder
- T1078 - Valid Accounts
- T1027 - Obfuscated Files or Information
- T1518.001 - Security Software Discovery
- T1105 - Ingress Tool Transfer
Podcast Discussion
For expert insights, listen to our latest podcast episode on APT36’s evolution and ElizaRAT’s expanding tactics across cloud infrastructures.
Conclusion
ElizaRAT’s evolution highlights APT36’s commitment to advanced espionage in India. Its sophisticated use of cloud services for C2, integration of ApoloStealer, and regional targeting tactics require heightened vigilance. Through proactive monitoring, employee education, and layered defense strategies, organizations can improve resilience against APT36’s advanced tactics.
Sources:
- Check Point Research - Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT
- Open Security Labs - APT36’s Cyber Arsenal: ElizaRAT and Innovative Linux Attack Vectors
- Zscaler ThreatLabz - A peek into APT36’s updated arsenal