Introduction

Transparent Tribe [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as APT36 [2] [4] [5] [6] [8], is a sophisticated advanced persistent threat (APT) group affiliated with Pakistan. Over the past decade [9], it has intensified its cyber espionage activities against Indian-associated entities, including government organizations [6] [8], military facilities [2] [6] [8] [9], and diplomatic personnel [2] [5] [6] [9]. Recently, the group has introduced a new malware, ElizaRAT [1] [2] [3] [4] [5] [6] [7] [8] [9], which has been used in several successful campaigns targeting these entities. This malware has evolved significantly [8], showcasing increased sophistication in its execution methods [8], detection evasion [2] [4] [8], and command-and-control (C2) capabilities [5] [6] [8] [9].

Description

Transparent Tribe [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as APT36 [2] [4] [5] [6] [8], is a Pakistan-affiliated advanced persistent threat (APT) group that, for over a decade [9], has steadily escalated its cyber espionage against Indian-associated entities, including governmental organizations [6] [8], military facilities [2] [6] [8] [9], and diplomatic personnel [2] [5] [6] [9]. Recently, the group has employed a new malware family named ElizaRAT in several successful campaigns against these targets [6]. Since at least September 2023 [4], ElizaRAT has evolved considerably [2] [6], with each iteration showing greater sophistication in its execution methods [5] [6] [8], detection evasion [2] [4] [8], and command-and-control (C2) capabilities [5] [6] [8] [9].

Primarily developed in .NET [7], ElizaRAT targets Windows systems and is delivered as Control Panel applet (CPL) files, a file type that is executed by the Control Panel host rather than double-clicked as an obvious executable, which helps it evade casual scrutiny [7]. Infections typically begin with a CPL file distributed through spear-phishing emails, either as a direct attachment or inside a password-protected archive hosted on Google Drive. Once executed, the CPL file initiates the infection [9], giving the attackers remote access and enabling core capabilities such as directory listing, file exfiltration [2] [3] [7] [8] [9], process listing [7], and screenshot capture [7]. The malware employs several evasion techniques [7], authenticates its communications using X.509 certificates, and routes its C2 traffic through popular cloud services such as Google Drive, Slack [1] [2] [4] [5] [7] [8], and Telegram. Because that traffic terminates at legitimate, widely used domains, domain-based blocklists are of little help; detection has to rely on context, such as which process is talking to the cloud API and how the CPL file arrived on disk.

All variants of ElizaRAT check that the infected system's time zone is set to India Standard Time, underscoring the group's clear focus on Indian targets. This has a practical consequence for analysts: a sample detonated in a sandbox configured for another time zone may simply exit without exhibiting its C2 behaviour. From late 2023 to early 2024 [5] [8], Transparent Tribe ran three distinct campaigns, each using a different ElizaRAT version to extract sensitive information from compromised systems [5]. The first campaign [5], referred to as the Slack campaign [4], used Slack channels for C2 communication and introduced a new payload named ApolloStealer [5], which catalogues files of interest on the victim's device in a local database and exfiltrates them to an attacker-controlled server [1].

The second campaign [5], dubbed "Circle," began in January 2024 and featured enhanced evasion capabilities [5]. It used a dropper component that deploys decoy files [1], including PDF and MP4 documents, while collecting the victim's IP address and time zone [1]. This variant performs the same India Standard Time check and can execute commands issued by the attacker. The third campaign used Google Drive for C2 and deployed specialized payloads aimed at information theft [5], including a new USB stealer called ConnectX [9], which examines files on external drives connected to compromised devices [9].
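The behaviours described across the three campaigns above (CPL-based initial execution, C2 over legitimate cloud APIs, the India Standard Time gate, and ConnectX-style collection from removable drives) map onto a handful of telemetry-driven hunting rules. The following is an added example written for this page; it is not code from the original article or from any of the cited vendors. The event records and host names are constructed for the demonstration, the field names (`type`, `pid`, `image`, `cmdline`, `dest_host`, `drive_type`) are assumptions standing in for whatever an EDR or Sysmon pipeline emits, and the cloud API host list is derived only from the services named in the text, not from any published indicator list.

```python
"""Hunting heuristics for the ElizaRAT tradecraft described in the text.

Added example, not code from the original page or its sources. Event
schema, thresholds and sample data are assumptions chosen for the demo.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Cloud services the text names as ElizaRAT C2 channels (assumed API hosts).
CLOUD_C2_HOSTS = {"slack.com", "api.telegram.org", "www.googleapis.com"}
# Processes expected to talk to those services; anything else is suspicious.
TRUSTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                         "slack.exe", "telegram.exe"}
# Windows launches a .cpl via control.exe, which hands it to rundll32.exe.
CPL_LOADERS = {"control.exe", "rundll32.exe"}
# Locations a phishing-delivered archive or attachment typically lands in.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_cpl_from_user_path(ev: Event) -> bool:
    """Rule 1: a Control Panel applet executed from a user-writable path."""
    if ev["type"] != "process" or basename(str(ev["image"])) not in CPL_LOADERS:
        return False
    cmd = str(ev["cmdline"])
    return ".cpl" in cmd.lower() and USER_WRITABLE.search(cmd) is not None


def is_cloud_c2_from_odd_process(ev: Event) -> bool:
    """Rule 2: a non-client process connecting to a cloud API used as C2."""
    if ev["type"] != "network":
        return False
    host = str(ev["dest_host"]).lower()
    if not any(host == h or host.endswith("." + h) for h in CLOUD_C2_HOSTS):
        return False
    return basename(str(ev["image"])) not in TRUSTED_CLOUD_CLIENTS


def removable_drive_bursts(events: List[Event], threshold: int = 20) -> Set[int]:
    """Rule 3: one process reading many files from a removable drive (ConnectX-like)."""
    reads = Counter(int(ev["pid"]) for ev in events
                    if ev["type"] == "file" and ev.get("drive_type") == "removable")
    return {pid for pid, n in reads.items() if n >= threshold}


def ist_gate_passes(utc_offset_minutes: int) -> bool:
    """Mirror of the time-zone gate: IST is UTC+05:30, i.e. 330 minutes.
    Use it to sanity-check a sandbox before detonating a sample."""
    return utc_offset_minutes == 330


def run_rules(events: List[Event], usb_threshold: int = 20) -> List[Tuple[str, int]]:
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if is_cpl_from_user_path(ev):
            findings.append(("cpl_from_user_writable_path", int(ev["pid"])))
        if is_cloud_c2_from_odd_process(ev):
            findings.append(("cloud_api_from_unexpected_process", int(ev["pid"])))
    for pid in sorted(removable_drive_bursts(events, usb_threshold)):
        findings.append(("removable_drive_read_burst", pid))
    return findings


# Constructed sample telemetry: one infected process (pid 4120) plus benign noise.
EVENTS: List[Event] = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\anita\Downloads\Agenda\notice.cpl"'},
    {"type": "process", "pid": 4200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl"},
    {"type": "network", "pid": 4120, "image": r"C:\Users\anita\AppData\Roaming\notice.exe",
     "dest_host": "slack.com", "dest_port": 443},
    {"type": "network", "pid": 3312, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "slack.com", "dest_port": 443},
]
EVENTS += [{"type": "file", "pid": 4120, "image": r"C:\Users\anita\AppData\Roaming\notice.exe",
            "path": f"E:\\docs\\{i}.docx", "drive_type": "removable"} for i in range(25)]
EVENTS += [{"type": "file", "pid": 1000, "image": r"C:\Windows\explorer.exe",
            "path": f"E:\\photos\\{i}.jpg", "drive_type": "removable"} for i in range(3)]

if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule}: pid {pid}")
```

On the sample data only pid 4120 trips all three rules: the legitimate `intl.cpl` launch and Chrome's Slack session are ignored, and Explorer's three reads stay under the burst threshold. In production the threshold and the trusted-client list need tuning per environment, and the time-zone helper is there to remind analysts that a sample run outside UTC+05:30 may never reach its C2 stage.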

These advancements in ElizaRAT reflect APT36's steady refinement of its malware [2] and the growing sophistication of its espionage tradecraft [5]. The addition of ApolloStealer and ConnectX to its arsenal widens the range of data the group can collect [7] and underlines the need for proactive defences among targeted organizations [7]. APT36's multi-faceted approach [1], which combines this tooling with social engineering such as malicious PDF and ZIP lures [1], is geared towards data theft and intelligence gathering [1] [3], particularly within the Indian governmental and technology sectors [1], and poses a significant threat to Indian cybersecurity defences [1].

Conclusion

The evolution of ElizaRAT and its deployment across successive campaigns underscore the growing threat APT36 poses to Indian cybersecurity. The group's ability to adapt its malware and C2 infrastructure calls for robust, proactive defences from targeted organizations. As APT36 continues to refine its tactics, Indian entities need to strengthen their security programmes, invest in detection that looks at process and network context rather than domain reputation alone, and collaborate with international cybersecurity agencies to share indicators and tradecraft. The ongoing developments in APT36's strategy highlight the importance of vigilance and preparedness in safeguarding sensitive information and maintaining national security.

References

[1] https://cybermaterial.com/apt36-targets-windows-devices-with-elizarat/
[2] https://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/
[3] https://gbhackers.com/apt36-elizarat-windows-attacks/
[4] https://www.infosecurity-magazine.com/news/pakistan-hackers-high-profile/
[5] https://www.isss.org.uk/news/explained-how-pakistani-hackers-are-using-elizarat-virus-to-target-india/
[6] https://webboard-nsoc.ncsa.or.th/topic/1412/cyber-threat-intelligence-05-november-2024
[7] https://cybersecsentinel.com/apt36-goes-cloudy-elizarat-puts-indian-systems-in-the-crosshairs/
[8] https://digitalterminal.in/trending/check-point-research-exposes-pakistan-linked-apt36s-new-malware-targeting-indian-systems
[9] https://www.darkreading.com/cyberattacks-data-breaches/apt36-refines-tools-attacks-indian-targets