APT36, a Pakistan-based threat actor, has been actively targeting Indian entities with advanced malware like ElizaRAT, which constantly evolves, evades detection, and establishes persistent C2 communication to enable extensive cyber-espionage operations.
Transparent Tribe (APT36) has been actively targeting high-profile Indian entities in 2024, deploying the enhanced ElizaRAT malware with ApoloStealer, leveraging cloud services for C2, and demonstrating sophisticated evasion techniques.
ElizaRAT, a .NET-based RAT, leverages CPL files and cloud services for distribution and C2 by employing techniques like IWSHshell, SQLite, and unique victim IDs to establish persistence, collect sensitive data, and evade detection.
Its variant, SlackAPI.dll, leverages Slack channels as C2, infecting victims via CPL files, which steal user information, log activities, and execute commands received from the C2 server, posing a significant security threat.
SlackAPI.dll malware establishes two-way communication with the attacker through Slack’s API, allowing commands like file downloads, screenshot capture, system information gathering, and file uploads from the compromised machine.
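Because the SlackAPI.dll variant talks to the attacker through Slack's own web API, the hunting angle is not the destination (slack.com is expected traffic) but which process is making the calls. The following is an added example for this article, not code from Check Point Research or from the malware: it runs a simple allow-list check over constructed network telemetry lines. The host names, the allow-list of legitimate Slack clients, and the use of rundll32.exe as the implant's host process are assumptions for the demo.

```python
import json
from collections import Counter

# Constructed sample telemetry (one JSON object per line), shaped like what an
# EDR or proxy might record. Timestamps, processes and paths are invented.
SAMPLE_LOG_LINES = [
    '{"ts": "2024-03-01T09:00:01Z", "process": "slack.exe", "dest_host": "slack.com", "path": "/api/conversations.history"}',
    '{"ts": "2024-03-01T09:00:05Z", "process": "rundll32.exe", "dest_host": "slack.com", "path": "/api/conversations.history"}',
    '{"ts": "2024-03-01T09:00:35Z", "process": "rundll32.exe", "dest_host": "slack.com", "path": "/api/conversations.history"}',
    '{"ts": "2024-03-01T09:01:05Z", "process": "rundll32.exe", "dest_host": "files.slack.com", "path": "/api/files.upload"}',
    '{"ts": "2024-03-01T09:01:10Z", "process": "chrome.exe", "dest_host": "slack.com", "path": "/api/chat.postMessage"}',
    '{"ts": "2024-03-01T09:02:00Z", "process": "outlook.exe", "dest_host": "outlook.office365.com", "path": "/owa/"}',
]

# Hosts that serve the Slack Web API (assumption for the demo).
SLACK_API_HOSTS = {"slack.com", "api.slack.com", "files.slack.com"}
# Processes that legitimately call the Slack API on a typical desktop
# (assumption; tune to the environment's software inventory).
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_events(lines):
    """Parse JSON-per-line telemetry, skipping blank or malformed records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # do not let one bad record abort the hunt
    return events


def is_slack_api_call(event):
    host = event.get("dest_host", "").lower()
    return host in SLACK_API_HOSTS and event.get("path", "").startswith("/api/")


def flag_unexpected_slack_api_use(lines):
    """Return Slack API calls made by processes that are not known Slack clients."""
    return [
        e for e in parse_events(lines)
        if is_slack_api_call(e)
        and e.get("process", "").lower() not in EXPECTED_SLACK_CLIENTS
    ]


def summarize_by_process(flagged):
    """Count flagged calls per process. A steady poll of the same channel-read
    endpoint from a single non-client process is the beaconing pattern to triage."""
    return Counter(e["process"].lower() for e in flagged)


if __name__ == "__main__":
    hits = flag_unexpected_slack_api_use(SAMPLE_LOG_LINES)
    for e in hits:
        print(f"{e['ts']} {e['process']} -> {e['dest_host']}{e['path']}")
    print(dict(summarize_by_process(hits)))
```

In production the allow-list should come from the endpoint inventory rather than a hard-coded set, and the per-process count is better expressed as a rate over a window so that a 30-second poll stands out from a human-driven client.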
ApoloStealer, recently deployed malware, targets Indian systems and exfiltrates sensitive files by leveraging techniques similar to Transparent Tribe malware, including file theft, C2 communication, and persistence mechanisms.
The malware focuses on specific file types from various locations, including Desktop, Downloads, OneDrive, and fixed drives, and sends the stolen data to a remote server.
The Circle ElizaRAT variant uses a dropper to evade detection and establish persistence; the implant communicates with a VPS-based C2 server and mimics the SlackFiles behavior to execute malicious payloads.
This variant targets Indian victims (it checks the system time zone), collects the user and machine names, IP address, OS, and machine type, stores them in DLLs, and sends them along with a unique victim ID to a VPS server for further instructions.
The malware downloads files from specified URLs, extracts a SQLite DLL from downloaded ZIP files to the %appdata%\SlackAPI directory, and executes the SlackFiles.dll stealer, indicating a coordinated attack leveraging the Slack campaign’s infrastructure.
According to Check Point Research, the ElizaRAT variant uses a compromised Google Cloud service account to download next-stage payloads from specific VPS addresses upon receiving a “Transfer” command.
It downloads a file from a specified URL, extracts it using a given password, creates a scheduled task to run the extracted file every 5 minutes, and notifies a server about the successful operation.
The ApoloStealer payload, disguised as Spotify-related files, is executed by a scheduled task; it creates a local SQLite database to store file metadata and exfiltrates the targeted files, including sensitive documents and media, to a C2 server.
Transparent Tribe employed ElizaRAT, a custom tool, to target specific entities associated with the group’s previous activities and used the alias “Apolo Jones” in various ways, including file attribution, password protection, and function naming, further linking it to the group’s operations.
APT36’s ElizaRAT variants, targeting Indian systems, verify system time zones and leverage cloud services for command and control, while recent updates, including the ApoloStealer payload, indicate a shift towards modular data exfiltration, enhancing the group’s intelligence-gathering capabilities.
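The persistence described above (a scheduled task firing every 5 minutes, with the payload staged under %appdata%\SlackAPI) leaves a durable artifact that can be triaged offline from exported task definitions. The following is an added example for this article, not code from Check Point Research or from the malware: it parses Task Scheduler XML, converts the trigger's repetition interval to minutes, and flags tasks that combine a tight repetition with a binary in a user-writable location or that reference the reported SlackAPI staging directory. Both task definitions are constructed for the demo and the executable names are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task shaped like the reported persistence: 5-minute repetition,
# payload under %appdata%\SlackAPI. The executable name is a placeholder.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\SlackAPI\\stage2_PLACEHOLDER.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a daily vendor updater installed under Program Files.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Path fragments that an ordinary user can write to (assumption; extend as needed).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def duration_minutes(iso):
    """Convert an ISO 8601 duration such as PT5M or P1DT2H to minutes (None if unparsable)."""
    m = _DURATION.match(iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(xml_text, max_interval_minutes=5):
    """Extract the task's commands and shortest repetition interval, with reasons for concern."""
    root = ET.fromstring(xml_text)
    commands = [c.text or "" for c in root.findall(".//t:Exec/t:Command", NS)]
    intervals = [duration_minutes(i.text or "") for i in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    reasons = []
    if shortest is not None and shortest <= max_interval_minutes:
        reasons.append(f"repeats every {shortest:g} min")
    for cmd in commands:
        low = cmd.lower()
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append(f"runs from user-writable path: {cmd}")
        if "\\slackapi\\" in low:
            reasons.append("path matches the reported %appdata%\\SlackAPI staging directory")
    return {"commands": commands, "interval_minutes": shortest, "reasons": reasons}


def is_suspicious(xml_text):
    """Flag on tight repetition plus a user-writable binary, or on the reported staging directory alone."""
    r = triage_task(xml_text)
    tight = r["interval_minutes"] is not None and r["interval_minutes"] <= 5
    writable = any("user-writable" in s for s in r["reasons"])
    staged = any("SlackAPI" in s for s in r["reasons"])
    return (tight and writable) or staged


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, is_suspicious(xml_text), triage_task(xml_text)["reasons"])
```

On a live host the same logic can be applied to the task files under %SystemRoot%\System32\Tasks or to Security event 4698 (scheduled task created), whose payload carries the task XML verbatim; the repetition-plus-user-writable-path rule is deliberately conservative, since many legitimate updaters repeat but few run from a roaming profile directory.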