APT36 Hackers Delivering ElizaRAT Abusing Google Drive & Slack

APT36, a Pakistan-based threat actor, has been actively targeting Indian entities with advanced malware such as ElizaRAT, which is continually updated to evade detection and maintain persistent C2 communication in support of extensive cyber-espionage operations.

Transparent Tribe (APT36) has been actively targeting high-profile Indian entities in 2024, deploying the enhanced ElizaRAT malware with ApoloStealer, leveraging cloud services for C2, and demonstrating sophisticated evasion techniques.

ElizaRAT, a .NET-based RAT, uses CPL files and cloud services for distribution and C2, and relies on the IWshShell COM interface, SQLite, and unique victim IDs to establish persistence, collect sensitive data, and evade detection.

An HTTP stream example of the malware’s communication.

Its variant, SlackAPI.dll, uses Slack channels as C2. It infects victims via CPL files, then steals user information, logs activity, and executes commands received from the C2 server, posing a significant security threat.

SlackAPI.dll malware establishes two-way communication with the attacker through Slack’s API, allowing commands like file downloads, screenshot capture, system information gathering, and file uploads from the compromised machine.

ApoloStealer, a recently deployed stealer, targets Indian systems and exfiltrates sensitive files using techniques similar to other Transparent Tribe malware, including file theft, C2 communication, and persistence mechanisms.

The malware focuses on specific file types from various locations, including Desktop, Downloads, OneDrive, and fixed drives, and sends the stolen data to a remote server.

Circle Infection Chain.

The Circle ElizaRAT variant employs a sophisticated dropper to evade detection and establish persistence, which communicates with a VPS-based C2 server, mimicking SlackFiles behavior to execute malicious payloads.

This variant confirms it is running on an Indian victim by checking the system time zone, then collects the user and machine names, IP address, OS, and machine type, stores them in DLLs, and sends them together with a unique ID to a VPS server to await further instructions.

The malware downloads files from specified URLs, extracts a SQLite DLL from downloaded ZIP files to the %appdata%\SlackAPI directory, and executes the SlackFiles.dll stealer, indicating a coordinated attack leveraging the Slack campaign’s infrastructure.

Google Drive-based Campaign Infection Chain.

According to Check Point Research, the ElizaRAT variant uses a compromised Google Cloud service account to download next-stage payloads from specific VPS addresses upon receiving a “Transfer” command. 

It downloads a file from a specified URL, extracts it using a given password, creates a scheduled task to run the extracted file every 5 minutes, and notifies a server about the successful operation.

The ApoloStealer payload, disguised as Spotify-related files, runs from a scheduled task and steals specific file types: it creates a local SQLite database to store file metadata and exfiltrates the targeted files, including sensitive documents and media, to a C2 server.
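As an added example (not code from the article or from Check Point Research), the following Python script shows how a defender could turn the behaviours described above into detection rules run over endpoint telemetry: the scheduled task that re-launches the extracted payload every 5 minutes from a user-writable path, DLLs loaded from the %appdata%\SlackAPI staging directory, and control-panel (.cpl) items launched from a user profile instead of System32. The event schema, host names, task names, file names and paths in the sample events are constructed assumptions for the demo, not indicators taken from the report.

```python
"""
Added example: triage constructed endpoint events against the ElizaRAT
behaviours described in the article. The event layout and field names are
assumptions chosen for this demo, not a real product's schema.
"""
import re
from dataclasses import dataclass

# Paths under a user profile that malware can write to without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Staging directory the article names for the Slack-based variant.
SLACKAPI_DIR = re.compile(r"\\AppData\\Roaming\\SlackAPI\\", re.I)
# Windows binaries that host control-panel items (.cpl files are DLLs).
CPL_HOSTS = ("control.exe", "rundll32.exe")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_iso_interval(value: str) -> int:
    """Convert a Task Scheduler repetition interval such as 'PT5M' to seconds.
    Anything that is not a PT<h>H<m>M<s>S time duration returns 0."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m:
        return 0
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def rule_five_minute_task(ev):
    # ElizaRAT registers a task that re-runs the extracted payload every 5 minutes.
    if (ev["type"] == "task_created"
            and parse_iso_interval(ev.get("interval")) == 300
            and USER_WRITABLE.search(ev["command"])):
        return Finding("task_5min_user_path", ev["host"], f'{ev["task"]} -> {ev["command"]}')
    return None


def rule_slackapi_dll(ev):
    # SlackAPI.dll / SlackFiles.dll are dropped to %APPDATA%\SlackAPI before use.
    if ev["type"] == "image_loaded" and SLACKAPI_DIR.search(ev["image"]):
        return Finding("dll_from_slackapi_dir", ev["host"], f'{ev["process"]} loaded {ev["image"]}')
    return None


def rule_cpl_from_user_path(ev):
    # Initial infection uses .cpl droppers; legitimate .cpl items live in System32.
    if ev["type"] == "process_created" and ev["image"].lower().rsplit("\\", 1)[-1] in CPL_HOSTS:
        m = re.search(r'"?([^"\s]+\.cpl)"?', ev["command"], re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            return Finding("cpl_from_user_path", ev["host"], m.group(1))
    return None


RULES = (rule_five_minute_task, rule_slackapi_dll, rule_cpl_from_user_path)


def triage(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry: three suspicious events and three benign ones.
SAMPLE_EVENTS = [
    {"type": "process_created", "host": "ws01", "image": r"C:\Windows\System32\control.exe",
     "command": r'control.exe "C:\Users\alice\Downloads\Invitation.cpl"'},
    {"type": "process_created", "host": "ws01", "image": r"C:\Windows\System32\control.exe",
     "command": r"control.exe C:\Windows\System32\timedate.cpl"},
    {"type": "image_loaded", "host": "ws01", "process": "rundll32.exe",
     "image": r"C:\Users\alice\AppData\Roaming\SlackAPI\SlackFiles.dll"},
    {"type": "image_loaded", "host": "ws01", "process": "slack.exe",
     "image": r"C:\Users\alice\AppData\Local\slack\app-4.0\slack.exe"},
    {"type": "task_created", "host": "ws02", "task": r"\MediaSync", "interval": "PT5M",
     "command": r"C:\Users\bob\AppData\Roaming\Spotify\sync.exe"},
    {"type": "task_created", "host": "ws02", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "interval": "P7D", "command": r"C:\Windows\System32\defrag.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule keys on a behaviour rather than a hash, so it survives the frequent rebuilds the article describes; the cost is that the 5-minute-task rule needs a small allowlist in production, since legitimate updaters can also run from AppData.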

The text blob used to hide some strings in the payload, split by space.

Transparent Tribe used ElizaRAT, a custom tool, against entities consistent with the group’s earlier targeting, and the alias “Apolo Jones” appears in file attribution, password protection, and function names, further linking the malware to the group’s operations.

APT36’s ElizaRAT variants, which target Indian systems, verify the system time zone and use cloud services for command and control; recent updates, including the ApoloStealer payload, indicate a shift towards modular data exfiltration that enhances the group’s intelligence-gathering capabilities.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
