APT36 Escalates Cyber Attacks on Indian Defense with Advanced Linux Malware
APT36, also known as Transparent Tribe, has intensified its cyber-espionage operations against Indian defense and government sectors by deploying sophisticated cross-platform malware, including new tools targeting Linux systems. A recent report by Aryaka Threat Research Labs sheds light on these stealthy Remote Access Trojans (RATs) designed for persistent access and data exfiltration.
Spear-Phishing Tactics and Payload Delivery
The group's spear-phishing emails carry malicious LNK, HTA, ELF and PPAM attachments, so a single campaign can land on both Windows and Linux hosts. Recent waves staged payloads on legitimate Indian domains such as innlive.in, which gives the download traffic a benign-looking destination. The tooling has also evolved to include in-memory execution, encrypted command-and-control (C2) traffic, and systemd-based persistence, giving the operators long-term access to compromised machines.
Deployment of Ares RAT on Linux Systems
A notable aspect of APT36’s strategy is the deployment of a UPX-packed Go-based ELF downloader that creates a concealed directory within the user’s home folder. This downloader retrieves three critical files from innlive.in:
– gkt3.1: A PyInstaller-packed Ares RAT ELF binary.
– gkt3.sh: A shell script designed to establish persistence via systemd user services.
– Decoy PDF: A document intended to distract the user while the malware executes in the background.
The unit is installed as a systemd user service wired to the user's default.target, so gkt3.1 is started whenever that user's systemd instance comes up: at every login, and at boot if lingering is enabled for the account. This survives reboots without the malware ever needing root.
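One concrete way to hunt for this persistence on a Linux host, written here as an added example (it is not code from the Aryaka report or from the malware): parse every user-level unit file and flag those whose ExecStart points into a hidden directory under the home folder or into a world-writable location, or that are wired to default.target. The sample unit text, the file name gkt3.service and the path /home/alice/.gkt/gkt3.1 are constructed for the demo and are assumptions, not indicators from the report.

```python
"""Audit systemd *user* units for login-triggered persistence.

Added example, not the report's or the malware's code. Flags user units
whose ExecStart runs from a hidden directory under $HOME or from
/tmp-like locations, that start at every login (WantedBy=default.target),
or that restart themselves. SAMPLE_UNIT and SAMPLE_HOME are constructed.
"""
import os
from pathlib import Path
from typing import Dict, List

USER_UNIT_DIRS = (".config/systemd/user", ".local/share/systemd/user")
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section: {key: value}}, last value wins."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_unit(text: str, home: str) -> List[str]:
    """Return human-readable findings for one unit file's contents."""
    findings: List[str] = []
    unit = parse_unit(text)
    service = unit.get("Service", {})
    exec_start = service.get("ExecStart", "")
    # ExecStart may carry prefixes such as "-", "@" or "+"; take the executable token.
    exe = exec_start.lstrip("-@:+!").split()[0] if exec_start else ""
    if exe:
        if exe.startswith(home + "/"):
            rel = os.path.relpath(exe, home)
            # Any hidden directory component between $HOME and the binary.
            if any(part.startswith(".") for part in Path(rel).parts[:-1]):
                findings.append(f"ExecStart runs from hidden home directory: {exe}")
        if exe.startswith(WORLD_WRITABLE_PREFIXES):
            findings.append(f"ExecStart runs from world-writable location: {exe}")
    if unit.get("Install", {}).get("WantedBy") == "default.target":
        findings.append("WantedBy=default.target: starts at every login")
    restart = service.get("Restart", "no")
    if restart in ("always", "on-failure"):
        findings.append(f"Restart={restart}: relaunches if killed")
    return findings


def scan_user_units(home: str) -> Dict[str, List[str]]:
    """Audit every *.service under the user's unit directories on this host."""
    report: Dict[str, List[str]] = {}
    for sub in USER_UNIT_DIRS:
        for path in Path(home, sub).glob("*.service"):
            hits = audit_unit(path.read_text(errors="replace"), home)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample of what a login-triggered unit pointing into a hidden
# directory looks like. Names and paths are illustrative assumptions.
SAMPLE_HOME = "/home/alice"
SAMPLE_UNIT = """\
[Unit]
Description=System update helper

[Service]
ExecStart=/home/alice/.gkt/gkt3.1
Restart=always
RestartSec=30

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_UNIT, SAMPLE_HOME):
        print("[!] gkt3.service:", finding)
    for unit_path, hits in scan_user_units(os.path.expanduser("~")).items():
        print(unit_path, hits)
```

Legitimate software also installs user units (desktop agents, some package managers put binaries under ~/.local), so treat hits as triage leads and pair them with `systemctl --user list-unit-files` and a check of the binary's packer and hash rather than as verdicts.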
Technical Breakdown of Ares RAT
Ares RAT, a Python-based Remote Access Trojan, initiates by capturing system information, including platform details, hostname, username, and a unique identifier. It performs a comprehensive enumeration of the home directory, saving the results to a temporary file before exfiltrating the data to the C2 server.
The RAT operates in an infinite loop, periodically polling the C2 server’s /hello endpoint for commands. The range of commands includes:
– cd: Change the current working directory.
– upload: Send a local file to the C2 server.
– download: Retrieve a file from the C2 server.
– listall: Recursively list files and exfiltrate the list.
– screenshot: Capture and send a screenshot.
– persist: Establish persistence on the infected system.
Parallel Attacks on Windows Systems
Simultaneously, APT36 targets Windows systems with LNK shortcuts that invoke mshta.exe to fetch JavaScript from compromised sites such as sifi.co.in. That script triggers in-memory .NET/XAML deserialization, culminating in the deployment of GETA RAT without a payload being written to disk as a conventional executable. GETA RAT speaks AES-encrypted TCP to its C2 on ports such as 8621 and supports process termination, screenshot capture, shell command execution, and file operations. Persistence is achieved via the Startup folder and registry modifications; the RAT also checks for antivirus products such as Kaspersky and Quick Heal.
Introduction of Desk RAT via PPAM Lures
APT36 also delivers a Go-based Desk RAT through PPAM (PowerPoint add-in) lures titled Project Vijayak BRO Updates. The add-ins carry VBA macros that execute automatically and fetch ZIP archives from domains such as defenceindia.siteteamindia. Desk RAT profiles system resources, establishes persistence via registry Run keys, looks up the host's public IP address and enriches it with geolocation data. It communicates with the C2 server over WebSocket, sending telemetry and executing commands such as file browsing and uploading.
Indicators of Compromise and Defensive Measures
The malware exhibits specific behaviors that can serve as indicators of compromise:
– Linux Droppers: Show fixed timing and beaconing patterns; Ares RAT uses predictable /report uploads.
– GETA RAT: Displays consistent packet gaps for screenshots and fixed-length commands post-encryption.
– Desk RAT: Utilizes WebSocket communications with 30-second heartbeats.
Identified indicators of compromise include the IP addresses 65.109.190.120 and 2.56.10.86, as well as file hashes such as d33ad6ed76cdd0b036af466d69a6ff50 (MD5-length) associated with Desk RAT.
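What the three indicator patterns above share is timing regularity: the Ares loop polls /hello and pushes /report on a schedule, GETA RAT's screenshot traffic has consistent packet gaps, and Desk RAT's WebSocket heartbeat fires every 30 seconds. The following added example (not code from the Aryaka report) shows how to surface that regularity from web-proxy or egress logs: group requests by client, destination and path, compute the gaps between consecutive requests, and flag series whose coefficient of variation is low. The log format, the hosts c2.example.invalid and ws.example.invalid, the client IPs and the /socket path are all constructed for the demo.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Added example, not from the Aryaka report. Groups requests by
(client, host, path), derives inter-request gaps and reports series
whose jitter (pstdev / mean) stays below a threshold, which is what the
/hello polling, the /report uploads and a 30-second WebSocket heartbeat
look like next to human browsing. All hosts, IPs and paths are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (client, host, path)


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Constructed format: '<iso-time> <client> <method> <host> <path>'."""
    ts, client, method, host, path = line.split()
    return datetime.fromisoformat(ts), client, method, host, path


def beacon_candidates(lines: List[str], min_samples: int = 5,
                      max_cv: float = 0.15) -> List[Tuple[Key, float, float]]:
    """Return (key, mean_gap_seconds, cv) for low-jitter request series."""
    series: Dict[Key, List[datetime]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, host, path = parse_line(line)
        series[(client, host, path)].append(ts)

    hits: List[Tuple[Key, float, float]] = []
    for key, times in series.items():
        if len(times) < min_samples:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps, not a cadence
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return sorted(hits)


def constructed_log() -> List[str]:
    """Build the sample log: three beaconing series plus human browsing."""
    base = datetime(2025, 5, 1, 10, 0, 0)
    lines: List[str] = []
    # Ares-style polling of /hello every 10 s with sub-second jitter.
    for i, jitter in enumerate([0, 0.4, -0.3, 0.2, 0, -0.1, 0.3, 0.1]):
        t = base + timedelta(seconds=10 * i + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET c2.example.invalid /hello")
    # Scheduled /report uploads every 60 s.
    for i in range(5):
        t = base + timedelta(seconds=60 * i + 3)
        lines.append(f"{t.isoformat()} 10.0.0.5 POST c2.example.invalid /report")
    # WebSocket heartbeat every 30 s from a second host.
    for i in range(6):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 GET ws.example.invalid /socket")
    # Human browsing: irregular gaps, should not be flagged.
    elapsed = 0
    for gap in [0, 7, 95, 12, 240, 31, 600]:
        elapsed += gap
        t = base + timedelta(seconds=elapsed)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET news.example.invalid /index.html")
    return lines


if __name__ == "__main__":
    for key, mean_gap, cv in beacon_candidates(constructed_log()):
        print(f"{key[0]} -> {key[1]}{key[2]}: every {mean_gap}s (cv={cv})")
```

Regular cadence alone is not malicious: package update checks, monitoring agents and chat clients beacon too. Use the output as a ranking input, allowlist known pollers by destination, and weigh hits against the IOC addresses and domains above and against how recently the destination was first seen on the network.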
To mitigate these threats, organizations are advised to:
– Block Malicious Domains: Prevent access to domains such as innlive.in and sifi.co.in.
– Monitor Hosts and Network: Watch for mshta.exe launched from LNK files or Explorer, for newly enabled systemd user units and hidden directories under home folders on Linux, and for unexpected WebSocket Upgrade requests to unfamiliar destinations.
– Implement Network Security Measures: Utilize DNS security gateways to detect phishing attempts and intrusion detection/prevention systems to identify beaconing and encrypted C2 anomalies.
Aryaka recommends adopting a Unified Secure Access Service Edge (SASE) approach, integrating next-generation firewalls, antivirus solutions, and comprehensive traffic inspection to reduce the dwell time of such threats.
Conclusion
APT36’s recent campaigns underscore a significant escalation in their cyber-espionage activities, particularly through the deployment of advanced Linux-targeting malware. Their use of cross-platform tools and sophisticated persistence mechanisms highlights the evolving nature of cyber threats facing Indian defense and government sectors. Proactive monitoring, robust security protocols, and user education are essential in mitigating the risks posed by such advanced persistent threats.