
Check Point Uncover Pakistan-Linked APT36’s New Malware Targeting Indian Systems
Pakistan's APT36 threat outfit has been deploying a new and upgraded version of its core ElizaRAT custom implant in what looks to be an increasing number of successful assaults on Indian government agencies, military entities, and diplomatic missions over the last year. 

Cybersecurity researchers at Check Point Research (CPR) identified that the latest ElizaRAT variant includes new evasion strategies, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it more difficult for defenders to spot the malware.

A new stealer payload known as ApoloStealer has also been used by APT36 to collect specified file types from compromised systems, retain their metadata, and transport the data to the attacker's C2 server, which further increases the risk to victims. 

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," stated Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

The threat group's use of legitimate software, living-off-the-land binaries (LoLBins), and legitimate cloud services such as Telegram, Slack, and Google Drive for C2 communication further complicates detection. According to Shykevich, the adoption of these services has made it much more difficult to spot malware communications in network traffic, since they blend in with normal business use of the same platforms. 

APT36, also known as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard by various security vendors, is a Pakistani threat group that has predominantly targeted Indian government and military entities in intelligence-gathering operations since about 2013. Like many other tightly focused threat groups, APT36's attacks have occasionally targeted organisations in other regions, such as Europe, Australia, and the United States.

The threat actor's current malware arsenal comprises tools for infiltrating Android, Windows, and increasingly Linux devices. BlackBerry revealed earlier this year that in one APT36 campaign, ELF binaries (Executable and Linkable Format, the native executable format on Linux) accounted for 65% of the group's attacks against Maya OS, a Unix-like operating system created by India's defence ministry as a Windows substitute. Additionally, SentinelOne reported last year that APT36 was spreading the CapraRAT malware on Android devices owned by Indian military and diplomatic personnel by using romantic lures. 

ElizaRAT is malware that the threat actor added to its attack kit last September. The malware has been propagated using phishing emails that include links to malicious Control Panel (.cpl) files hosted on Google Storage. When a user opens the CPL file, Windows executes the code it contains, which starts the malware infection on the device and can grant the attacker remote access to or control of the system. 
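A .cpl file is a DLL that Windows runs through control.exe or rundll32.exe, which is why a user "opening" one is enough to execute attacker code. Built-in applets live under the Windows directory, so a .cpl being launched from a download or temp folder is a useful hunting signal. The following is an added, defender-side illustration (not code from the Check Point report or anything APT36 uses) that triages Sysmon-style process-creation records; the field names `Image`, `CommandLine` and `ParentImage`, the lure-parent list and the sample events are assumptions constructed for this example.

```python
"""Flag Control Panel (.cpl) files launched from user-writable paths.

Added example, not code from Check Point's report or from APT36. It assumes
Sysmon-style process-creation records with Image, CommandLine and ParentImage
fields; the events below are constructed for this illustration.
"""
import re
from typing import Dict, List, Optional

# A .cpl path in the command line, either quoted (may contain spaces) or bare.
CPL_RE = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)(?=\s|$)', re.IGNORECASE)

# Built-in applets live under the Windows directory; anything else is unusual.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Processes that host .cpl execution (control.exe, rundll32 via Control_RunDLL).
CPL_HOSTS = ("control.exe", "rundll32.exe")

# Parents that commonly hand a downloaded lure to the user (assumed list).
LURE_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe")


def cpl_path(cmdline: str) -> Optional[str]:
    """Return the .cpl path referenced by a command line, if any."""
    m = CPL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event looks like a CPL lure, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith(CPL_HOSTS):
        return None
    path = cpl_path(event.get("CommandLine", ""))
    if path is None:
        return None
    if path.lower().startswith(TRUSTED_DIRS):
        return None  # a built-in applet such as timedate.cpl
    parent = event.get("ParentImage", "").lower()
    parent_name = parent.rsplit("\\", 1)[-1]
    reason = f".cpl outside the Windows directory: {path}"
    if parent.endswith(LURE_PARENTS):
        reason += f" (spawned by {parent_name})"
    return reason


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return flagged events with an added 'reason' field."""
    hits = []
    for ev in events:
        reason = assess(ev)
        if reason:
            hits.append({**ev, "reason": reason})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL "C:\Users\asha\AppData\Local\Temp\Meeting Agenda.cpl"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Users\asha\Downloads\Invoice.cpl',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\asha\Desktop\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["reason"])
```

The location check is the key decision: legitimate applets are never launched from a user profile, so the rule stays quiet on normal Control Panel use while catching the two constructed lure events. The parent-process name is only appended as context for the analyst, not used to suppress alerts, because a lure opened from File Explorer is just as dangerous as one opened from a mail client.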

Over the last year, Check Point analysts observed APT36 operators using at least three different versions of ElizaRAT in three consecutive campaigns, all of which targeted Indian organisations. The first was an ElizaRAT variant that used Slack channels for its C2 infrastructure. APT36 began employing that variant late last year, and approximately a month later began deploying ApoloStealer alongside it. 

Starting early this year, the threat group began using a dropper component to discreetly drop and unpack a compressed file carrying a new and enhanced version of ElizaRAT. Like its predecessor, the new variant first checks whether the machine's time zone is configured to Indian Standard Time and only then executes its malicious behaviour, a gate that both narrows execution to the intended targets and keeps the payload inert in analysis environments set to other time zones.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36's malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR noted in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

CERT-In Warns Of 'Royal Ransomware' Virus Attacking India's Critical Sectors
Indian citizens and organisations have been alerted about the Royal Ransomware virus by the Indian Computer Emergency Response Team (CERT-In). 

The ransomware targets critical infrastructure sectors, such as manufacturing, communications, healthcare, and education, as well as individuals, encrypting their files and demanding payment in Bitcoin in exchange for not releasing the stolen private information to the public. 

The CERT-In advisory states that RDP (Remote Desktop Protocol) abuse, phishing emails, malicious downloads, and other forms of social engineering are all ways the Royal Ransomware infection spreads. The ransomware was first discovered in January 2022, and it started to spread widely around September of last year, at which point the US government began to issue advisories against it.

The report also disclosed that the threat actors employ a number of strategies to trick victims into installing remote access malware as part of callback phishing. Once it has infected a system, the ransomware encrypts the data and deletes shadow copies so that files cannot be restored from Windows' local snapshots. 

The Royal Ransomware virus directs the victim to a .onion URL (reachable only through a dark web browser such as Tor) for direct contact, so the ransom note itself does not reveal information like the ransom amount or any instructions. Additionally, the malware gains access to the domain controller, exfiltrates a sizable amount of data before encryption, and disables antivirus protection.
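Shadow-copy deletion and antivirus tampering both happen through ordinary command lines before the encryption stage, which makes them among the earliest points at which process telemetry can raise an alarm. The following is an added detection example (not CERT-In's code and not anything from the ransomware itself) that classifies EDR- or Sysmon-style command lines; it goes beyond the advisory's mention of shadow copies to cover backup-catalog deletion, boot-recovery disabling and Defender real-time-protection tampering, which are widely documented ransomware precursors, and all sample command lines are constructed for the illustration.

```python
"""Flag command lines that remove recovery options or tamper with AV.

Added example, not CERT-In's or Royal's code. It assumes process command lines
from EDR or Sysmon telemetry; the sample lines below are constructed. Beyond
the advisory's mention of shadow-copy deletion, it also covers backup-catalog
deletion, boot-recovery disabling and Defender real-time protection
tampering, which are widely documented ransomware precursors.
"""
import re
from typing import List, Tuple

# (rule name, pattern) applied to a lowercased, quote-stripped command line.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\)")),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no\b")),
    ("av_tamper", re.compile(
        r"set-mppreference\s.*-disablerealtimemonitoring\s+\$?true")),
]


def normalise(cmdline: str) -> str:
    """Lowercase, drop quotes and collapse whitespace so patterns stay simple."""
    return " ".join(cmdline.replace('"', "").replace("'", "").lower().split())


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules matched by one command line."""
    text = normalise(cmdline)
    return [name for name, pattern in RULES if pattern.search(text)]


def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, matched rules) for every flagged line."""
    hits = []
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits.append((line, matched))
    return hits


# Constructed sample command lines (not from a real incident).
SAMPLE_COMMAND_LINES = [
    r"vssadmin.exe delete shadows /all /quiet",
    r"wmic.exe shadowcopy delete",
    r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet',
    r'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    r"bcdedit.exe /set {default} recoveryenabled No",
    r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"vssadmin.exe list shadows",           # benign: listing is routine admin work
    r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"',  # benign
]

if __name__ == "__main__":
    for line, rules in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(rules), "<-", line)
```

Normalising before matching matters: operators vary casing, quoting and spacing, and the same WMI deletion can be spelled through `wmic` or through PowerShell, so the rules match the action rather than one exact string. The two benign lines show the intended precision: enumerating shadow copies is common administrative work and should not page anyone, while any of the six destructive forms, on a host that is not a scheduled backup server, justifies immediate isolation because encryption usually follows within minutes.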

Prevention Tips

CERT-In has suggested a set of countermeasures and internet hygiene guidelines to protect against this and similar ransomware attacks. These precautions include keeping backup data offline, regularly maintaining backup and restore procedures, enabling protected files in Windows, blocking remote desktop connections, using least-privileged accounts, and restricting the number of users who can access resources via remote desktop. 

Other best practices include keeping anti-virus software up to date on computer systems, avoiding clicking on links in unsolicited emails, and encrypting all backup data such that it is immutable (cannot be changed or removed) and covers the entire organisation's data architecture. 

People and organisations should exercise caution and take the appropriate safety measures to protect themselves from this destructive ransomware. Following the suggested guidelines can help prevent data loss and lower the chances of suffering financial and reputational harm.