
Check Point Uncovers Pakistan-Linked APT36’s New Malware Targeting Indian Systems

 

Pakistan's APT36 threat group has been deploying a new and upgraded version of its core ElizaRAT custom implant in what appears to be a growing number of successful attacks on Indian government agencies, military entities and diplomatic missions over the last year.

Cybersecurity researchers at Check Point Research (CPR) identified that the latest ElizaRAT variant includes new evasion strategies, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it more difficult for defenders to spot the malware.

APT36 has also used a new stealer payload, ApoloStealer, to collect specified file types from compromised systems, record their metadata and send the data to the attacker's C2 server, which increases the risk to the affected organisations.

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," stated Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

The group's use of legitimate software, living-off-the-land binaries (LOLBins) and legitimate C2 communication services such as Telegram, Slack and Google Drive complicates detection. According to Shykevich, the adoption of these services has made malware traffic much harder to pick out in network monitoring, because it blends in with ordinary use of those services.

APT36, also tracked as Transparent Tribe, Operation C-Major, Earth Karkaddan and Mythic Leopard by security vendors, is a Pakistani threat group that has predominantly targeted Indian government and military entities in intelligence-gathering operations since about 2013. Like many other tightly focused threat groups, APT36 has occasionally targeted organisations elsewhere, including in Europe, Australia and the United States.

The threat actor's toolkit now includes malware for Windows, Android and, increasingly, Linux. BlackBerry reported earlier this year that in one APT36 campaign, ELF binaries (Executable and Linkable Format, the native Linux executable format) accounted for 65% of the group's attacks against Maya OS, a Linux-based operating system created by India's defence ministry as a Windows substitute. SentinelOne also reported last year that APT36 was spreading the CapraRAT Android malware to devices of Indian military and diplomatic personnel using romantic lures.

ElizaRAT is malware the threat actor added to its attack kit last September. It has been distributed through phishing emails containing links to malicious Control Panel (.cpl) files hosted on Google Storage. A .cpl file is a Windows DLL that control.exe loads and executes when the user opens it, so opening the lure is enough to start the infection and can give the attacker remote access to or control of the system.

Over the last year, Check Point analysts observed APT36 operators using at least three different versions of ElizaRAT in three consecutive campaigns, all targeting Indian organisations. The first variant used Slack channels for its C2 infrastructure. APT36 began employing it late last year and, roughly a month later, started deploying ApoloStealer alongside it.

Starting early this year, the group added a dropper component that quietly drops and unpacks a compressed file carrying a new, enhanced version of ElizaRAT. Like its predecessor, the new variant first checks whether the machine's time zone is set to Indian Standard Time and only then executes its malicious behaviour, which also means it stays inert on analysis machines configured for other time zones.
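Detection logic for two of the tradecraft points above, the .cpl phishing lure and the use of Slack, Telegram and Google Drive as C2 transports, as an added example that is not part of Check Point's report or of this post. The Sysmon-style events are constructed for the example, and the user-writable path pattern and the allow-list of browser-like processes are assumptions that need tuning per environment.

```python
"""Added example: two detections over Sysmon-style process-create (EventID 1)
and DNS-query (EventID 22) records.
  1. control.exe / rundll32.exe loading a .cpl from a user-writable directory,
     the shape of a phishing-delivered Control Panel lure.
  2. a process that is not browser-like resolving a cloud service that the
     write-up names as an abused C2 transport (Slack, Telegram, Google Drive).
All sample events below are constructed, not real telemetry."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Where a downloaded lure would plausibly land (assumption; extend as needed).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|Desktop)\\", re.IGNORECASE)
# Hosts named in the write-up as C2 transports.
C2_SERVICE_HOSTS = ("slack.com", "api.telegram.org", "drive.google.com", "www.googleapis.com")
# Processes expected to talk to those hosts legitimately (assumption; tune per estate).
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe",
                "telegram.exe", "googledrivefs.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_cpl_launch(ev: dict) -> Finding | None:
    """EventID 1: control.exe or rundll32.exe loading a .cpl from a user-writable path."""
    if ev.get("EventID") != 1:
        return None
    image = _basename(ev.get("Image", ""))
    if image not in {"control.exe", "rundll32.exe"}:
        return None
    # Pull every drive-rooted path ending in .cpl out of the command line.
    for m in re.finditer(r'"?([A-Za-z]:\\[^"\s,]+\.cpl)"?', ev.get("CommandLine", ""), re.IGNORECASE):
        cpl = m.group(1)
        if USER_WRITABLE.match(cpl):
            return Finding("cpl_from_user_writable_path", ev["Computer"], f"{image} loaded {cpl}")
    return None


def check_service_c2(ev: dict) -> Finding | None:
    """EventID 22: a non-browser process resolving one of the abused service hosts."""
    if ev.get("EventID") != 22:
        return None
    qname = ev.get("QueryName", "").lower()
    image = _basename(ev.get("Image", ""))
    if image in BROWSER_LIKE:
        return None
    if any(qname == h or qname.endswith("." + h) for h in C2_SERVICE_HOSTS):
        return Finding("non_browser_cloud_service_lookup", ev["Computer"], f"{image} resolved {qname}")
    return None


RULES = (check_cpl_launch, check_service_c2)


def run(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event and collect the hits in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\alice\Downloads\invite.cpl"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"},
    {"EventID": 22, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
     "QueryName": "slack.com"},
    {"EventID": 22, "Computer": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "drive.google.com"},
    {"EventID": 22, "Computer": "WS02", "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "QueryName": "api.telegram.org"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The second event (a system .cpl opened from System32) and the fourth (Chrome reaching Google Drive) are deliberately benign so the rules show where their boundaries are; in production the service-host list should be matched on DNS and proxy logs together, since the point of using these services as C2 is that the destinations look normal.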

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR noted in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

LK Advani's official website hacked by Pakistani Hacker

Screenshot of Defacement

A day after Bihar BJP's official website was hacked by a hacker claiming to be from Pakistan, the official website of senior BJP leader LK Advani (www.lkadvani.in) was defaced by the same hacker.

The hacker, who called himself Muhammad Bilal, opened the defacement message with "I'M Back ;D gOOd mOrNing Narendra Modi" and also wrote "Free Kashmir..Freedom is our goal."

The hacker also claimed to have defaced the websites of the Bharatiya Janata Party in the Lok Sabha and in the Rajya Sabha.

A screenshot published on the hacker's profile shows that he also gained access to the database server. The exposed information includes email IDs, hashed passwords, phone numbers and other details. Hashed passwords are still at risk: if the hashes are unsalted or use a fast algorithm such as MD5, they can be cracked offline.

At the time of writing, LK Advani's website is down for maintenance.

Bihar BJP website hacked and defaced by Pakistani Hackers

The Bharatiya Janata Party's (BJP) website has once again been targeted by a hacker claiming to be from Pakistan.

This time, a hacker named Muhammad Bilal of the Pak Cyber Experts group breached the official Bihar BJP website (www.biharbjp.org) and defaced its home page.

The defacement shows a picture of a person standing on a photo of Narendra Modi, along with some comments, and the hacker also called India "stupid".

"I just woke up for reading Namaz. I just thought i will check BJP website :D good site it was :( then my mind changed :( i thought to write 'Pakistan Army' or 'pakistan zindabad' on the site of people who say [redacted] about Pakistan," the defacement message reads (translated).

The hacker has a history of attacking Indian websites, including sites related to Modi.

This is not the first time BJP websites have been defaced by Pakistani hackers. Earlier this month, a hacker using the handle 'Sniper Haxxx' defaced the website of the BJP's Junagadh unit.

The site appears to have been defaced about 14 hours before this writing and is still showing the defacement. A mirror of the defacement is available here: http://zone-h.com/mirror/id/22233554

BSNL subdomain's defaced by "Kai-h4xOrR And Trojan"



Two Pakistani hackers calling themselves "Kai-h4xOrR And Trojan" have defaced some web pages on BSNL sub-domains.

The defaced pages are:
http://learntelecom.bsnl.co.in/acp_main_module/schedule_list.asp
http://www.vas.bsnl.co.in/vas/contact_us.jsp?cir=11

They left the following message: "Team MaXiMiZerSOp# Free For Kashmir"

BSNL has a poor security track record; its sites have been defaced multiple times in the past few years.

Mirrors:
http://zone-h.com/mirror/id/22021830
http://zone-hc.com/archive/mirror/d0abab6_learntelecom.bsnl.co.in_mirror_.html
http://zone-hc.com/archive/mirror/ea72f34_vas.bsnl.co.in_mirror_.html

Two more Indian Government websites hacked by Pakistani Hackers


In the last few days, several Pakistani hacker groups have defaced a large number of Indian government websites. Pakistan Haxors CREW is one of the groups targeting Indian websites.

Today the group hacked into two Indian government websites: the West Bengal State Coastal Zone Management Authority and the Damodar Valley Corporation.

At the time of writing, 'wbsczma.gov.in' is still showing the defacement, while 'portal.dvc.gov.in' has gone offline. The group also claimed to have dumped the database.

Today, another group, "Team MaXiMiZerS", defaced two Kerala state government websites along with hundreds of other websites.

Last night, the Voice Of Black Hat Hackers group from Pakistan hacked two Rajasthan state government websites.

State Bank of Patiala hacked and defaced by Pakistani Hacker

A Pakistani hacker with the online handle "Kai-H4xOrR" from PAKISTAN HAXORS CREW (PHC) has hacked into a State Bank of Patiala (SBP) sub-domain and defaced it.

In the defacement page, the hacker stated that the breach is payback "For Hacking Sui Gas Site".

"And Dont mess with Pakistan else you will lose both your Name and this Game   Backoff Lamers from our cyber space. Everybody Knows whose cyber space is more vulnerable," the defacement message reads.



"You will hack 1, we will hack thousands," the hacker warned Indian hackers who deface Pakistani websites.

The hacker uploaded the defacement to "https://hindi.sbp.co.in/index.html". The main page and other pages are not affected. At the time of writing, the page still displays the defacement.

15 Goa Government Websites hacked by Pakistani Hacker "H4x0r HuSsY"

 

A hacker with the handle "H4x0r HuSsY" from Pakistan has taken control of several Indian government websites and defaced them. All of the hacked websites belong to the state of Goa.

The affected websites include:
NRI Commission of Goa (nri.goa.gov.in)
Directorate of Agriculture (www.agri.goa.gov.in)
Directorate of Art and Culture (artandculture.goa.gov.in/uploads/index.html)
Department of Information and Publicity (artandculture.goa.gov.in/uploads/index.html)
Directorate of Fire & Emergency Service (goadfes.gov.in/media/index.php)
Goa Dental College (gdch.goa.gov.in)
Government Printing Press & Stationery (goaprintingpress.gov.in)

Other affected websites:
dfda.goa.gov.in
dsya.goa.gov.in
Department of Labour & Employment (labour.goa.gov.in)
Captain of Ports Department (ports.goa.gov.in)
River Navigation Department Goa (rnd.goa.gov.in/uploads/index.php)
Department of Sainik Welfare, Govt. of Goa (www.dosw.goa.gov.in)
socialwelfare.goa.gov.in/media/index.php
Department of Tourism (goatourism.gov.in/images/index.php)

Several of the defacement paths sit under uploads/, media/ or images/ directories, which suggests the attacker was able to write files into upload folders that the web server then served or executed.

This is not the first time this hacker has hit Indian websites. In the past, he has hacked into a number of Indian government websites and left them defaced.

Update
"We have pulled them completely down now," the spokesperson told local media, adding that a complaint would be lodged with Goa Police's cyber cell soon.

Rajasthan Public Service Commission website hacked by Codacker



The official website of the Rajasthan Public Service Commission (RPSC) was found hacked and defaced by a Pakistani hacker named "Codacker" with the message "Pakistan Zindabad".

The hacker placed two links in the News section that lead to the defacement page. According to the TOI report, the admin restored the website and changed its password.

"We also put the websites on surveillance and have reported to the IT ministry," K K Pathak, secretary of RPSC, told the Times of India.

But the website does not appear to be fully restored. At EHN, we are still able to see the defacement page uploaded at "http://rpsc.rajasthan.gov.in/index.html".

"Codacker is here.  Hey Admin! I own you now.  Feel the wrath of Pakistani Hacker," the defacement message reads.

Changing the password alone will not keep the attacker out. RPSC should identify the weakness that let the attacker write index.html to the web root, fix it, and check for any other files the attacker left behind; as long as the defacement page is still reachable, the site has not been cleaned up.

Egypt Government, University and 180+ other sites hacked by P@KhTuN


A Pakistani hacker named "P@KhTuN~72" from the hacker team "Pak Cyber Eaglez" has targeted Egyptian websites and taken control of about 200 of them.

After breaching each site, the hacker uploaded a file named "index.html" or "pce.html" containing the defacement page. In most cases the uploaded file was pce.html and the site's main page was left untouched, so the defacement is only visible at that path. The real problem is the ability to write a file into the web root at all, whatever the file is called.
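A quick way to find files like these after a breach, as an added example that is not from the post or from any of the affected sites: walk the directories that should only hold uploaded static content and report anything the web server would serve as a page or execute. The directory names, the deny-list of extensions and the sample document root are all constructed for the example.

```python
"""Added example: scan a web document root for HTML or script files planted
inside upload directories (the index.html / pce.html pattern above).
The upload directory names and sample tree are constructed, not taken from
any real site."""
from __future__ import annotations
import tempfile
import time
from pathlib import Path

# Directories that should only ever hold static user uploads (assumption).
UPLOAD_DIRS = ("uploads", "media", "images")
# Anything the web server would render as a page or execute does not belong there.
DENIED_SUFFIXES = {".html", ".htm", ".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}


def find_planted_files(docroot: str | Path, max_age_s: float | None = None) -> list[str]:
    """Return docroot-relative paths of files under the upload directories whose
    extension is on the deny-list. With max_age_s set, only files modified within
    that window are reported (e.g. 'what appeared in the last 24 hours')."""
    docroot = Path(docroot)
    now = time.time()
    hits: list[str] = []
    for d in UPLOAD_DIRS:
        base = docroot / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file() or p.suffix.lower() not in DENIED_SUFFIXES:
                continue
            if max_age_s is not None and now - p.stat().st_mtime > max_age_s:
                continue
            hits.append(p.relative_to(docroot).as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed document root mixing legitimate uploads with planted files."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = {
        "index.php": "<?php echo 'home'; ?>",                 # legitimate, outside upload dirs
        "uploads/report.pdf": "%PDF-1.4 ...",                  # legitimate upload
        "uploads/index.html": "<h1>Hacked</h1>",               # planted defacement page
        "uploads/pce.html": "<h1>Hacked</h1>",                 # planted defacement page
        "media/photo.jpg": "\xff\xd8",                         # legitimate upload
        "media/shell.php": "<?php system($_GET['c']); ?>",     # planted script
        "images/logo.png": "\x89PNG",                          # legitimate
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_planted_files(root):
        print("suspicious:", hit)
```

Finding the files is the clean-up step, not the fix: the durable fix is to repair whatever upload handler or credential let the attacker write there, and to configure the web server so that upload directories are never executed as scripts or served as HTML.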

The hacked sites include one government website, the General Authority For Supply Commodities (gasc.gov.eg), one university website (elmaref.edu.eg) and 180+ others.

The hacker gave no specific reason for attacking those websites. At the time of writing, we are still able to see the defacement page. The full list of hacked sites with mirrors can be found here: pastebin.com/C0b6AyXa

Hacked Bangladeshi Police site restored by Bangladesh Grey Hat Hackers


The Bangladeshi hacker group known as "Bangladesh Grey Hat Hackers" (BGHH) has claimed to have restored two Bangladeshi government websites after they were hacked by Pakistani hackers.

BGHH hacked the websites belonging to Panchagarh Govt. Girls' High School (pgghs.edu.bd) and Chittagong Range Police (ctgrangepolice.gov.bd). The group defaced those websites and left security tips for the administrators on securing their sites.

"This Web site has been hacked by Pakistani hackers. 's Server has root access to the server and access them. Saitai on any web server that allows the hacker to the server by hand and some government websites, including that of the total 341 websites are hosted. All together, the hacker also deleted the web saitakei diphesa or Truly it. In addition to these important seyararda server hosting the website is not secure and is done emerikaya server location," the hacker wrote on the defacement page (translated).

The group claimed that the sites store passwords in plain text and recommended that the administrators use encrypted passwords and SSL. Strictly, stored passwords should be hashed with a salted, slow, one-way function rather than encrypted, and SSL/TLS protects them only in transit, not in the database.

"We request all the site Admin's to secure their site.. We are always there to secure Bangladeshi Cyber Space..." the hacker said in an email sent to EHN.

At the time of writing, the administrator of the school website has taken the site offline, but the police website still shows the defacement page (ctgrangepolice.gov.bd/psc/).

India Results website hacked by Pakistan Hacker Hitcher


A Pakistani hacker known as Hitcher has breached IndiaResults.com, a portal for board and university exam results and educational/career information.

As in the BRBRAITT site attack, the hacker defaced the website and published the database contents on the defacement page itself.

The database dump contains names, phone numbers, addresses and other details. No passwords were leaked in the dump.

The defacement page can be seen here:
http://ser1.indiaresults.com/%2C/
In an email sent to EHN, the hacker provided the database as an XLSX sheet. The compromised database appears to be the one that stores feedback-form data.

At press time, we are still able to see the defacement page. A mirror of the defacement can be found here:
http://www.th3mirror.com/mirror/id/222665/