High-profile organizations in India have been targeted by malicious campaigns organized by the Pakistan-linked Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group called IcePeony.
The intrusions linked to Transparent Tribe include the use of malware called ElizaRAT and a new stealer payload called ApoloStealer on specific victims of interest, Check Point said in a white paper published this week.
“The ElizaRAT samples point to the systematic abuse of cloud services, including Telegram, Google Drive and Slack, to facilitate command-and-control communication,” the Israeli company said.
ElizaRAT is a Windows Remote Access Tool (RAT) that Transparent Tribe was first observed using in July 2023 in cyber attacks targeting India’s public sector. Active since at least 2013, the adversary also goes by the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.
Its malware arsenal includes tools for attacking Windows, Android and Linux devices. The increased focus on Linux machines is motivated by the Indian government’s use of a custom fork of Ubuntu called Maya OS since last year.
Infection chains are initiated by Control Panel (CPL) files, which are likely distributed using phishing methods. Between December 2023 and August 2024, as many as three different campaigns using the RAT were observed, each using Slack, Google Drive, and a virtual private server (VPS) for command and control (C2).
ApoloStealer is designed to collect files matching multiple extensions (such as DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from a compromised host and dump them on a remote server.
The threat actor is said to have changed its modus operandi in January 2024 to include a dropper component that ensures ElizaRAT runs smoothly. Recent attacks have also included an additional stealer module, codenamed ConnectX, which is designed to search for files on external drives such as USB sticks.
The abuse of legitimate services that are widely used in enterprise environments increases the threat, as it complicates detection and allows threat actors to blend in with legitimate activity on the system.
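Two of the behaviours described above, CPL files as the initial infection vector and cloud services (Telegram, Google Drive, Slack) as C2 channels, are the kind of thing a defender can hunt for in endpoint telemetry. The script below is an added example written for this article, not code from Check Point or from the malware itself; the event fields, the list of processes expected to talk to those services, and the sample events are all assumptions constructed for the example.

```python
"""
Added example (not from the Check Point report): a minimal detector that
scans constructed endpoint telemetry for two behaviours described in the text:
  1. a Control Panel (.cpl) file being executed from a user-writable directory,
  2. a non-browser process talking to cloud services (Telegram, Google Drive,
     Slack) that the text says were abused as C2 channels.
Field names, the process allow-list and the sample events are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cloud-service domains named in the text as abused C2 channels.
C2_CLOUD_DOMAINS = ("api.telegram.org", "www.googleapis.com", "slack.com", "files.slack.com")

# Processes for which connections to those domains are expected (assumed baseline).
ALLOWED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "googledrivefs.exe"}

# Directories a legitimate .cpl applet normally lives in; anything else is suspicious.
SYSTEM_DIRS = (r"c:\windows\system32\\"[:-1], r"c:\windows\syswow64\\"[:-1])

# Matches the two usual ways a .cpl file gets launched on Windows.
CPL_RE = re.compile(r'(?i)(?:shell32\.dll,control_rundll|control\.exe)\s+"?([^"\s]+\.cpl)"?')


@dataclass
class Event:
    kind: str           # "process" or "network"
    image: str          # executing process image name, e.g. rundll32.exe
    cmdline: str = ""   # full command line (process events)
    dest: str = ""      # destination hostname (network events)


def check_cpl_launch(ev: Event) -> Optional[str]:
    """Flag a .cpl applet launched from outside the Windows system directories."""
    if ev.kind != "process":
        return None
    m = CPL_RE.search(ev.cmdline)
    if not m:
        return None
    path = m.group(1).lower()
    if path.startswith(SYSTEM_DIRS):
        return None
    return f"CPL executed from non-system path: {path}"


def check_cloud_c2(ev: Event) -> Optional[str]:
    """Flag a process outside the allow-list contacting a cloud service used as C2."""
    if ev.kind != "network":
        return None
    dest = ev.dest.lower()
    if not any(dest == d or dest.endswith("." + d) for d in C2_CLOUD_DOMAINS):
        return None
    if ev.image.lower() in ALLOWED_CLOUD_CLIENTS:
        return None
    return f"{ev.image} contacted cloud service {dest}"


def scan(events: Iterable[Event]) -> List[str]:
    """Run every check over every event and collect the alert strings."""
    findings = []
    for ev in events:
        for check in (check_cpl_launch, check_cloud_c2):
            msg = check(ev)
            if msg:
                findings.append(msg)
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event("process", "rundll32.exe",
          cmdline=r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\Downloads\Invitation.cpl"'),
    Event("process", "control.exe", cmdline=r'control.exe C:\Windows\System32\timedate.cpl'),
    Event("network", "Invitation.exe", dest="api.telegram.org"),
    Event("network", "chrome.exe", dest="slack.com"),
    Event("network", "svchost.exe", dest="update.microsoft.com"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("ALERT:", f)
```

The allow-list is the important tuning knob: the text's point is that these services blend in with legitimate traffic, so the signal comes from which process makes the connection, not from the destination alone.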
“The development of ElizaRAT reflects a deliberate effort by APT36 to refine its malware to better evade detection and effectively target Indian organizations,” Check Point said. “The introduction of new payloads like ApolloStealer represents a significant expansion of APT36’s malware arsenal and suggests the group is taking a more flexible, modular approach to payload deployment.”
IcePeony haunts India, Mauritius and Vietnam
The disclosure comes weeks after the research group nao_sec revealed that an advanced persistent threat (APT) group it calls IcePeony has targeted government agencies, academic institutions and political organizations in countries such as India, Mauritius and Vietnam since at least 2023.
“Their attacks usually start with SQL injection, followed by compromise via web shells and backdoors,” said security researchers Rintaro Koike and Shoto Nakajima. “Ultimately, they’re aimed at stealing credentials.”
One of the most noteworthy tools in its malware portfolio is IceCache, which is designed to target Microsoft Internet Information Services (IIS) instances. An ELF binary written in the Go programming language, it is a custom version of the reGeorg web shell with added file transfer and command execution features.
The attacks are also characterized by the use of a unique passive-mode backdoor called IceEvent, which provides the ability to upload and download files and execute commands.
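The chain the researchers describe, SQL injection followed by a web shell on an IIS host, leaves traces in the server's own W3C logs. The script below is an added example for this article, not code from nao_sec or any IcePeony tool: it parses the `#Fields:` header, flags query strings carrying common injection markers, and flags POST requests to script files outside an assumed allow-list of the application's known endpoints (a dropped web shell typically appears as a new script path that only ever receives POSTs). The log lines, the endpoint list and the marker regex are all constructed assumptions.

```python
"""
Added example (not from the nao_sec research): IIS W3C log triage for the
SQL-injection-then-web-shell chain described in the text. Sample log lines,
the endpoint allow-list and the marker patterns are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote_plus

# Markers commonly seen in injection probes; meant for log triage, not as a WAF rule.
SQLI_MARKERS = re.compile(
    r"(?i)(union[\s/*]+(all[\s/*]+)?select|information_schema|waitfor[\s/*]+delay"
    r"|'\s*or\s+\S+\s*=\s*\S+|@@version|;\s*(exec|declare|drop)\b|--\s*$)"
)

# Script paths the (hypothetical) application is known to serve.
KNOWN_ENDPOINTS = {"/login.aspx", "/search.aspx", "/api/items"}


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def sqli_suspect(rec: Dict[str, str]) -> bool:
    """True if the decoded query string carries an injection marker."""
    q = rec.get("cs-uri-query", "-")
    if q == "-":
        return False
    return bool(SQLI_MARKERS.search(unquote_plus(q)))


def webshell_suspect(rec: Dict[str, str]) -> bool:
    """True for a POST to a script file that is not a known application endpoint."""
    stem = rec.get("cs-uri-stem", "").lower()
    is_script = stem.endswith((".aspx", ".ashx", ".asmx"))
    return rec.get("cs-method") == "POST" and is_script and stem not in KNOWN_ENDPOINTS


def triage(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client IP, path, tags) for every record that trips a check."""
    findings = []
    for rec in parse_w3c(lines):
        tags = []
        if sqli_suspect(rec):
            tags.append("sqli")
        if webshell_suspect(rec):
            tags.append("webshell")
        if tags:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], tags))
    return findings


# Constructed sample log (W3C extended format), not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /search.aspx q=laptop 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:09 10.0.0.5 GET /search.aspx q=laptop'+UNION+SELECT+1,@@version-- 203.0.113.7 Mozilla/5.0 500
2024-05-01 10:02:30 10.0.0.5 POST /login.aspx - 198.51.100.2 Mozilla/5.0 302
2024-05-01 10:05:12 10.0.0.5 POST /images/cache.aspx - 203.0.113.7 python-requests/2.31 200
""".splitlines()

if __name__ == "__main__":
    for ip, path, tags in triage(SAMPLE_LOG):
        print(f"{ip} {path} {','.join(tags)}")
```

Correlating the two tags by client IP, as the sample does for 203.0.113.7, is what turns two low-confidence hits into the sequence the researchers describe; on a real server the endpoint allow-list would come from the deployed application rather than being typed in.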
“It seems that attackers work six days a week,” the researchers noted. “Although they are less active on Fridays and Saturdays, their only full day off seems to be Sunday. This investigation shows that the attackers are not carrying out these attacks as personal acts, but are instead engaging in them as part of organized, professional operations.”