The advanced permanent threat (APT) associated with Pakistan has been associated with the creation of a false site, which is masked by both the Post Sector Sector of India as part of the company Windows and Android in the country.
Cybersecurity Cybersecurity Company has attributed a company with average confidence to the actor’s threat called APT36which is also known as a transparent tribe.
A fraudulent site that mimics India Post, called “Postindia (.) Site”. Users who land on the Windows Systems site are offered to download the PDF document, while those who visit the Android device are submitted to the malicious app (“IndiaPost.apk”).
“When accessing the desktop, the site provides a malicious PDF file that contains”Clickfix“Tactics”, Cyfirma – Note. “The document instructs users to press the Win + R keys, insert the PowerShell command in the Run dialog and execute it – potentially breaking the system.”
EXIF data analysis related to the dropped PDF shows that it was created on October 23, 2024 by the author nicknamed “Pmil“A likely reference to the Pakistan Youth Laptop scheme. registered About a month on November 20, 2024.
The PowerShell code is designed to download the useful load on the next stage from the remote server (“88.22.245 (.) 211”, which is currently inactive.
On the other hand, when the same site is visited with Android, it calls on users to install their mobile app for “best experience”. After installing the application requires extensive permits that allow it to collect and highlight sensitive data, including contacts, current location and files from the external storage.
“The Android app changes its icon to mimic the non-professional Google Accounts icon to hide its activity, which makes it difficult to search and delete the app if they want to delete it,” the company said. “The app also has a feature to force users to accept permits when they are first denied.”
The malicious application is also designed to work in the background constantly even after rebooting the device while looking for permits to ignore the battery optimization.
“Clickfix is increasingly used by cybercriminals, fraudsters and accurate groups, as reported by other researchers who are watching its use in the wild,” Kephirir said. “This new tactic poses a significant threat as it can navigate both uninhabited and technological users that cannot be familiar with such methods.”