CyberSecurity SEE

APT36 Enhances Tools in Attacks on Indian Targets

Pakistan-linked threat group APT36 has been observed using a new version of its ElizaRAT custom implant in a series of intrusions against Indian government agencies, military entities, and diplomatic missions. The new variant adds evasion techniques, an expanded command-and-control (C2) design, and a separate dropper component, changes that make the implant harder for defenders to detect and to remove once it is on a host.

According to researchers at Check Point Research (CPR), the latest ElizaRAT variant also includes a new stealer payload known as ApoloStealer. This new addition allows APT36 to collect specific file types from compromised systems, store their metadata, and transfer the stolen information to the attacker’s C2 server. The use of ApoloStealer enables APT36 to target and extract sensitive data from the compromised systems, further enhancing their cyber espionage capabilities.

Sergey Shykevich, the threat intelligence group manager at Check Point Software, highlighted the significance of APT36’s new stealer payload. He noted that the introduction of ApoloStealer allows the threat group to adopt a “step-by-step” approach in deploying malware tailored to specific targets. This method ensures that even if defenders detect their activities, they may only uncover a portion of the overall malware arsenal, making it more challenging to fully eradicate the threat.

One of the key challenges posed by APT36 is their use of legitimate software, living off the land binaries (LoLBins), and popular services like Telegram, Slack, and Google Drive for command-and-control communications. This tactic significantly complicates the task of tracking malware communications within network traffic, making it harder for defenders to identify and block malicious activity effectively.

Known by various aliases such as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, APT36 is a Pakistani threat group that has been targeting Indian government and military entities since around 2013. While their primary focus remains on Indian organizations, APT36 has conducted intelligence gathering operations against entities in other countries, including Europe, Australia, and the US.

The threat actor’s malware portfolio includes tools designed to compromise Windows, Android, and Linux devices. Recent reports have highlighted APT36’s use of ELF binaries to target Maya OS, an alternative operating system developed by India’s defense ministry. Additionally, APT36 has been observed using deceptive tactics, such as romantic lures, to spread malware on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT, the core of APT36’s attack kit, is delivered through phishing emails that link to malicious Control Panel (.cpl) files hosted on Google Storage. A CPL file is a DLL that Windows loads through control.exe and rundll32.exe when the user double-clicks it, so opening the lure runs attacker code without a conventional executable ever being launched; that code installs ElizaRAT and gives the operator remote access to and control over the system.

Researchers at Check Point have identified three separate campaigns conducted by APT36 using different versions of ElizaRAT over the past year. The threat group initially used Slack channels for C2 infrastructure before transitioning to Google Drive for communications in the latest campaign. Each version of the ElizaRAT malware has exhibited incremental improvements in functionality and evasion capabilities, reflecting APT36’s ongoing efforts to enhance their cyber espionage operations.
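The two behaviours described above, a CPL lure launched from a user-writable folder and C2 traffic routed through Slack or Google Drive, are both visible in endpoint telemetry even when the network traffic itself looks legitimate. The following is an added example written for this page, not Check Point’s code and not anything taken from APT36 tooling: it runs two hunting rules over constructed Sysmon-style process-creation and network-connection events modelled as dictionaries. The host list, the allowlist of expected client processes, and the user-writable path patterns are assumptions to be tuned for a given environment.

```python
"""
Added example (not Check Point's code, not APT36 tooling).

Rule 1 flags Control Panel (.cpl) files loaded by control.exe or rundll32.exe
from user-writable paths, the delivery mechanism described for ElizaRAT.
Rule 2 flags connections to Slack / Google Drive / Telegram API hosts from
processes that are neither browsers nor the vendor's own client, which
approximates the "legitimate service as C2" pattern.

Events are constructed Sysmon-style dicts (EventID 1 = process create,
EventID 3 = network connection); no real incident data is used.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Paths an unprivileged user (or a phishing lure) can write to. Assumption: extend per estate.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)
CPL_LOADERS = {"control.exe", "rundll32.exe"}

# Collaboration/cloud hosts the article says are abused for C2. Assumption: extend as needed.
C2_CAPABLE_HOSTS = {
    "slack.com", "api.slack.com", "files.slack.com",
    "drive.google.com", "www.googleapis.com", "oauth2.googleapis.com",
    "api.telegram.org",
}
# Processes expected to talk to those hosts. Assumption: tune to the installed software.
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "slack.exe",
    "googledrivefs.exe", "telegram.exe",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> Optional[Alert]:
    """Rule 1: a CPL loader executing a .cpl that lives in a user-writable path."""
    image = _basename(ev.get("Image", ""))
    if image not in CPL_LOADERS:
        return None
    # First quoted or bare absolute path ending in .cpl on the command line.
    m = re.search(r'"?([A-Za-z]:\\[^"]+?\.cpl)"?', ev.get("CommandLine", ""), re.IGNORECASE)
    if not m:
        return None
    cpl_path = m.group(1)
    if USER_WRITABLE.search(cpl_path):
        parent = _basename(ev.get("ParentImage", ""))
        return Alert("cpl_from_user_path", ev["Computer"],
                     f"{image} loaded {cpl_path} (parent {parent})")
    return None


def check_network(ev: dict) -> Optional[Alert]:
    """Rule 2: a non-allowlisted process connecting to a C2-capable cloud API host."""
    image = _basename(ev.get("Image", ""))
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host in C2_CAPABLE_HOSTS and image not in EXPECTED_CLIENTS:
        return Alert("cloud_api_from_unexpected_process", ev["Computer"],
                     f"{image} -> {host}:{ev.get('DestinationPort')}")
    return None


def hunt(events: List[dict]) -> List[Alert]:
    """Dispatch each event to the rule for its EventID and collect alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        alert = None
        if ev.get("EventID") == 1:
            alert = check_process_create(ev)
        elif ev.get("EventID") == 3:
            alert = check_network(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry for this example (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\anita\Downloads\Agenda.cpl"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\anita\Downloads\Agenda.cpl"'},
    # Benign: a built-in applet opened from System32 must not fire.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"'},
    # A binary named like a system process, running from AppData, talking to the Slack API.
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Users\anita\AppData\Roaming\SlackAPI\svchost.exe",
     "DestinationHostname": "api.slack.com", "DestinationPort": 443},
    # Benign: the browser reaching Google Drive is expected and must not fire.
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a.rule, a.host, a.detail)
```

Run against the sample events the hunt raises three alerts: the control.exe and rundll32.exe launches of the Downloads-resident CPL, and the AppData-resident svchost.exe reaching api.slack.com. The System32 applet and the browser session are left alone. In production the allowlist will need care: sync clients and corporate integrations legitimately reach these hosts, so the useful signal is the combination of an unexpected process image, an unexpected path, and a CPL or rundll32 ancestor, not the destination host by itself.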

The continuous evolution of APT36’s malware arsenal, including the introduction of new payloads like ApoloStealer and ConnectX, underscores the group’s focus on data collection, exfiltration, and intelligence gathering. By staging payloads step by step, relying on LoLBins and legitimate software, and routing C2 traffic through cloud services, APT36 remains a persistent threat to organizations in the region. Because blocking Slack, Google Drive or Telegram outright is rarely practical, defenders are better served by process-level telemetry (which process launched a CPL file, which process is talking to a collaboration API) than by network blocklists alone.