CyberSecurity SEE

APT36 Hackers Targeting Windows Devices Using ElizaRAT

In recent news, a sophisticated threat actor known as APT36 has been actively targeting Indian entities using advanced malware like ElizaRAT, specifically designed for espionage purposes. These cybercriminals have been leveraging cloud-based services for covert communication and data exfiltration, making their attacks harder to detect and trace.

One of the key developments in APT36’s recent campaigns is the enhancement of ElizaRAT’s evasion techniques, making it even more potent for carrying out persistent attacks. Additionally, the integration of ApoloStealer into their attack toolkit has further expanded the group’s capabilities, allowing them to steal sensitive information from compromised systems with ease.

Transparent Tribe, the suspected actor behind these attacks, has been employing a two-pronged strategy with ElizaRAT and ApoloStealer to target Indian systems. By disguising the malware as CPL files, the attackers have been able to infiltrate systems, use Slack’s API for command-and-control communication, steal information, and execute commands without raising suspicion.

ApoloStealer, a tool deployed by Transparent Tribe, focuses on data exfiltration by creating a local database of files, including documents, presentations, and images, which are then transmitted to the attacker’s server. This sophisticated technique allows the cybercriminals to gather specific information while remaining undetected.

The Circle ElizaRAT variant, a more advanced version of the malware, uses a dropper to deploy the malicious code with lower detection rates. This dropper creates decoy files and registers victim information within DLLs in a dedicated directory. Circle also utilizes a VPS for C2 communication, checks for India Standard Time, retrieves victim details, and can execute commands given by the attacker.

The Google Drive campaign, another tactic employed by APT36, delivers ElizaRAT malware via spear phishing emails with malicious CPL file attachments. This method leverages Google Cloud for communication, uses X.509 certificates for authentication, and downloads additional payloads like ApoloStealer and ConnectX to steal specific file types and store them on Google Cloud storage service.
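As an added illustration (not code from the report or from Check Point), the following hunt runs over constructed endpoint log lines for two behaviours the article describes: a .cpl lure launched from a user-writable path, and Slack API traffic from a process that is not the Slack client. The log format, field names and the Slack client install path are assumptions.

```python
"""Hunt rules for two ElizaRAT-style behaviours. Added example, not the
report's or Check Point's own tooling; the log lines are constructed
sample data, not real telemetry."""
import re
from urllib.parse import urlparse

# Constructed sample telemetry: "proc" = process creation, "net" = outbound HTTP.
SAMPLE_LOGS = [
    "proc image=C:\\Windows\\System32\\control.exe cmd=\"control.exe C:\\Users\\bob\\Downloads\\agenda.cpl\"",
    "proc image=C:\\Windows\\System32\\rundll32.exe cmd=\"rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\intl.cpl\"",
    "net image=C:\\Users\\bob\\AppData\\Roaming\\update.exe url=https://slack.com/api/chat.postMessage",
    "net image=C:\\Users\\bob\\AppData\\Local\\slack\\app\\slack.exe url=https://slack.com/api/conversations.list",
]

# Paths an unprivileged user can write to (a .cpl lure from one of these is suspicious).
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)
CPL_ARG = re.compile(r"\S+\.cpl\b", re.IGNORECASE)
# Assumed install location of the legitimate Slack desktop client (adjust per fleet).
SLACK_CLIENT = re.compile(r"\\slack\\app[^\\]*\\slack\.exe$", re.IGNORECASE)

def parse(line):
    """Split 'kind key=value key="quoted value"' into (kind, {key: value})."""
    kind, rest = line.split(" ", 1)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rest))
    return kind, {k: v.strip('"') for k, v in fields.items()}

def cpl_lure(fields):
    """True when a Control Panel applet is launched from a user-writable path."""
    m = CPL_ARG.search(fields.get("cmd", ""))
    return bool(m and USER_WRITABLE.search(m.group(0)))

def slack_c2(fields):
    """True when a non-Slack process talks to the Slack Web API."""
    url = fields.get("url", "")
    host = urlparse(url).hostname or ""
    is_slack_api = host.endswith("slack.com") and "/api/" in url
    return is_slack_api and not SLACK_CLIENT.search(fields.get("image", ""))

def hunt(lines):
    """Return (rule_name, process_image) pairs for every matching log line."""
    hits = []
    for line in lines:
        kind, f = parse(line)
        if kind == "proc" and cpl_lure(f):
            hits.append(("cpl_from_user_path", f["image"]))
        elif kind == "net" and slack_c2(f):
            hits.append(("slack_api_non_client", f["image"]))
    return hits
```

The system-installed applet (intl.cpl) and the real Slack client produce no hits, so the rules key on where the applet lives and which process owns the connection rather than on the use of .cpl or slack.com alone.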

Overall, Check Point Research has identified Transparent Tribe’s involvement in these attacks through their custom tool, ElizaRAT, and other indicators like shared email accounts and the use of the pseudonym “Apolo Jones.” These cybercriminals have been utilizing sophisticated tactics, such as distributing malicious files and leveraging social engineering techniques, to target specific individuals and gather intelligence.

The evolving tactics of APT36, including the introduction of new payloads like ApoloStealer, demonstrate their relentless focus on data exfiltration and intelligence gathering against Indian entities. This highlights the importance of robust cybersecurity measures and the need for organizations to stay vigilant against such sophisticated cyber threats.
