A new campaign from the hacking group tracked as APT36, aka ‘Transparent Tribe’ or’ Mythic Leopard,’ has been discovered using new custom malware and entry vectors in attacks against the Indian government.
The particular threat actor has been active since at least 2016, based in Pakistan, and its targets have historically been almost exclusively Indian defense and government entities.
The group’s goal is to collect intelligence through cyber-espionage, so all in all, APT36 is considered to be a Pakistan-aligned and state-sponsored threat actor.
Researchers at Cisco Talos have published a report today detailing their recent findings on the activity of APT36 and underline some interesting new shifts in the threat actor’s tactics.
New infection vector
The most interesting aspect of the new campaign is the use of laced Kavach authentication apps targeting employees of the Indian government.
Kavach Authentication is an OTP application authored by the Indian National Informatics Center for secure multi-factor authentication on critical IT systems.
The app is used extensively by military personnel or employees of the Indian government that need to access IT resources like email services or databases.
The distribution of the fake Kavach installers is done via counterfeit websites that are clones of legitimate sites of Indian governments, like that of the Defense Service Officers’ Institute.
The victims receive a copy of a legitimate Kavach installer and also a malicious payload that automatically initiates the infection process with the threat actor’s malware of choice.
Both cloned websites and the use of malware masquerading as legitimate and known apps are common and previously observed tactics of APT36.
New custom malware
The threat actor is still using CrimsonRAT, first spotted in 2020 campaigns, but the malware has evolved to offer more capabilities to its operators.
CrimsonRAT is the primary spearhead tool of APT36, able to steal credentials from the browser, list running processes, retrieve additional payloads from the C2, and capture screenshots.
In its 2022 version, CrimsonRAT also employs a keylogger, supports the execution of arbitrary commands on the compromised system, can read the contents of files, delete files, and more.
Another tool used in the recent campaigns is a lightweight .NET remote access trojan that is more basic compared to CrimsonRAT but still offers powerful functions such as:
List all running processes on the endpoint.
Download and execute a file from the C2.
Download and execute a file specified by the C2 from another remote location.
Close connection with the C2 until the next run.
Gather system information from the endpoint such as Computer Name, username, public and local IPs, Operating system name, list of runnings AVs, device type (desktop or laptop).
APT36 likely uses that second implant for redundancy, while it may be just the early development version of a new custom RAT that will be improved with more features in the future.
In 2021, APT36 also used ObliqueRAT in very narrow targeting attacks against government personnel, while the infection vector then was emails with VBS-laced documents.
‘Transparent Tribe’ is still evolving and remains highly active, improving its implants and regularly refreshing its infection vectors to stay elusive and undetectable.