APT36, also known as Transparent Tribe, is a sophisticated advanced persistent threat (APT) group believed to be based in Pakistan. Over the past years, APT36 has been actively engaged in cyber-espionage campaigns primarily targeting Indian government organizations, military entities, and diplomatic missions. Their operations reflect a strategic focus on intelligence gathering, posing significant threats to national security and geopolitical stability in the South Asian region.

Central to APT36's arsenal is the ElizaRAT malware, a Windows Remote Access Tool (RAT) that has undergone several iterations and enhancements. Recent analyses reveal that ElizaRAT has incorporated advanced evasion techniques and improved command-and-control (C2) functionalities, including the use of popular cloud services like Google Drive, Telegram, and Slack for C2 communications. This approach allows the group to blend malicious activities with legitimate network traffic, complicating detection efforts.

Additionally, APT36 has integrated a new stealer payload, ApoloStealer, designed to exfiltrate specific file types from infected systems. This modular approach to malware deployment allows APT36 to tailor its operations to specific targets and objectives, emphasizing its strategic focus on data theft and espionage.

Cybersecurity firms such as Check Point Research have extensively documented APT36's continuous refinement of its operations, including their use of spear-phishing campaigns utilizing Control Panel files (CPL) as the initial infection vector. These developments underscore the necessity for cybersecurity professionals to develop robust detection and mitigation strategies to protect potential targets.

Findings

1. Persistent Targeting of Indian Entities: APT36 has consistently targeted Indian government organizations, military entities, and diplomatic missions, reflecting their geopolitical motivations and the strategic importance of these targets.

2. Evolution of ElizaRAT with Enhanced Capabilities: The latest versions of ElizaRAT include new evasion techniques and enhanced C2 capabilities, making it more challenging for defenders to detect and mitigate. This evolution signifies a strategic enhancement in APT36's malware arsenal, focusing on stealth and persistence.

3. Distribution via Spear-Phishing and Cloud Services: APT36 primarily distributes ElizaRAT through spear-phishing emails containing malicious CPL files hosted on cloud services like Google Storage. This method leverages cloud services for distribution and C2 communications, complicating detection efforts and highlighting the need for robust email security measures.

4. Integration of ApoloStealer: The introduction of ApoloStealer as part of ElizaRAT's payload allows APT36 to collect and exfiltrate specific file types, emphasizing the malware's role in data theft and espionage.

5. Use of Legitimate Software and Services for C2: APT36 employs legitimate software and services, such as Telegram, Slack, and Google Drive, for C2 communications. This tactic, known as "living off the land," complicates network traffic analysis and requires advanced threat detection capabilities.

6. Modular Malware Approach and Continuous Evolution: APT36's use of modular malware allows for flexibility and adaptability in targeting and operations. Their operations have shown a continuous evolution in tactics and tools, reflecting their commitment to maintaining operational effectiveness and evading detection.

Assessment Rating

Rating: HIGH

The assessment rating for APT36 is high due to the group's persistent targeting of critical sectors such as government, military, and diplomatic entities. The potential impact of their operations on national security and geopolitical stability underscores the significant threat posed by this actor.

Origin and Attribution

APT36 is believed to be based in Pakistan, with operations primarily targeting Indian entities. The group is also known by several aliases, including Transparent Tribe, Earth Karkaddan, Mythic Leopard, Operation C-Major, and TEMP.Lapis, as attributed by various cybersecurity firms.

Countries Targeted

1. India: APT36's primary target, focusing on government, military, and diplomatic sectors.
2. Other South Asian Countries: Potential expansion to neighboring countries for broader intelligence gathering.

Sectors Targeted

1. Government: To gather intelligence and sensitive information.
2. Military: For strategic and defense-related data.
3. Diplomatic: For geopolitical intelligence and communications.

Motivation

APT36's primary motivation is intelligence gathering and espionage, focusing on collecting sensitive information to support strategic and geopolitical objectives.

Attack Types

• Spear-Phishing Campaigns: Distributing malicious CPL files via targeted emails.
• Use of Remote Access Tools: Deploying ElizaRAT for remote system control.
• Data-Stealing Payloads: Utilizing ApoloStealer to exfiltrate files.

Known Aliases

1. Transparent Tribe
   • Source: Check Point Research
   • URL: Check Point Research
2. Earth Karkaddan
   • Source: Trend Micro
   • URL: Trend Micro
3. Mythic Leopard
   • Source: CrowdStrike
   • URL: CrowdStrike

Links to Other APT Groups

1. SideWinder APT
   • Description: An APT group with suspected ties to India, known for targeting high-profile entities in the Middle East and Africa.
   • Origin and Attribution: Suspected Indian ties, targeting similar sectors.
   • All known aliases: None specified.
   • Relationship to Threat Actor: Potential regional adversary with overlapping interests.
   • Recent and valid URL

Similar Threat Actor Groups

1. APT29 (Cozy Bear)
   • Description: Known for sophisticated cyber-espionage operations.
   • Origin: Russia
   • Relation: Similar targeting and advanced malware use.
   • Source: MITRE
   • URL: MITRE
2. APT28 (Fancy Bear)
   • Description: Targets government and military sectors.
   • Origin: Russia
   • Relation: Focus on intelligence gathering with advanced tactics.
   • Source: MITRE
   • URL: MITRE

Breaches and Case Studies

1. APT36 Campaigns Targeting Indian Entities - 2024
   • Description: Multiple campaigns using ElizaRAT, targeting government and military entities via spear-phishing and cloud-based C2.
   • Actionable Takeaways: Implement advanced email filtering, monitor for unusual C2 communications, and educate employees on phishing threats.
   • References: Dark Reading, Check Point Research
2. ApoloStealer Deployment - 2024
   • Description: Introduction of a payload designed to exfiltrate files, emphasizing data theft focus.
   • Actionable Takeaways: Enhance data exfiltration monitoring and strengthen endpoint security.
   • References: Infosecurity Magazine

Forecast

Short-Term Forecast (3-6 months)

1. Increased Phishing Campaigns Using ElizaRAT and Enhanced Techniques
   • Expectations: Intensified phishing campaigns leveraging cloud services for C2, with sophisticated social engineering.
   • References: Dark Reading, Infosecurity Magazine
2. Broader Deployment of ApoloStealer
   • Expectations: Expanded data exfiltration efforts targeting specific file types, increasing sensitive data breach risks.
   • References: Check Point Research, Times of India

Long-Term Forecast (12-24 months)

1. Advancement of ElizaRAT's Capabilities
   • Expectations: Incorporation of more advanced evasion techniques and functionalities, challenging traditional security measures.
   • References: Check Point Research, Times Now
2. Expansion Beyond Indian Targets
   • Expectations: Potential targeting of other South Asian countries due to evolving geopolitical interests.
   • References: Moneycontrol

Follow-up Research

1. Technical Details and IoCs of Latest ElizaRAT Variants
2. Enhancing Detection Against Evasion Techniques
3. Geopolitical Implications of APT36's Campaigns
4. Mitigating Misuse of Cloud Platforms for Malicious Activities

Recommendations, Actions, and Next Steps

1. Enhance Email Security and Phishing Awareness
   • Implement advanced email filtering to detect phishing attempts involving CPL files.
   • Conduct regular training for employees on recognizing and reporting phishing emails.
2. Strengthen Network Monitoring and Threat Detection
   • Deploy tools to identify unusual C2 communications, especially via cloud services.
   • Implement advanced threat detection for cloud-based C2 activities.
3. Implement Endpoint Detection and Response (EDR)
   • Use EDR solutions to monitor and respond to suspicious endpoint activities.
   • Detect execution of CPL files and other ElizaRAT indicators.
4. Collaborate with Cloud Service Providers
   • Develop strategies with providers to detect and mitigate platform misuse.
   • Enhance threat intelligence sharing for improved security.
5. Conduct Regular Security Audits and Stay Informed
   • Perform audits to identify vulnerabilities exploitable by APT36.
   • Subscribe to threat intelligence feeds and participate in cybersecurity communities.

APPENDIX

References and Citations

1. Dark Reading
   • APT36 Refines Tools in Attacks on Indian Targets
2. Check Point Research
   • The Evolution of Transparent Tribe's New Malware
3. Infosecurity Magazine
   • Pakistan Hackers Target High-Profile Indian Entities
4. Times of India
   • How Pakistani Hackers Are Using ElizaRAT Virus to Target India
5. Moneycontrol
   • Pakistan-Linked Hackers Using Google Drive, Telegram, and Slack

Mitre ATT&CK TTPs

1. T1566 - Phishing
   • MITRE ATT&CK
2. T1071 - Application Layer Protocol
   • MITRE ATT&CK
3. T1041 - Exfiltration Over C2 Channel
   • MITRE ATT&CK
4. T1218 - Signed Binary Proxy Execution
   • MITRE ATT&CK
5. T1102 - Web Service
   • MITRE ATT&CK
6. T1059.001 - Command and Scripting Interpreter: PowerShell
   • MITRE ATT&CK
7. T1105 - Ingress Tool Transfer
   • MITRE ATT&CK
8. T1078 - Valid Accounts
   • MITRE ATT&CK

Mitre ATT&CK Mitigations

1. M1017 - User Training
   • MITRE ATT&CK
2. M1031 - Network Intrusion Prevention
   • MITRE ATT&CK
3. M1048 - Application Isolation and Sandboxing
   • MITRE ATT&CK
4. M1021 - Data Loss Prevention
   • MITRE ATT&CK
5. M1030 - Network Segmentation
   • MITRE ATT&CK
6. M1026 - Privileged Account Management
   • MITRE ATT&CK
7. M1056 - Pre-compromise Security Training
   • MITRE ATT&CK
8. M1049 - Antivirus/Antimalware
   • MITRE ATT&CK

AlphaHunt

Get questions like this? Does it take a chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0