APT36 Refines Tools in Attacks on Indian Targets

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

A Step-by-Step Cyberattack Capability

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

Three Campaigns, Three Versions

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!