Check Point Research has reported that a Pakistan-linked threat group, known as Transparent Tribe or APT36, is actively targeting Indian entities with a Windows remote access trojan called ElizaRAT. The malware was first observed in September 2023 and has since been upgraded with more sophisticated evasion techniques and improved command-and-control (C2) functions.
The report describes three separate campaigns run between late 2023 and early 2024, each using a different version of ElizaRAT to extract data from target systems. The common thread is that every version checks that the infected system's time zone is set to Indian Standard Time (IST), which indicates the malware is built specifically for Indian targets.
What is ElizaRAT malware?
According to the report, ElizaRAT is a Windows remote access tool whose operators rely on popular cloud services, including Google Drive, Slack and Telegram, for command and control. Routing C2 traffic through well-known platforms lets the group blend its activity into the everyday network traffic of its victims, which are predominantly Indian-associated entities.
Check Point's report highlights that ElizaRAT drops decoy documents and Windows shortcut files to disguise its true purpose. It uses SQLite to store victim data locally before exfiltration, after which the data is sent out through secure channels. A notable component is its ability to deploy additional payloads for specific targets, such as ApoloStealer, a newly identified stealer designed to collect desktop files and harvest sensitive information from infected systems.
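The report says ElizaRAT stages victim data in a local SQLite database before exfiltration. An incident responder who recovers such a file usually knows nothing about its schema, so the following added example (written for this article, not code from Check Point or from the malware) shows how to confirm a recovered file really is SQLite, then enumerate its tables, columns and row counts read-only without touching the evidence. The table and column names in the constructed sample database are made up for the demonstration and are not the real ElizaRAT schema.

```python
"""Triage an unknown SQLite database recovered from a compromised host.

Added example, not code from the Check Point report or from ElizaRAT.
The staging schema built below is constructed for the demo only.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite_file(path):
    """Header check: malware rarely uses a .db extension, so trust the magic bytes, not the name."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def build_constructed_db(path):
    """Create a CONSTRUCTED sample staging database (hypothetical schema, not ElizaRAT's)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        r"""
        CREATE TABLE files(path TEXT, size INTEGER, mtime TEXT);
        CREATE TABLE hostinfo(key TEXT, value TEXT);
        INSERT INTO files VALUES('C:\Users\victim\Desktop\budget.xlsx', 48213, '2024-01-12T09:41:00');
        INSERT INTO files VALUES('C:\Users\victim\Desktop\notes.docx', 10240, '2024-01-14T17:03:00');
        INSERT INTO hostinfo VALUES('hostname', 'FIN-WS-07');
        INSERT INTO hostinfo VALUES('timezone', 'India Standard Time');
        """
    )
    conn.commit()
    conn.close()


def triage_sqlite(path, preview_rows=3):
    """Return {table: {columns, rows, preview}} for every user table, opening the file read-only."""
    if not is_sqlite_file(path):
        raise ValueError(f"{path} does not carry the SQLite 3 header")
    # mode=ro guarantees we never write to the evidence file (no journal, no WAL creation).
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    result = {}
    try:
        tables = [
            r[0]
            for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' "
                "AND name NOT LIKE 'sqlite_%' ORDER BY name"
            )
        ]
        for name in tables:
            # Quote identifiers; attacker-chosen table names must not reach the SQL unescaped.
            ident = '"' + name.replace('"', '""') + '"'
            cols = [r[1] for r in conn.execute(f"PRAGMA table_info({ident})")]
            count = conn.execute(f"SELECT COUNT(*) FROM {ident}").fetchone()[0]
            preview = conn.execute(f"SELECT * FROM {ident} LIMIT ?", (preview_rows,)).fetchall()
            result[name] = {"columns": cols, "rows": count, "preview": preview}
    finally:
        conn.close()
    return result


def demo():
    """Build the constructed sample in a temp dir and triage it; returns the triage dict."""
    tmpdir = tempfile.mkdtemp()
    db_path = os.path.join(tmpdir, "staging.bin")  # deliberately not named .db
    build_constructed_db(db_path)
    return triage_sqlite(db_path)


if __name__ == "__main__":
    for table, info in demo().items():
        print(f"{table}: {info['rows']} rows, columns={info['columns']}")
        for row in info["preview"]:
            print("   ", row)
```

Run the triage against a copy of the recovered file, never the original, and record the header check result alongside the file hash; the read-only URI prevents SQLite from creating a journal next to the evidence, which a plain `sqlite3.connect(path)` would do on the first write.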
How does it affect infected systems?
The malware has evolved since its inception in September 2023. According to the report, Transparent Tribe introduced a second variant of ElizaRAT called 'Circle'. The updated version ships with a reworked dropper component that lowers its chances of being detected by antivirus and anti-malware products.
The new variant drops a zip archive on the targeted system containing a PDF or MP4 decoy file alongside a shortcut file linked to SlackAPI. This development reflects Transparent Tribe's increasing effort to refine malware delivery and evade detection.
In the third campaign, the group uses Google Cloud as the C2 channel to direct the malware, with payloads distributed from Virtual Private Servers (VPS). The strategic use of popular cloud services lets Transparent Tribe keep its attacks running undetected, because traffic to these services passes conventional network security controls that would flag connections to unknown infrastructure.