Check Point Unveils Pakistan-Linked APT36's New Malware, ElizaRAT, Targeting Indian Entities

Check Point disclosed that Transparent Tribe, a Pakistan-affiliated threat actor also known as APT36, recently targeted Indian entities with a new malware called ElizaRAT in several successful campaigns.

Check Point Research has tracked the malware since it was first detected and has watched it grow more sophisticated over time, specifically in its evasion techniques and its command-and-control (C2) capabilities.

Background and Evolution of ElizaRAT

ElizaRAT is a Windows remote access tool (RAT) first disclosed in September 2023 and used by Transparent Tribe in targeted attacks. Infections typically begin with an executable shared through a Google Storage link, most likely delivered by phishing. Earlier variants relied on Telegram for C2 communication. Since its initial detection, ElizaRAT has evolved in its execution methods, detection evasion and C2 communication, as seen in three distinct campaigns running from late 2023 to early 2024. Each campaign used a different ElizaRAT variant to deploy a specific payload for automated information gathering.

ElizaRAT's defining characteristics are its use of cloud services (Google, Telegram and Slack) for distribution and C2 communication, and its delivery as a CPL (Control Panel item) file. A CPL file is a DLL that Windows hands to control.exe (which loads it via rundll32.exe) when the user double-clicks it, so a phished recipient launches it as readily as an .exe without the file carrying an executable extension. The malware also drops decoy documents, creates a shortcut (LNK) to itself and uses a local SQLite database to stage victim data before exfiltration.

ElizaRAT Uses Slack for C2 Communication

In the first of the three campaigns, an ElizaRAT variant that Check Point calls Slack API used Slack channels for its C2 communication. Dating from the end of 2023, the malware is delivered as a CPL file, which makes it easy to launch through phishing. It collects user information, logs its own actions, checks the local time zone and drops a fake MP4 file. It sends the victim details to the C2 server and then polls for new commands every minute, using Slack's API for all of its communication with the attacker.
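A one-minute polling loop against a legitimate SaaS API is the detectable part of this design: the destination is benign, but the cadence is not. The following hunting script, an added example that is not Check Point's code and not from the report, groups requests to slack.com/api by source address and flags sources whose inter-request gaps are nearly constant. The log format ("timestamp src_ip host path") and the addresses are constructed for the demonstration, not a real proxy schema or real telemetry; the 60-second period and 5-second jitter threshold are assumptions you would tune to your environment.

```python
"""Hunt for hosts polling the Slack Web API at a fixed cadence.

Added example, not Check Point's code; the log layout below is a
constructed "timestamp src_ip host path" format, not a real proxy schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: 10.0.0.5 polls slack.com/api every ~60 s (beacon-like),
# 10.0.0.7 is an interactive Slack user, 10.0.0.9 never touches Slack.
SAMPLE_LOG = """\
2024-01-15T09:00:00Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:01:00Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:02:01Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:03:00Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:04:00Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:05:01Z 10.0.0.5 slack.com /api/conversations.history
2024-01-15T09:00:12Z 10.0.0.7 slack.com /api/chat.postMessage
2024-01-15T09:07:45Z 10.0.0.7 slack.com /api/conversations.list
2024-01-15T09:31:03Z 10.0.0.7 slack.com /api/chat.postMessage
2024-01-15T09:48:19Z 10.0.0.7 slack.com /api/users.info
2024-01-15T09:52:02Z 10.0.0.7 slack.com /api/chat.postMessage
2024-01-15T09:00:30Z 10.0.0.9 example.com /index.html
2024-01-15T09:01:30Z 10.0.0.9 example.com /index.html
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host, path) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path


def find_periodic_beacons(text, api_host="slack.com", api_prefix="/api/",
                          min_requests=5, max_jitter_s=5.0):
    """Return sources whose Slack API requests arrive at a near-constant interval.

    min_requests and max_jitter_s are assumed thresholds for the demo.
    """
    stamps_by_src = defaultdict(list)
    for ts, src, host, path in parse_log(text):
        if (host == api_host or host.endswith("." + api_host)) and path.startswith(api_prefix):
            stamps_by_src[src].append(ts)

    findings = []
    for src, stamps in stamps_by_src.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period, jitter = mean(gaps), pstdev(gaps)
        if jitter <= max_jitter_s:  # human traffic has large, irregular gaps
            findings.append({"src": src, "requests": len(stamps),
                             "period_s": round(period, 1), "jitter_s": round(jitter, 1)})
    return findings


if __name__ == "__main__":
    for finding in find_periodic_beacons(SAMPLE_LOG):
        print(finding)
```

Two caveats apply. Real Slack desktop and web clients also talk to slack.com/api, so a hit is a hunting lead to correlate with endpoint telemetry (the originating process being control.exe or rundll32.exe loading a CPL from a user-writable path is the real anomaly), not a verdict. And the path filter needs TLS inspection; without it the proxy only sees the host, and the cadence check then has to run on host-level connection timestamps alone. A randomized sleep would also defeat this simple jitter test.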

ApoloStealer: The New Payload

In the same campaign, Transparent Tribe deployed a new payload against selected targets, which Check Point dubbed ApoloStealer; it was compiled one month after the ElizaRAT Slack API variant. ApoloStealer first creates a database file and a table in it to hold a record for each file, then collects files from the victim's desktop. Once all relevant files are stored in the database, it sends them to the C2 server.
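Because ApoloStealer, like the rest of the ElizaRAT tooling, stages collected files in a local SQLite database before exfiltration, a stray SQLite file in a user profile is a forensic artifact worth triaging. The script below is an added example, not Check Point's code, and it does not reproduce ApoloStealer's real schema, which the report does not describe: the constructed "one row per collected file" table it builds is an assumption for the demo. The triage function opens a database read-only, enumerates its tables, and flags any table that pairs path-like TEXT values with BLOB content as a staging candidate, labelling the blobs by file signature so you can see at a glance what was collected.

```python
"""Triage a SQLite file suspected of being a stealer's local staging database.

Added example: not Check Point's code, and the sample schema is an assumed
approximation of "one row per collected file", not ApoloStealer's real layout.
"""
import os
import re
import sqlite3
import tempfile

# A few common document signatures, used to label staged blobs.
MAGICS = {b"PK\x03\x04": "zip/ooxml", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole2"}
# Windows drive, UNC or POSIX absolute path ending in a short extension.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|/|\\\\)[^\n]*\.[A-Za-z0-9]{1,5}$")


def build_sample_staging_db(path):
    """Write a constructed staging database for the demo (not real evidence)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT, content BLOB)")
    rows = [
        ("C:\\Users\\victim\\Desktop\\budget.xlsx", b"PK\x03\x04" + b"\x00" * 12),
        ("C:\\Users\\victim\\Desktop\\report.pdf", b"%PDF-1.7\n" + b"\x00" * 7),
        ("C:\\Users\\victim\\Desktop\\notes.txt", b"meeting at 10"),
    ]
    con.executemany("INSERT INTO files (path, content) VALUES (?, ?)", rows)
    con.commit()
    con.close()


def _label(blob):
    """Map a blob to a file type by its leading bytes."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def triage_sqlite(path, sample_rows=50):
    """Return one report dict per table in the database.

    A table whose TEXT column holds only path-like values and which also has a
    BLOB column is reported as a staging candidate.
    """
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never write to evidence
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()]
    reports = []
    for table in tables:
        q = '"' + table.replace('"', '""') + '"'  # quote the identifier safely
        cols = con.execute(f"PRAGMA table_info({q})").fetchall()  # (cid, name, type, ...)
        names = [c[1] for c in cols]
        blob_cols = [c[1] for c in cols if c[2].upper() == "BLOB"]
        text_cols = [c[1] for c in cols if c[2].upper() == "TEXT"]
        rows = con.execute(f"SELECT * FROM {q} LIMIT ?", (sample_rows,)).fetchall()
        path_cols = [
            c for c in text_cols
            if rows and all(isinstance(r[names.index(c)], str)
                            and PATH_RE.match(r[names.index(c)]) for r in rows)
        ]
        staged_bytes, types = 0, {}
        for r in rows:
            for c in blob_cols:
                blob = r[names.index(c)]
                if isinstance(blob, (bytes, memoryview)):
                    blob = bytes(blob)
                    staged_bytes += len(blob)
                    types[_label(blob)] = types.get(_label(blob), 0) + 1
        total = con.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
        reports.append({
            "table": table, "rows": total,
            "path_columns": path_cols, "blob_columns": blob_cols,
            "staged_bytes": staged_bytes, "file_types": types,
            "staging_candidate": bool(path_cols and blob_cols),
        })
    con.close()
    return reports


def demo():
    """Build the constructed database in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "staging.db")
        build_sample_staging_db(db)
        return triage_sqlite(db)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run triage_sqlite against a copy of the suspect file, never the original. The staged_bytes figure is a useful lower bound on what the operator intended to exfiltrate, and the path column gives you the victim-side file list without having to carve anything.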

The Circle Campaign

In January 2024, the second ElizaRAT variant, called Circle, appeared. It features an improved dropper component that significantly lowers detection rates. The Circle campaign's payload resembles the one used with Slack API, but unlike the other ElizaRAT variants, Circle does not use a cloud service for C2; it communicates with a primary virtual private server (VPS) instead.

The dropper's job is to set up ElizaRAT's execution: it extracts a ZIP archive containing the malware and creates a working directory into which it places a decoy PDF and an MP4 file. Like every other ElizaRAT variant, Circle also creates an LNK file pointing to the malware, even though none of the variants actually uses that shortcut. The LNK's description field reads "Slack API", which suggests a link to the Slack campaign.

The Google Drive Campaign

Like the earlier campaigns, the third one drops the malware files, including a decoy PDF and the main ElizaRAT variant. This variant uses Google Cloud for its C2 communication and receives commands to download the next-stage payload from various virtual private servers (VPS). Check Point Research identified two payloads in this campaign, both info stealers, each built for a specific purpose.

Interest in India-related Targets

All ElizaRAT variants begin with the same check that the system's time zone is set to India Standard Time, which indicates that the campaigns target Indian systems. The same check matters during analysis: if it gates execution, as targeting filters normally do, a sandbox or analyst VM set to any other time zone may never run the malware's main logic, so detonate it with the clock set to IST (on Windows, Set-TimeZone -Id "India Standard Time").
