Check Point Unveils Pakistan-Linked APT36's New Malware, ElizaRAT, Targeting Indian Entities
Check Point disclosed that Transparent Tribe,
a Pakistan-affiliated threat actor also known as APT36, recently targeted
Indian entities with a new malware called ElizaRAT in several successful
campaigns.
Since it was first detected, Check Point Research has tracked
the malware, identifying increased sophistication throughout its tenure.
Specifically, ElizaRAT enhanced its evasive methods and command and control
capabilities.
Background and Evolution of ElizaRAT
ElizaRAT, a Windows Remote Access Tool disclosed in September
2023, is employed by Transparent Tribe in targeted attacks. Infections
typically start via executable files shared through Google Storage links,
likely due to phishing efforts. Earlier variants relied on Telegram for Command
and Control (C2) communication. Since its initial detection, ElizaRAT has
evolved in execution methods, detection evasion and C2 communication, as
demonstrated in three distinct campaigns from late 2023 to early 2024. Each
campaign used a different variant of ElizaRAT to deploy specific payloads for
automated information gathering.
ElizaRAT's defining characteristics include
using cloud services like Google, Telegram and Slack for distribution and C2
communication, often executed through CPL files. It employs tactics such as
dropping decoy documents, creating shortcuts to the malware and using SQLite to
store victim data locally before exfiltration.
ElizaRAT Uses Slack for C2 Communication
In the first of three campaigns, a variant of ElizaRAT called
Slack API used Slack channels for its C2 Communication. Created at the end of
2023, the malware is delivered as a CPL file, making it easy to run through
phishing attacks. It collects user information, logs actions, checks the local
time zone and drops a fake mp4 file. The malware sends victim details to the C2
server and checks for new commands every minute. The C2 communications in the
malware use Slack's API to interact with the attacker.
ApoloStealer: The New Payload
In the same campaign, Transparent Tribe deployed a new
payload for specific targets, which Check Point dubbed ApoloStealer. The
malware was compiled one month after the ElizaRAT Slack API variant.
ApoloStealer first creates a database file and then a table to store data on
each file. The malware then collects its victims' desktop files. Once all
relevant files are stored, ApoloStealer sends them to the C2 server.
The Circle Campaign
In January 2024, the second variant of the ElizaRAT malware
called Circle was released. This version features an enhanced dropper
component, significantly lowering detection rates. The Circle campaign employs
a payload like Slack API's payload, though, unlike other ElizaRAT variants such
as the Slack API variant, Circle avoids using cloud services for command and
control (C2) and relies on a primary virtual private server (VPS) for its C2
communications.
The dropper's primary function is to prepare for ElizaRAT's
execution. It extracts a zip file containing the malware and creates a working
directory that places a decoy PDF and an MP4 file. The malware, just like all
ElizaRAT malware, created an LNK file for the malware despite none of the
malware using the file. The description of the LNK is "Slack API",
which suggests a connection to the Slack campaign.
The Google Drive Campaign
Like previous versions of ElizaRAT, the third detected
campaign drops the malware files, including the decoy PDF and the main ElizaRAT
variant. This variant leverages Google Cloud for its C2 communication and sends
commands to download the next stage payload from different virtual private
servers (VPS). Check Point Research identified two payloads used in this
campaign, both of which function as info stealers, each designed for a specific
purpose.
Interest in India-related Targets
All ElizaRAT variants deployed the same initial function of
verifying that the system's time zone was set to India Standard Time,
suggesting that the campaigns targeted Indian systems.
Leave A Comment