APT36 Impersonates MFA Software to Infect the Indian Government
Zscaler ThreatLabz released new intelligence on APT36 (aka Transparent Tribe) targeting the Indian government in credential and data theft operations. Throughout 2022, the group has launched various credential-harvesting email and malvertising campaigns, frequently impersonating government and military organizations to lure victims. In its latest activity, APT36 "abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications." The group registers several domains that mimic the official Kavach application download portal; these can only be accessed from an Indian IP address, otherwise the site redirects to India's National Informatics Centre (NIC) website. APT36's impersonation sites are typically up for a month before a new one is spun up. When a download is initiated, a Python downloader delivers a backdoor and a new data exfiltration tool to the compromised host. "The main purpose of this new tool is to constantly upload any new file of interest from the victim's machine to the attacker's server. It synchronizes this file stealing operation between the victim's machine and the attacker's server by maintaining a local custom SQLite database." To ensure the malware infects only the targeted group of users, a system time check allows the malicious binaries to execute only if the system is running in India's time zone. For persistence, a shortcut (LNK) file is created in the Windows Startup directory. APT36's campaigns are often conducted for espionage, and any data and credentials compromised could be used to infect other targeted entities.
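As an added defender-side example (not code from the Zscaler report or the campaign), the Startup-folder LNK persistence described above can be hunted in file-creation telemetry. The script below parses constructed Sysmon Event ID 11 (FileCreate) records and flags any shortcut written into a per-user or all-users Startup folder, rating it higher when the writing process is not the Windows shell; the sample events, paths and the explorer.exe heuristic are assumptions made for this illustration.

```python
import json
import ntpath
import re

# Constructed Sysmon Event ID 11 (FileCreate) records as JSON lines; not telemetry from the campaign.
SAMPLE_EVENTS = r'''
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\report.docx"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Kavach.lnk"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk"}
{"EventID": 11, "Image": "C:\\Tools\\python\\python.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.lnk"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": ""}
'''

# Per-user and all-users Startup folders share this tail; match a .lnk placed directly inside it.
STARTUP_LNK = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

def is_startup_lnk(path: str) -> bool:
    """True if the path is a shortcut file inside a Windows Startup folder."""
    return bool(STARTUP_LNK.search(path))

def _created_by_shell(image: str) -> bool:
    """Heuristic (assumption): explorer.exe from the Windows directory is a user adding a shortcut."""
    return (ntpath.basename(image).lower() == "explorer.exe"
            and ntpath.dirname(image).lower() == r"c:\windows")

def detect_startup_persistence(jsonl: str) -> list:
    """Report every .lnk dropped into a Startup folder, rated by which process wrote it."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 11:  # only FileCreate events carry a dropped-file path
            continue
        target = ev.get("TargetFilename", "")
        if not is_startup_lnk(target):
            continue
        image = ev.get("Image", "")
        findings.append({
            "target": target,
            "creator": image,
            # an installer running from %TEMP% or a script interpreter writing here is the pattern to chase
            "severity": "low" if _created_by_shell(image) else "high",
        })
    return findings

if __name__ == "__main__":
    for f in detect_startup_persistence(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["creator"], "->", f["target"])
```

Pointing the same logic at real Sysmon exports (EventID 11 converted to JSON lines) lets an analyst triage Startup-folder shortcuts by their creating process rather than reviewing every LNK by hand.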