The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities.
“Initial access is achieved through spear-phishing emails,” CYFIRMA said. “Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads.”
Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs).
The latest dual-platform demonstrates the adversarial collective’s continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments.
The attack chains begin with phishing emails bearing supposed meeting notices, which, in reality, are nothing but booby-trapped Linux desktop shortcut files (“Meeting_Ltr_ID1543ops.pdf.desktop”). These files masquerade as PDF documents to trick recipients into opening them, leading to the execution of a shell script.
The shell script serves as a dropper to fetch a hex-encoded file from an attacker-controlled server (“securestore[.]cv”) and save it to disk as an ELF binary, while simultaneously opening a decoy PDF hosted on Google Drive by launching Mozilla Firefox. The Go-based binary, for its part, establishes contact with a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, to receive commands, fetch payloads, and exfiltrate data.
The malware also establishes persistence by means of a cron job that executes the main payload automatically after a system reboot or process termination.
Cybersecurity company CloudSEK, which also independently reported the activity, said the malware performs system reconnaissance and is equipped to carry out a series of dummy anti-debugging and anti-sandbox checks in a bid to throw off emulators and static analyzers.
Furthermore, Hunt.io’s analysis of the campaign has revealed that the attacks are designed to deploy a known Transparent Tribe backdoor called Poseidon that enables data collection, long-term access, credential harvesting, and potentially lateral movement.
“APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls,” CYFIRMA said.
The disclosure comes weeks after the Transparent Tribe actors were observed targeting Indian defense organizations and related government entities using spoofed domains with the ultimate goal of stealing credentials and two-factor authentication (2FA) codes. It’s believed that users are redirected to these URLs through spear-phishing emails.
“Upon entering a valid email ID in the initial phishing page and clicking the ‘Next’ button, the victim is redirected to a second page that prompts the user to input their email account password and the Kavach authentication code,” CYFIRMA said.
It’s worth noting that the targeting of Kavach, a 2FA solution used by the Indian government agencies to improve account security, is a tried-and-tested tactic adopted by Transparent Tribe and SideCopy since early 2022.
“The use of typo-squatted domains combined with infrastructure hosted on Pakistan-based servers is consistent with the group’s established tactics, techniques, and procedures,” the company said.
The findings also follow the discovery of a separate campaign undertaken by a South Asian APT to strike Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey through spear-phishing emails that are engineered for credential theft using lookalike pages hosted on Netlify and Pages.dev.
“These campaigns mimic official communication to trick victims into entering credentials on fake login pages,” Hunt.io said earlier this month, attributing it to a hacking group called SideWinder.
“Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.”
