November 9, 2024
IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools
High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point

Nov 08, 2024Ravie LakshmananCyber Espionage / Threat Intelligence

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.

The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week.

“ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications,” the Israeli company said.

ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.

Its malware arsenal includes tools for compromising Windows, Android, and Linux devices. The increased targeting of Linux machines is motivated by the Indian government’s use of a custom Ubuntu fork called Maya OS since last year.

Infection chains are initiated by Control Panel (CPL) files likely distributed via spear-phishing techniques. As many as three distinct campaigns employing the RAT have been observed between December 2023 and August 2024, each using Slack, Google Drive, and a virtual private server (VPS) for command-and-control (C2).

While ElizaRAT enables the attackers to exert complete control over the targeted endpoint, ApoloStealer is designed to gather files matching several extensions (e.g., DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from the compromised host and exfiltrate them to a remote server.

In January 2024, the threat actor is said to have tweaked the modus operandi to include a dropper component that ensures the smooth functioning of ElizaRAT. Also observed in recent attacks is an additional stealer module codenamed ConnectX that’s engineered to search for files from external drives, such as USBs.

The abuse of legitimate services widely used in enterprise environments heightens the threat as it complicates detection efforts and allows threat actors to blend into legitimate activities on the system.

“The progression of ElizaRAT reflects APT36’s deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities,” Check Point said. “Introducing new payloads such as ApoloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment.”

IcePeony Goes After India, Mauritius, and Vietnam

The disclosure comes weeks after the nao_sec research team revealed that an advanced persistent threat (APT) group it calls IcePeony has targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam since at least 2023.

“Their attacks typically start with SQL Injection, followed by compromise via web shells and backdoors,” security researchers Rintaro Koike and Shota Nakajima said. “Ultimately, they aim to steal credentials.”

One of the most noteworthy tools in its malware portfolio is IceCache, which is designed to target Microsoft Internet Information Services (IIS) instances. An ELF binary written in the Go programming language, it’s a custom version of the reGeorg web shell with added file transmission and command execution features.

The attacks are also characterized by the use of a unique passive-mode backdoor referred to as IceEvent that comes with capabilities to upload/download files and execute commands.

“It seems that the attackers work six days a week,” the researchers noted. “While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.