Threat Advisory

Persistent Espionage by APT36 Using Evolving ElizaRAT Variants

Threat: Malware
Threat Actor Name: APT36
Targeted Region: India
Alias: G0134, Mythic Leopard, Temp.Lapis, Transparent Tribe, ProjectM, Copper Fieldstone, Earth Karkaddan, Green Havildar, ATK64, APT-C-56, STEPPY-KAVACH
Threat Actor Region: Pakistan
Targeted Sector: Technology & IT, Government & Defense
Criticality: High

EXECUTIVE SUMMARY

APT36, also known as Transparent Tribe, is a Pakistan-based threat group widely recognized for targeting Indian government, military, and diplomatic sectors. Known for its long-running cyber-espionage campaigns, APT36 has built tooling to compromise Windows, Linux, and Android systems. In recent attacks, the group leveraged ElizaRAT, a Remote Access Tool (RAT) that has undergone significant upgrades since it was first identified in 2023. ElizaRAT has become increasingly difficult to detect: it routes command and control (C2) through legitimate cloud services and employs layered obfuscation, so that its traffic blends with ordinary business use of those services. These techniques let the malware exfiltrate sensitive data while evading detection, supporting APT36's stealthy, long-lasting espionage operations.

ElizaRAT's evolution is apparent in recent campaigns, where each variant introduces new methods to bypass security controls and communicate with C2 infrastructure. Initially observed using Telegram channels, ElizaRAT has since adopted Slack and Google Drive for data exchange. Variants such as SlackAPI.dll, together with the companion ApoloStealer deployed alongside them, abuse cloud services, embedded .NET modules, and Control Panel (.CPL) files to deliver second-stage payloads and gather intelligence from infected systems. The malware uses a local SQLite database to stage files selected for exfiltration and provides functions for capturing screenshots, uploading files, and executing specific commands. Campaigns indicate deliberate targeting of Indian users: variants check that the host's time zone is India Standard Time before proceeding, so that the payload runs only on machines in the intended geography.

The continuous adaptation of ElizaRAT by APT36 underscores the group's persistent intent to spy on critical Indian sectors. ElizaRAT's enhancements, particularly in the Circle and Google Drive campaigns, reveal a deliberate shift toward varied cloud platforms to sustain C2 communication and reduce dependence on attacker-owned servers, which are easier to block and take down. The deployment of complementary tools such as ApoloStealer further expands APT36's toolkit for siphoning sensitive files from compromised devices. These developments highlight the need to monitor for C2 over legitimate web services and to maintain detection coverage for evolving malware like ElizaRAT, as APT36 shows no signs of slowing its pursuit of Indian intelligence.

THREAT PROFILE:

Tactic               Technique ID   Technique
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Execution            T1053          Scheduled Task/Job
Defense Evasion      T1027          Obfuscated Files or Information
Credential Access    T1552          Unsecured Credentials
Collection           T1113          Screen Capture
Command and Control  T1102          Web Service
Exfiltration         T1041          Exfiltration Over C2 Channel
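
The following hunting script is an added example for this advisory; it is not code from the referenced Check Point report or from the actor's tooling. It walks a constructed, simplified Sysmon-style JSON export and flags the three host-observable behaviours described above: a Control Panel (.cpl) file launched from a user-writable path (T1204), a scheduled task created by a binary living in a user-writable path (T1053), and a non-browser process contacting Telegram, Slack or Google Drive API hosts (T1102). The event field names, the C2 host list, and the benign-client allow list are assumptions to be adapted to the telemetry in use.

```python
"""Hunting example added to this advisory (not Check Point's or APT36's code).

Flags the ElizaRAT behaviours the advisory describes, over constructed events:
  * a .cpl file launched from a user-writable path        (T1204)
  * a scheduled task created by a user-writable binary     (T1053)
  * a non-browser process talking to a cloud C2 service    (T1102)
Field names, host list and the benign-client allow list are assumptions.
"""
import json
import re

# Cloud services the advisory names as ElizaRAT C2 channels (host list is an assumption).
C2_SERVICE_HOSTS = {
    "api.telegram.org": "Telegram",
    "slack.com": "Slack",
    "api.slack.com": "Slack",
    "files.slack.com": "Slack",
    "www.googleapis.com": "Google Drive",
    "drive.google.com": "Google Drive",
}
# Processes for which traffic to those hosts is expected in this environment (assumption).
BENIGN_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "outlook.exe"}
CPL_LAUNCHERS = {"control.exe", "rundll32.exe"}
# Paths an unprivileged user can write to; a binary here should not be scheduling tasks.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I,
)

# Constructed sample export: one JSON object per line, backslashes JSON-escaped.
SAMPLE_EVENTS = r"""
{"event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\alice\\Downloads\\Notice.cpl"}
{"event": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe", "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe"}
{"event": "network_connect", "image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe", "dest_host": "api.slack.com", "dest_port": 443}
{"event": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.googleapis.com", "dest_port": 443}
{"event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\intl.cpl"}
{"event": "network_connect", "image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe", "dest_host": "www.googleapis.com", "dest_port": 443}
"""


def load_events(text=SAMPLE_EVENTS):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one finding per matching event, tagged with the ATT&CK technique it supports."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["event"] == "process_create":
            cmd = ev.get("cmdline", "")
            # A .cpl opened from Downloads/AppData etc. is the user-execution lure; the
            # system's own applets (C:\Windows\System32\*.cpl) are deliberately ignored.
            if image in CPL_LAUNCHERS and re.search(r"\.cpl\b", cmd, re.I) and USER_WRITABLE.search(cmd):
                findings.append({"technique": "T1204", "rule": "cpl_from_user_path",
                                 "image": ev["image"], "detail": cmd})
            elif image == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(ev.get("parent_image", "")):
                findings.append({"technique": "T1053", "rule": "schtask_by_user_path_binary",
                                 "image": ev["parent_image"], "detail": cmd})
        elif ev["event"] == "network_connect":
            service = C2_SERVICE_HOSTS.get(ev.get("dest_host", "").lower())
            if service and image not in BENIGN_CLIENTS:
                findings.append({"technique": "T1102", "rule": "cloud_c2_from_unexpected_process",
                                 "image": ev["image"], "detail": f"{service} via {ev['dest_host']}"})
    return findings


def correlate(findings):
    """Map each implicated binary to its techniques; a binary hitting two or more is the triage priority."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["technique"])
    return {img: sorted(t) for img, t in by_image.items() if len(t) >= 2}


if __name__ == "__main__":
    found = hunt(load_events())
    for f in found:
        print(f"[{f['technique']}] {f['rule']}: {f['image']} -> {f['detail']}")
    print("priority:", correlate(found))
```

Run against the constructed sample, the script raises four findings and singles out the AppData binary, which both created a scheduled task and spoke to Slack and Google Drive; the rundll32 launch of the downloaded .cpl is flagged on its own and would be the pivot back to the phishing delivery. The allow list for legitimate cloud clients is the tuning point: in an environment where Slack or Google Drive are not sanctioned at all, drop it entirely and treat any contact with those hosts as reportable.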

REFERENCES:

The following reports contain further technical details:
https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/
