APT-36, also known as Transparent Tribe and Mythic Leopard, is a Pakistan-based APT group that targets Indian government employees. Zscaler have recently gathered new intelligence about this APT group that has not been previously documented.
The cyberespionage group distributed backdoored versions of the Kavach multi-factor authentication (MFA) application through malvertising via Google advertisements. We will reveal the entire attack chain for the first time, as well as how this group misuses Google advertisements for malvertising. The group has previously impersonated Indian governmental websites to steal passwords, luring users into unwittingly entering them.
Zscaler discovered a new data exfiltration tool used by APT36, dubbed “LimePad”.
A multi-stage malicious advertising attack
This is the first time APT-36 has been observed using malvertising. The attacker impersonated the official Kavach application download portal and frequently registered new domains for the purpose. These attacker-registered fake websites were pushed to the top of the search results Google returned in India for Kavach-related keywords such as “Kavach download” and “Kavach app”.
The attacker promoted several fake Kavach websites throughout 2022 in this way. Each website was promoted for an average of one month before switching to the next one. The calendar shown in Figure 2 illustrates when the malicious actor was using Google ads to promote corresponding malicious sites.
APT-36 used Google ads between January 2022 and June 2022, with domain names such as kavach-app[.]com or kavach-app[.]in.
This group also controls certain third party application stores, such as acmarketsapp[.]com, that provide downloads for a wide range of applications. Zscaler discovered that this site, at first glance benign and offering generic application downloads, was in fact being used by the threat actor to advertise Indian government-related applications such as Kavach and Hamraaz. Acmarketsapp pushes its own website to the top of Google search results by abusing the Google Ads paid search feature, which was described previously.
The attacker registers a new malicious website each time they want to target a new victim. The app store redirects victims to the attacker-registered domains hosting backdoored versions of the Kavach application. The attacker updates the download link on the app store to point to the latest attacker-registered site.
These combined methods make it possible for APT-36 to operate third party app stores as a gateway to redirect unsuspecting users to malicious sites that host the latest backdoored variants of Indian government applications.
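A defender-side hunt over web proxy logs for the malvertising infrastructure described above, as an added example that is not part of Zscaler's write-up. It matches the domains named in the text, then flags any further domain carrying the "kavach" or "hamraaz" lure theme that is not on an allowlist, since the attacker rotates to a fresh domain roughly monthly. The log format, the sample lines and the allowlist entry are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# Domains named in the write-up (defanged brackets removed so they match log hosts).
KNOWN_BAD = {"kavach-app.com", "kavach-app.in", "acmarketsapp.com"}
# Hypothetical allowlist: replace with the official Kavach distribution domain.
ALLOWLIST = {"official-kavach.example"}
# Lure themes the attacker keeps reusing on freshly registered domains.
LURE_KEYWORDS = ("kavach", "hamraaz")

# Constructed sample proxy log: "<timestamp> <client_ip> <host> <path>"
SAMPLE_LOG = """\
2022-03-01T09:12:01Z 10.0.4.17 kavach-app.com /download/kavach.zip
2022-03-01T09:15:44Z 10.0.4.17 acmarketsapp.com /apps/hamraaz
2022-03-01T10:02:09Z 10.0.7.3 official-kavach.example /kavach
2022-03-02T11:40:00Z 10.0.9.21 kavach-download-app.in /app/setup.exe
2022-03-02T11:41:13Z 10.0.9.21 www.google.com /search
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S*)$")

def _under(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return host in domains or host.endswith(tuple("." + d for d in domains))

def classify(host: str) -> Optional[str]:
    """Return 'known_bad', 'lookalike' or None (benign / not of interest)."""
    h = host.lower().rstrip(".")
    if _under(h, ALLOWLIST):
        return None
    if _under(h, KNOWN_BAD):
        return "known_bad"
    # Catch the next attacker-registered domain: lure keyword outside the allowlist.
    if any(k in h for k in LURE_KEYWORDS):
        return "lookalike"
    return None

def hunt(log_text: str) -> dict:
    """Map verdict -> list of (timestamp, client_ip, host) for each flagged request."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, _path = m.groups()
            verdict = classify(host)
            if verdict:
                hits[verdict].append((ts, client, host))
    return dict(hits)
```

Running `hunt(SAMPLE_LOG)` on the constructed log returns two known-bad requests and one lookalike, keyed by verdict so responders can pivot on the client IPs.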
LimePad, APT36’s new data exfiltration tool.
Zscaler discovered a new data exfiltration tool used by this APT group. It is distributed as a Python-based application packaged inside a VHDX file. Zscaler named it LimePad after the unique strings present in the first version of the stealer.
Two new malicious binaries closely resemble tooling of the SideCopy APT group, and both come wrapped in PyInstaller payloads. Because SideCopy has used PyInstaller payloads in the past, Zscaler believe that this new binary was also created by them.
The tool keeps a local SQLite database in sync with the victim’s machine so that any new file of interest is continually sent to the attacker’s server. It maintains a queue of all files that have been uploaded, are pending upload, or have been altered on the victim’s machine, so that new files and modifications to existing local files are synchronized with the remote server.
Before performing any malicious activity, it checks whether the keyword ‘india’ is present in the machine’s time zone configuration, so the payload only executes on machines configured for an Indian time zone. Once the victim is confirmed to be in India, the attacker downloads a decoy PDF from their server and displays it as a social engineering lure. Metadata extracted from the decoy PDF’s creation details points to APT-36.
Based on the file extensions configured for HOME, FIXED, and REMOVABLE drives, the threat actor is interested in stealing various document file types (PDF, text, and MS Office files), local email databases in DBX format, and drawing file types such as DWG and DXF. These drawing file extensions correspond to “AutoCAD” or computer-aided design vector files, indicating a clear attempt at cyberespionage.