Conquer your risk

Sophisticated Group APT36 targets India with Google Ads malvertising

Indian governmental organisations are being targeted by the advanced threat actor APT36 using new TTPs and new tools.

by Ronan Mouchoux
November 8, 2022
in Cyber Attacks, Malware, News, Threat Intelligence

APT-36, also known as Transparent Tribe and Mythic Leopard, is a Pakistan-based APT group that primarily targets Indian government employees. Zscaler has recently gathered new intelligence about the group that had not been documented before.

The cyberespionage group distributed backdoored versions of Kavach, the multi-factor authentication (MFA) application used by Indian government employees, through malvertising on Google Ads. Zscaler's report documents the entire attack chain for the first time, including how the group abuses Google Ads for malvertising. The group had previously impersonated Indian government websites in credential-phishing campaigns, luring users into unwittingly entering their passwords.

Zscaler also discovered a new data exfiltration tool used by APT36, dubbed “LimePad”.

A multi-stage malicious advertising attack

This is the first time APT-36 has been observed using malvertising. The attacker impersonated the official Kavach application download portal and frequently registered new domains for this purpose. By paying for Google Ads placement, these attacker-registered fake websites were pushed to the top of the search results returned by Google in India for Kavach-related keywords such as “Kavach download” and “Kavach app”.

The attacker promoted several fake Kavach websites throughout 2022 in this way, each for roughly one month before switching to the next. The calendar shown in Figure 2 illustrates when the threat actor was using Google Ads to promote each malicious site.

The Google Ads campaigns ran between January 2022 and June 2022, using domain names such as kavach-app[.]com and kavach-app[.]in.

The group also controls third-party application stores, such as acmarketsapp[.]com, that offer downloads for a wide range of applications. Zscaler found that this site, benign at first glance and offering generic application downloads, was in fact used by the threat actor to advertise Indian government-related applications such as Kavach and Hamraaz. Acmarketsapp is pushed to the top of Google search results by abusing the Google Ads paid-search feature, as described above.

The attacker registers a new malicious website each time they want to target new victims. The app store redirects visitors to the attacker-registered domain hosting a backdoored version of the Kavach application, and the attacker updates the download link on the app store to point to the latest such domain.

Combining these methods lets APT-36 operate a third-party app store as a gateway that redirects unsuspecting users to malicious sites hosting the latest backdoored variants of Indian government applications.
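The campaign above leaves two traces a defender can hunt for in web proxy logs: requests to hosts that carry the Kavach or Hamraaz brand name but sit outside government domains, and HTTP redirects from the app store into such hosts, followed by an installer download. The script below is an added example written for this article, not code from Zscaler or XRATOR. It uses the three domains named in the text as known-bad indicators, treats `.gov.in` and `.nic.in` as the allowlisted suffixes for the genuine portals (an assumption; adjust to your own allowlist), and runs over a constructed sample log in the format `timestamp client method url status location`.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the article (defanging brackets removed so they match hostnames).
KNOWN_BAD = {"kavach-app.com", "kavach-app.in", "acmarketsapp.com"}
# Brand keywords the campaign abused (Kavach and Hamraaz are named in the article).
KEYWORDS = ("kavach", "hamraaz")
# ASSUMPTION: the genuine portals live under these government suffixes; adjust to your allowlist.
LEGIT_SUFFIXES = (".gov.in", ".nic.in")
PAYLOAD_EXTS = (".exe", ".msi", ".apk", ".zip")

# Constructed sample proxy log (not real traffic): ts client method url status location
SAMPLE_LOG = """\
2022-03-02T09:14:01Z 10.1.2.3 GET https://www.google.com/search?q=kavach+download 200 -
2022-03-02T09:14:05Z 10.1.2.3 GET https://kavach-app.com/ 200 -
2022-03-02T09:14:09Z 10.1.2.3 GET https://kavach-app.com/download/Kavach.exe 200 -
2022-03-02T10:02:11Z 10.1.2.7 GET https://acmarketsapp.com/apps/kavach 302 https://kavach-app.in/
2022-03-02T10:02:12Z 10.1.2.7 GET https://kavach-app.in/ 200 -
2022-03-02T10:02:15Z 10.1.2.7 GET https://kavach-app.in/files/kavach-setup.exe 200 -
2022-03-02T11:30:00Z 10.1.2.9 GET https://kavach.mail.gov.in/ 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def classify_host(host: str) -> Optional[str]:
    """Return why a hostname is suspicious, or None if it is not."""
    host = host.lower().rstrip(".")
    if host in KNOWN_BAD:
        return "known-bad"
    if host.endswith(LEGIT_SUFFIXES):
        return None  # genuine government host: a brand keyword is expected here
    if any(k in host for k in KEYWORDS):
        return "keyword-lookalike"  # brand keyword outside the allowlisted suffixes
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "status": int(status),
            "location": None if location == "-" else location}


def analyze(log_text: str) -> dict:
    """Flag suspicious hosts, redirects into them, and payload downloads from them."""
    flagged: Dict[str, str] = {}
    redirects: List[Tuple[str, str, str]] = []
    downloads: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reason = classify_host(rec["host"])
        if reason:
            flagged[rec["host"]] = reason
            if rec["status"] == 200 and urlsplit(rec["url"]).path.lower().endswith(PAYLOAD_EXTS):
                downloads.append((rec["client"], rec["url"]))
        # The article's app-store pivot: a 3xx whose Location lands on a flagged host.
        if rec["location"] and 300 <= rec["status"] < 400:
            dst = (urlsplit(rec["location"]).hostname or "").lower()
            if classify_host(dst):
                redirects.append((rec["client"], rec["host"], dst))
    return {"flagged": flagged, "redirects": redirects, "downloads": downloads}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, why in sorted(result["flagged"].items()):
        print(f"flagged {host}: {why}")
    for client, src, dst in result["redirects"]:
        print(f"redirect {client}: {src} -> {dst}")
    for client, url in result["downloads"]:
        print(f"download {client}: {url}")
```

The keyword rule is deliberately broad: the article shows the actor rotating to a fresh domain roughly every month, so a static blocklist of the three names above goes stale quickly, while a brand keyword outside the allowlisted suffixes keeps catching the next registration. Search-engine hosts are not flagged even when the query string contains the keyword, because only the hostname is classified.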

LimePad, APT36’s new data exfiltration tool

Zscaler discovered a new data exfiltration tool used by this APT group. It is distributed as a Python-based application packaged inside a VHDX file. Based on unique strings present in the first version of the stealer, Zscaler named it LimePad.

Zscaler also identified two new malicious binaries that closely resemble tooling of the SideCopy APT group, both wrapped as PyInstaller payloads. Because SideCopy has used PyInstaller payloads in the past, Zscaler believes these new binaries were also created by that group.

The tool maintains a local SQLite database that tracks files on the victim’s machine, so that any new file of interest, or any modification to a file already collected, is picked up and sent to the attacker’s server. The database acts as a queue recording which files have been uploaded, are waiting to be uploaded, or have changed since their last upload, keeping the attacker’s copy synchronized with the victim’s disk.

Before performing any malicious activity, it checks whether the keyword ‘india’ appears in the machine’s time zone configuration, so the payload only runs on machines configured for the India time zone. Once the victim is confirmed to be in India, the malware downloads a decoy PDF from the attacker’s server and displays it as a social-engineering lure. Creation metadata extracted from the decoy PDF also points to APT-36.

Based on the file extensions configured for HOME, FIXED, and REMOVABLE drives, the threat actor is interested in document files (PDF, text, and MS Office formats), local email databases in DBX format, and drawing files such as DWG and DXF. The drawing extensions correspond to AutoCAD and other computer-aided design vector formats, a clear indicator of cyberespionage.
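To make the behaviour described in the last three paragraphs concrete for analysts, the block below is an added model written for this article, not LimePad’s own code and not Zscaler’s analysis. It reproduces the three mechanics the text describes: the time zone gate, the extension filter for files of interest, and a SQLite table that acts as an upload queue and re-queues files whose content has changed between scans. The table layout, the exact extension list, and the collapsing of the HOME/FIXED/REMOVABLE configuration into one set are assumptions; the model contains no network or upload code. Its value for a defender is in understanding what the on-disk SQLite artifact of such a stealer looks like, and in testing where honeyfiles with targeted extensions would be picked up.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import List

# File types the article says LimePad collects. The HOME/FIXED/REMOVABLE split is
# collapsed into one set here; the exact per-drive lists are an assumption.
INTERESTING_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".dbx", ".dwg", ".dxf"}

# ASSUMPTION: table layout modelled on the behaviour described, not LimePad's real schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    path   TEXT PRIMARY KEY,
    mtime  REAL NOT NULL,
    sha256 TEXT NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('queued', 'uploaded'))
);
"""


def is_target_timezone(tz_name: str) -> bool:
    """The geofence described in the article: proceed only if 'india' is in the zone name."""
    return "india" in tz_name.lower()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, db: sqlite3.Connection) -> List[str]:
    """Diff the disk against the database: new files are inserted as queued,
    changed files are re-queued, unchanged files are left alone."""
    queued = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in INTERESTING_EXTS:
            continue
        key, digest, mtime = str(p), sha256_of(p), p.stat().st_mtime
        row = db.execute("SELECT sha256 FROM files WHERE path = ?", (key,)).fetchone()
        if row is None:
            db.execute("INSERT INTO files VALUES (?, ?, ?, 'queued')", (key, mtime, digest))
            queued.append(key)
        elif row[0] != digest:
            db.execute("UPDATE files SET mtime = ?, sha256 = ?, status = 'queued' WHERE path = ?",
                       (mtime, digest, key))
            queued.append(key)
    db.commit()
    return queued


def pending(db: sqlite3.Connection) -> List[str]:
    """Files waiting to be synchronized, i.e. the upload queue."""
    return [r[0] for r in db.execute("SELECT path FROM files WHERE status = 'queued' ORDER BY path")]


def mark_uploaded(db: sqlite3.Connection, path: str) -> None:
    db.execute("UPDATE files SET status = 'uploaded' WHERE path = ?", (path,))
    db.commit()


def demo() -> dict:
    """Constructed scenario: two targeted files and one ignored file; one file is edited between passes."""
    tmp = Path(tempfile.mkdtemp(prefix="limepad-model-"))
    try:
        (tmp / "tender.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (tmp / "plant.dwg").write_bytes(b"AC1027 constructed sample")
        (tmp / "setup.log").write_text("not a targeted extension")
        db = sqlite3.connect(":memory:")
        db.executescript(SCHEMA)
        first = scan(tmp, db)            # both targeted files are new -> queued
        for path in pending(db):
            mark_uploaded(db, path)      # stand-in for the upload step (no network here)
        (tmp / "tender.pdf").write_bytes(b"%PDF-1.4 constructed sample, revised")
        second = scan(tmp, db)           # only the edited file is re-queued
        return {"first": [Path(p).name for p in first],
                "second": [Path(p).name for p in second],
                "pending_after": [Path(p).name for p in pending(db)]}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

One caveat for sandbox work follows from the gate: on Windows, `time.tzname[0]` for an Indian system is "India Standard Time", which contains the keyword, whereas a Linux host with `TZ=Asia/Kolkata` reports "IST" and would not pass a substring check. An emulation environment that wants to see the payload run therefore has to present the Windows-style zone name, not merely an Indian UTC offset. Where the malware reads the zone from (registry, environment, or a library call) is not stated in the article and is not assumed by the model.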

Tags: APT36, Cyberespionage, India, Malvertising, Targeted attack

"Conquer Your Risk" is a corporate blog for Cybersecurity and Risk Management executives and specialists, sharing XRATOR experts' views on Cybersecurity, Threat Intelligence, Risk Management and Cyber Insurance.
XRATOR® – copyright 2020-2021