Friday, December 8, 2023

APT-36 Hackers Using New Hacking Tools & TTPs To Attack Indian Government Orgs

The cybersecurity analysts at Zscaler ThreatLabz have recently detected a new malicious version of a multi-factor-authentication (MFA) solution, known as Kavach, which has been exploited by the threat actors of Transparent Tribe (aka APT-36, C-Major, and Mythic Leopard) actively to target the Indian government agencies.

To distribute the malicious versions of Kavach MFA apps, the threat actors at Transparent Tribe ran multiple malvertising campaigns by exploiting Google advertisements.

It is believed that the Pakistani government is responsible for the APT-36 group. Users primarily working in government agencies in India are the target audience for this group.

Attack Targeting Indian Government Orgs

Similarly, this APT group has used rogue websites that appear to be official government portals in an attempt to harvest passwords from oblivious users.

A recent attack chain by the threat actor has not been the first incident in which Kavach has been targeted by the threat actor. 

For users of email addresses with “@gov[.]in” and “@nic[.]in” domains, the Kavach MFA app is a mandatory app that they have to use to sign in to the email service, since this app work as an extra layer of security.

In order to activate the killchain, they frequently mimic the legitimate government, military, and related institutions, and it’s one their most used tactics. The threat actor is conducting a campaign at the moment, and there is no exception to that.

Attack Chain

Threat actors mimicked the official website of the Kavach application with the help of several domains and hosted web pages that the threat actors consistently registered.

Download Screen

Under the Kavach-related keywords that are actively searched in India, the threat actors push their fake websites to the top of search results by exploiting the paid search feature of Google Ads. 

Here below we have highlighted a few top keywords that are targeted by threat actors in their campaigns:-

  • Kavach download
  • Kavach app
Search results

A typical promotion lasts for about one month for each website before the attacker bounces to the next one, and this process is repeated several times.

Various applications are available for download through certain third-party application stores controlled by this threat group.

The website operated by the threat actors acts as a gateway since it redirects users to the .NET-based fraudulent installer, and they do so by pushing their website to the top Google search results.

Security analysts have also observed the use of an undocumented data exfiltration tool, LimePad. The Kavach app’s login page is spoofed by a domain that is registered by the operators of Transparent Tribe. 

The unique feature of this web page is that it is only accessible to Indian users with Indian IP addresses. While if you are not an Indian user and visit this fake page, then it will redirect you to India’s National Informatics Centre homepage.

The credentials seized through this page are sent to a remote server and later these stolen credentials are used by the threat actors to launch further attacks.

Infected machine list

There have been additional tools added to this group’s arsenal as they continue to evolve their TTPs and tools. When downloading applications from certain places other than official stores, users should exert caution and make sure they know what they are downloading.

In addition, users should also make sure that they download applications only from sources that are reputable and authentic.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles