Friday, May 24, 2024

APT-36 Hackers Using New Hacking Tools & TTPs To Attack Indian Government Orgs

The cybersecurity analysts at Zscaler ThreatLabz have recently detected a new malicious version of a multi-factor-authentication (MFA) solution, known as Kavach, which has been exploited by the threat actors of Transparent Tribe (aka APT-36, C-Major, and Mythic Leopard) actively to target the Indian government agencies.

To distribute the malicious versions of Kavach MFA apps, the threat actors at Transparent Tribe ran multiple malvertising campaigns by exploiting Google advertisements.

It is believed that the Pakistani government is responsible for the APT-36 group. Users primarily working in government agencies in India are the target audience for this group.

Attack Targeting Indian Government Orgs

Similarly, this APT group has used rogue websites that appear to be official government portals in an attempt to harvest passwords from oblivious users.

A recent attack chain by the threat actor has not been the first incident in which Kavach has been targeted by the threat actor. 

For users of email addresses with “@gov[.]in” and “@nic[.]in” domains, the Kavach MFA app is a mandatory app that they have to use to sign in to the email service, since this app work as an extra layer of security.

In order to activate the killchain, they frequently mimic the legitimate government, military, and related institutions, and it’s one their most used tactics. The threat actor is conducting a campaign at the moment, and there is no exception to that.

Attack Chain

Threat actors mimicked the official website of the Kavach application with the help of several domains and hosted web pages that the threat actors consistently registered.

Download Screen

Under the Kavach-related keywords that are actively searched in India, the threat actors push their fake websites to the top of search results by exploiting the paid search feature of Google Ads. 

Here below we have highlighted a few top keywords that are targeted by threat actors in their campaigns:-

  • Kavach download
  • Kavach app
Search results

A typical promotion lasts for about one month for each website before the attacker bounces to the next one, and this process is repeated several times.

Various applications are available for download through certain third-party application stores controlled by this threat group.

The website operated by the threat actors acts as a gateway since it redirects users to the .NET-based fraudulent installer, and they do so by pushing their website to the top Google search results.

Security analysts have also observed the use of an undocumented data exfiltration tool, LimePad. The Kavach app’s login page is spoofed by a domain that is registered by the operators of Transparent Tribe. 

The unique feature of this web page is that it is only accessible to Indian users with Indian IP addresses. While if you are not an Indian user and visit this fake page, then it will redirect you to India’s National Informatics Centre homepage.

The credentials seized through this page are sent to a remote server and later these stolen credentials are used by the threat actors to launch further attacks.

Infected machine list

There have been additional tools added to this group’s arsenal as they continue to evolve their TTPs and tools. When downloading applications from certain places other than official stores, users should exert caution and make sure they know what they are downloading.

In addition, users should also make sure that they download applications only from sources that are reputable and authentic.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles