APT-36 Hackers Using New Hacking Tools & TTPs To Attack Indian Government Orgs

The cybersecurity analysts at Zscaler ThreatLabz have recently detected a new malicious version of a multi-factor-authentication (MFA) solution, known as Kavach, which has been exploited by the threat actors of Transparent Tribe (aka APT-36, C-Major, and Mythic Leopard) actively to target the Indian government agencies.

To distribute the malicious versions of Kavach MFA apps, the threat actors at Transparent Tribe ran multiple malvertising campaigns by exploiting Google advertisements.

It is believed that the Pakistani government is responsible for the APT-36 group. Users primarily working in government agencies in India are the target audience for this group.

Attack Targeting Indian Government Orgs

Similarly, this APT group has used rogue websites that appear to be official government portals in an attempt to harvest passwords from oblivious users.

A recent attack chain by the threat actor has not been the first incident in which Kavach has been targeted by the threat actor. 

For users of email addresses with “@gov[.]in” and “@nic[.]in” domains, the Kavach MFA app is a mandatory app that they have to use to sign in to the email service, since this app work as an extra layer of security.

In order to activate the killchain, they frequently mimic the legitimate government, military, and related institutions, and it’s one their most used tactics. The threat actor is conducting a campaign at the moment, and there is no exception to that.

Attack Chain

Threat actors mimicked the official website of the Kavach application with the help of several domains and hosted web pages that the threat actors consistently registered.

Download Screen

Under the Kavach-related keywords that are actively searched in India, the threat actors push their fake websites to the top of search results by exploiting the paid search feature of Google Ads. 

Here below we have highlighted a few top keywords that are targeted by threat actors in their campaigns:-

  • Kavach download
  • Kavach app
Search results

A typical promotion lasts for about one month for each website before the attacker bounces to the next one, and this process is repeated several times.

Various applications are available for download through certain third-party application stores controlled by this threat group.

The website operated by the threat actors acts as a gateway since it redirects users to the .NET-based fraudulent installer, and they do so by pushing their website to the top Google search results.

Security analysts have also observed the use of an undocumented data exfiltration tool, LimePad. The Kavach app’s login page is spoofed by a domain that is registered by the operators of Transparent Tribe. 

The unique feature of this web page is that it is only accessible to Indian users with Indian IP addresses. While if you are not an Indian user and visit this fake page, then it will redirect you to India’s National Informatics Centre homepage.

The credentials seized through this page are sent to a remote server and later these stolen credentials are used by the threat actors to launch further attacks.

Infected machine list

There have been additional tools added to this group’s arsenal as they continue to evolve their TTPs and tools. When downloading applications from certain places other than official stores, users should exert caution and make sure they know what they are downloading.

In addition, users should also make sure that they download applications only from sources that are reputable and authentic.

Managed DDoS Attack Protection for Applications – Download Free Guide

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

14 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

17 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

17 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

18 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

19 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

21 hours ago