APT-36 Hackers Using New Hacking Tools & TTPs To Attack Indian Government Orgs

The cybersecurity analysts at Zscaler ThreatLabz have recently detected a new malicious version of a multi-factor-authentication (MFA) solution, known as Kavach, which has been exploited by the threat actors of Transparent Tribe (aka APT-36, C-Major, and Mythic Leopard) actively to target the Indian government agencies.

To distribute the malicious versions of Kavach MFA apps, the threat actors at Transparent Tribe ran multiple malvertising campaigns by exploiting Google advertisements.

It is believed that the Pakistani government is responsible for the APT-36 group. Users primarily working in government agencies in India are the target audience for this group.

Attack Targeting Indian Government Orgs

Similarly, this APT group has used rogue websites that appear to be official government portals in an attempt to harvest passwords from oblivious users.

A recent attack chain by the threat actor has not been the first incident in which Kavach has been targeted by the threat actor. 

For users of email addresses with “@gov[.]in” and “@nic[.]in” domains, the Kavach MFA app is a mandatory app that they have to use to sign in to the email service, since this app work as an extra layer of security.

In order to activate the killchain, they frequently mimic the legitimate government, military, and related institutions, and it’s one their most used tactics. The threat actor is conducting a campaign at the moment, and there is no exception to that.

Attack Chain

Threat actors mimicked the official website of the Kavach application with the help of several domains and hosted web pages that the threat actors consistently registered.

Download Screen

Under the Kavach-related keywords that are actively searched in India, the threat actors push their fake websites to the top of search results by exploiting the paid search feature of Google Ads. 

Here below we have highlighted a few top keywords that are targeted by threat actors in their campaigns:-

  • Kavach download
  • Kavach app
Search results

A typical promotion lasts for about one month for each website before the attacker bounces to the next one, and this process is repeated several times.

Various applications are available for download through certain third-party application stores controlled by this threat group.

The website operated by the threat actors acts as a gateway since it redirects users to the .NET-based fraudulent installer, and they do so by pushing their website to the top Google search results.

Security analysts have also observed the use of an undocumented data exfiltration tool, LimePad. The Kavach app’s login page is spoofed by a domain that is registered by the operators of Transparent Tribe. 

The unique feature of this web page is that it is only accessible to Indian users with Indian IP addresses. While if you are not an Indian user and visit this fake page, then it will redirect you to India’s National Informatics Centre homepage.

The credentials seized through this page are sent to a remote server and later these stolen credentials are used by the threat actors to launch further attacks.

Infected machine list

There have been additional tools added to this group’s arsenal as they continue to evolve their TTPs and tools. When downloading applications from certain places other than official stores, users should exert caution and make sure they know what they are downloading.

In addition, users should also make sure that they download applications only from sources that are reputable and authentic.

Managed DDoS Attack Protection for Applications – Download Free Guide

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

The Rise of AI-Generated Professional Headshots

It’s clear that a person’s reputation is increasingly influenced by their online presence, which spans…

8 hours ago

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as…

11 hours ago

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel…

11 hours ago

Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source…

11 hours ago

Hackers Weaponizing Microsoft Teams to Gain Remote Access

Recent cybersecurity research has uncovered a concerning trend where hackers are exploiting Microsoft Teams to…

12 hours ago

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…

2 days ago