Wednesday, December 11, 2024
HomeCyber Security NewsElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

Published on

SIEM as a Service

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated Windows RAT that, initially detected in 2023, employs advanced evasion tactics and robust C2 capabilities to target Indian government agencies, diplomatic personnel, and military installations. 

The group leverages multiple platforms, including Windows, Linux, and Android, to broaden its attack surface as the latest ElizaRAT iterations introduce new deployment methods, payloads, and infrastructure, making it a persistent and evolving threat to India’s critical infrastructure. 

ElizaRAT, a malicious software, leverages SlackAPI.dll, identified by its MD5 hash 2b1101f9078646482eb1ae497d44104, to facilitate covert communication through Slack channels. 

- Advertisement - SIEM as a Service
Circle Chain Infection

CPL files, commonly associated with Windows settings, are exploited as a delivery mechanism.

Once executed, the malware extracts sensitive information from Userinfo.dll and transmits it to a remote server, which periodically checks for new instructions, enabling remote control over the compromised system.

It leverages Slack’s API for command and control by continuously polling a specific channel (C06BM9XTVAS) using the ReceiveMsgsInList() function and retrieving messages via the conversations.history endpoint. 

By utilizing a bot token and victim ID, it provides authentication and identification, and to issue commands, ElizaRAT employs the SendMsg() function, posting messages to channel C06BWCMSF1S through the chat.postMessage endpoint. 

The malware can also upload stolen files using the SendFile() function and the files.upload endpoint.

For file downloads, DownloadFile() retrieves files from URLs provided by the attacker and saves them on the compromised system, likely utilizing HttpClient for secure communication with the download server. 

Slack API.dll communicating IP address.

The SlackAPI.dll file has been identified as malicious by multiple security vendors, which communicates with known malicious IP addresses and exhibits behaviors associated with the MITRE ATT&CK framework. 

It is potentially linked to the ElizaRAT and ApoloStealer campaigns and leverages the rundll32.exe process to execute malicious activities and persist on infected systems.

Circle ElizaRAT, a new variant of ElizaRAT malware that emerged in January 2024, utilizes a dropper component for enhanced evasion, and by targeting Indian systems, it checks the time zone and stores victim data in the %appdata%\CircleCpl folder. 

This variant leverages a VPS for C2 communication, making detection difficult, and retrieves the victim’s IP address and possibly downloads the SlackFiles.dll payload, suggesting a link between the Circle and Slack campaigns. 

HTTP stream example

The circulatedrop.dll is a malicious payload associated with the ElizaRAT malware, which leverages Google Cloud C2 to receive commands and download subsequent payloads from VPS servers. 

Scheduled tasks and rundll32.exe are used to carry out the execution of these payloads, which are disguised as legitimate files such as SpotifyAB.dll or Spotify-news.dll. 

According to Reco, the campaign utilizes multiple IP addresses, some of which are flagged as malicious by numerous security vendors and are linked to known vulnerabilities that exhibit aggressive activity, particularly on specific dates, suggesting targeted attacks.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...