ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated Windows RAT that, initially detected in 2023, employs advanced evasion tactics and robust C2 capabilities to target Indian government agencies, diplomatic personnel, and military installations. 

The group leverages multiple platforms, including Windows, Linux, and Android, to broaden its attack surface as the latest ElizaRAT iterations introduce new deployment methods, payloads, and infrastructure, making it a persistent and evolving threat to India’s critical infrastructure. 

ElizaRAT, a malicious software, leverages SlackAPI.dll, identified by its MD5 hash 2b1101f9078646482eb1ae497d44104, to facilitate covert communication through Slack channels. 

CPL files, commonly associated with Windows settings, are exploited as a delivery mechanism.

Once executed, the malware extracts sensitive information from Userinfo.dll and transmits it to a remote server, which periodically checks for new instructions, enabling remote control over the compromised system.

It leverages Slack’s API for command and control by continuously polling a specific channel (C06BM9XTVAS) using the ReceiveMsgsInList() function and retrieving messages via the conversations.history endpoint. 

By utilizing a bot token and victim ID, it provides authentication and identification, and to issue commands, ElizaRAT employs the SendMsg() function, posting messages to channel C06BWCMSF1S through the chat.postMessage endpoint. 

The malware can also upload stolen files using the SendFile() function and the files.upload endpoint.

For file downloads, DownloadFile() retrieves files from URLs provided by the attacker and saves them on the compromised system, likely utilizing HttpClient for secure communication with the download server. 

The SlackAPI.dll file has been identified as malicious by multiple security vendors, which communicates with known malicious IP addresses and exhibits behaviors associated with the MITRE ATT&CK framework. 

It is potentially linked to the ElizaRAT and ApoloStealer campaigns and leverages the rundll32.exe process to execute malicious activities and persist on infected systems.

Circle ElizaRAT, a new variant of ElizaRAT malware that emerged in January 2024, utilizes a dropper component for enhanced evasion, and by targeting Indian systems, it checks the time zone and stores victim data in the %appdata%\CircleCpl folder. 

This variant leverages a VPS for C2 communication, making detection difficult, and retrieves the victim’s IP address and possibly downloads the SlackFiles.dll payload, suggesting a link between the Circle and Slack campaigns. 

The circulatedrop.dll is a malicious payload associated with the ElizaRAT malware, which leverages Google Cloud C2 to receive commands and download subsequent payloads from VPS servers. 

Scheduled tasks and rundll32.exe are used to carry out the execution of these payloads, which are disguised as legitimate files such as SpotifyAB.dll or Spotify-news.dll. 

According to Reco, the campaign utilizes multiple IP addresses, some of which are flagged as malicious by numerous security vendors and are linked to known vulnerabilities that exhibit aggressive activity, particularly on specific dates, suggesting targeted attacks.