Pakistan APT Hackers Weaponize malicious IndiaPost Site to Target Windows and Android Users

A Pakistan-based Advanced Persistent Threat (APT) group, likely APT36, has launched a multi-platform cyberattack campaign targeting Indian users through a fraudulent website impersonating the Indian Post Office.

The attack, discovered by CYFIRMA researchers, exploits both Windows and Android vulnerabilities, demonstrating a significant evolution in the group’s tactics.

Sophisticated Attack Leverages Youth Laptop Scheme

The malicious website, identified as “Postindia[.]site,” serves as the primary vector for this attack. When accessed from a desktop computer, the site delivers a PDF file containing “ClickFix” instructions.

According to Cyfirma, these instructions prompt users to execute a potentially harmful PowerShell command, which could compromise the system.

Mobile users, on the other hand, are directed to download an APK file named “indiapost[.]apk,” which requests extensive permissions and exfiltrates data through a fake Google Analytics domain.

Technical Analysis Reveals APT36 Involvement

Analysis of the dropped Android executable revealed sophisticated tactics employed by the threat actors.

The APK requests numerous permissions, including access to contacts, location data, and file storage.

It also implements measures to force users to accept permissions if initially denied.

The application’s persistence mechanisms include the use of a “BootReceiver” function and requests to ignore battery optimization, allowing it to run continuously in the background.

Examination of the PDF file’s EXIF data provided crucial evidence linking the attack to Pakistan.

The creation date was set to October 2024 with a time zone of +5:00, corresponding to Pakistan’s standard time zone.

Moreover, the author field contained “PMYLS,” an acronym for the Pakistani Prime Minister’s Youth Laptop Scheme.

This information, combined with the domain registration date of November 2024, strongly suggests the involvement of a Pakistan-based threat actor.

Further investigation of the IP address (88[.]222[.]245[.]211) embedded in the PowerShell command revealed a fake domain (email[.]gov[.]in[.]gov-in[.]mywire[.]org) impersonating an Indian government email service.

This tactic aligns with known behaviors of APT36, also known as Transparent Tribe, a group that has been active since at least 2013 and primarily focuses on cyber espionage against Indian entities.

The attack’s sophistication is evident in its multi-platform approach, targeting both Windows and Android users.

This represents a significant advancement in APT36’s capabilities and highlights the evolving nature of cyber threats in the region.

As tensions between India and Pakistan continue, it is likely that such cyber operations will become increasingly common and complex.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.