“Cloudy with a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT”

APT36 (Transparent Tribe) has been deploying an evolving Windows RAT called ElizaRAT to target Indian government and military-related systems, expanding its toolkit with new payloads like ApoloStealer and abusing cloud platforms for C2. The campaigns use CPL droppers, scheduled tasks, and SQLite-backed data collection to exfiltrate files while checking for India Standard Time to limit targets. #ElizaRAT #ApoloStealer

Keypoints

  • APT36 (Transparent Tribe) has persistently targeted Indian government and military entities with tailored campaigns.
  • ElizaRAT, a Windows RAT first observed in 2023, has been significantly updated with improved evasion and modular payloads.
  • The actor systematically uses cloud services (Google Drive, Slack, Telegram) and VPS hosts for command-and-control communication.
  • New data-stealing payloads, collectively referred to as ApoloStealer (SlackFiles.dll / extensionhelper_64.dll), were introduced to harvest and exfiltrate documents and media.
  • Multiple distinct campaigns (Slack, Circle, Google Drive) deployed different ElizaRAT variants and second-stage payloads, including a USB-focused stealer (ConnectX).
  • Infection chains rely on CPL droppers, scheduled tasks, DLLs executed via rundll32, local SQLite databases for staging, and timezone checks to focus on Indian targets.

MITRE Techniques

  • [T1071] Command and Control – Uses cloud services like Google Drive, Telegram, and Slack for C2 communication. (‘Utilizes cloud services like Google Drive, Telegram, and Slack for C2 communication.’)
  • [T1203] Execution – Uses Control Panel (.CPL) files as the initial infection vector and executes DLL payloads via rundll32 and similar methods. (‘Uses CPL files as the initial infection vector, often distributed through phishing.’)
  • [T1041] Exfiltration Over C2 Channel – Collects and sends files and staged database contents to attacker-controlled servers and cloud storage. (‘Employs various methods to collect and exfiltrate sensitive data from compromised systems.’)
  • [T1003] Credential Dumping – Implements techniques to gather user credentials from infected machines (noted as part of the payload capabilities). (‘Utilizes techniques to gather user credentials from infected machines.’)
  • [T1547] Boot or Logon Autostart Execution (Persistence) – Establishes persistence through scheduled tasks and other autorun mechanisms to maintain access. (‘Establishes persistence through scheduled tasks and other methods to maintain access to compromised systems.’)

Indicators of Compromise

  • [File hashes] ElizaRAT and ApoloStealer samples – MD5 2b1101f9078646482eb1ae497d44104c (SlackAPI.dll), MD5 009cb6da5c4426403b82c79adf67021c (SpotifyAB.dll), and many other hashes.
  • [File names] Notable payload and dropper names – SlackFiles.dll (ApoloStealer), BaseFilteringEngine.dll (ElizaRAT main), SpotifyAB.dll (stealer payload).
  • [IP addresses] C2 servers used in campaigns – 84.247.135[.]235 (Google Drive campaign VPS), 83.171.248[.]67 (Slack campaign C2).
  • [Domains / service accounts] Cloud/API endpoints and service accounts – slack.com API endpoints (used for C2), [email protected] (Google service account tied to Google Cloud Storage C2).

APT36, also tracked as Transparent Tribe, has continued to focus on Indian governmental, diplomatic, and military-related targets by refining a Windows Remote Access Tool family known as ElizaRAT and augmenting it with specialized data-stealing modules. First publicly reported in 2023, ElizaRAT is written in .NET and commonly delivered via Control Panel (.CPL) droppers that are convenient for spear-phishing campaigns because they execute on double-click. Across several campaigns observed at the end of 2023 and into 2024, the actor deployed distinct variants of ElizaRAT that share core behaviors—creating a per-victim identifier file, establishing a working directory under %appdata% (often named SlackAPI or BaseFilteringEngine), dropping decoy documents or videos, and logging actions to local text files.

The malware family embeds helper assemblies using Costura and frequently relies on embedded SQLite libraries to stage and manage files before exfiltration. Many samples perform an early check for a system clock set to India Standard Time; this check indicates the operators intentionally narrowed their targeting to Indian hosts. Persistence is commonly achieved by creating scheduled tasks that execute DLL payloads via rundll32 or similar mechanisms every few minutes, ensuring the malware remains active after reboots.

One prominent cluster, labeled the Slack campaign, included a variant named SlackAPI.dll (MD5 2b1101f9078646482eb1ae497d44104c). This sample communicates with the attackers through Slack API endpoints, polling a specific channel for commands and posting messages and files back to attacker-controlled channels. SlackAPI.dll implements a command dispatcher that handles instructions such as downloading arbitrary files, taking screenshots, uploading files, enumerating directories, executing files stored in the working directory, and terminating itself. The malware registers each victim by writing a userinfo file formatted with username, machine name, and a random identifier, and then reports that string to the C2 so the operator can track active hosts.

Alongside SlackAPI.dll, operators deployed a second-stage stealer dubbed ApoloStealer (observed as SlackFiles.dll and SpotifyAB.dll). Compiled shortly after the SlackAPI variant, ApoloStealer shares many conventions with ElizaRAT: it checks for India Standard Time, uses the same working directory, includes SQLite.Interop.dll and decoy media files as resources, and registers victims with a remote PHP endpoint such as http://83.171.248[.]67/suitboot.php. ApoloStealer scans user folders—Desktop, Downloads, OneDrive and fixed drives except C:—for a wide range of office, archive, image and design file types, stores metadata and file contents in a local SQLite database, and then posts collected data to a remote oneten.php endpoint for exfiltration. The payload also creates LNK shortcuts via WshShell to execute payloads through rundll and logs its operations locally.

In another cluster labeled Circle and compiled in January 2024, ElizaRAT variants used an additional dropper component that unpacks a zip resource and drops ElizaRAT into %appdata%\CircleCpl before executing it. The Circle cluster did not use public cloud services for C2; instead, it communicated with a VPS at 38.54.84[.]83. The Circle ElizaRAT registers victims in two files—applicationid.dll (a combined random ID, username and machine name) and applicationinfo.dll (detailed system info including IP and OS)—then polls a GetTask endpoint for simple commands that instruct it to download and extract zip payloads from an uploads directory on the same server. Those zip archives typically contain the SQLite DLL and a secondary stealer payload (SlackFiles.dll), showing operational overlap between the Circle and Slack clusters.

The Google Drive campaign demonstrated ElizaRAT’s abuse of Google Cloud storage for C2. In that campaign, CPL droppers created a BaseFilteringEngine working directory under %appdata%, registered the victim, established scheduled-task persistence, and deployed BaseFilterEngine.dll (the main ElizaRAT). The main loader used an embedded X.509 certificate to create a ServiceAccountCredential for a Google Cloud Storage service account ([email protected]), listed files under a specific parent folder ID, and retrieved per-victim tmp1 files containing commands. The only supported command in these samples was Transfer, which encodes parameters to download a zip from a VPS, extract it with a provided password, schedule execution of the payload every five minutes, and report success back to the server. Observed VPS IPs for payload downloads include 84.247.135[.]235, 143.110.179[.]176, and 64.227.134[.]248.

Two primary payloads were observed in the Google Drive cluster. extensionhelper_64.dll (delivered as SpotifyAB.dll or Spotify-news.dll) is an ApoloStealer variant that builds an SQLite database of targeted files across fixed drives, excluding system folders and temporary files, and uploads contents for files not yet sent to the C2. The other payload, ConnectX (EmergencyBackup.dll / ConnectX.dll), is focused on external removable media: it uses WMI queries to detect the insertion of new disk drives and catalogs targeted file types on USBs and other external devices, archiving them into a zip stored in the ElizaRAT working directory. Unlike ApoloStealer, ConnectX was observed saving data locally rather than immediately exfiltrating it to a remote server.

Technical overlaps and operation-specific artifacts tie these campaigns to Transparent Tribe. All samples display a consistent use of the name “Apolo Jones” in artefacts—seen as PDF metadata attributing decoy documents to Apolo Jones, as zip extraction passwords (for example, ApoloJones2024), and as function names in payloads. The combination of custom tooling (ElizaRAT and its second-stage stealers), reuse of naming conventions, targeting patterns (India Standard Time checks), and overlapping infrastructure support attribution to APT36/Transparent Tribe.

The observed infection chain typically begins with a spear-phishing message that lures a victim into opening a CPL file acting as a dropper. The dropper prepares the environment, drops DLL payloads and decoys, registers the victim with a remote C2, and ensures persistence with scheduled tasks or LNK shortcuts. Communication channels vary by cluster: Slack samples use Slack API endpoints and channel polling, Google Drive variants authenticate to Google Cloud Storage to retrieve command blobs, and Circle variants rely on traditional HTTP-based VPS command servers. Across these paths, the actors use embedded SQLite databases to stage file metadata and contents, improving reliability of collection before upload.

From a defensive perspective, detections have been created to identify ElizaRAT families and their behaviors (e.g., creation of per-victim identifier files, scheduled tasks invoking rundll32, creation of %appdata%\SlackAPI or %appdata%\BaseFilteringEngine directories, and abnormal use of cloud storage credentials or Slack API tokens). Indicators of compromise published with the analysis include multiple file hashes for droppers and payloads, filenames such as SlackAPI.dll, BaseFilteringEngine.dll, SlackFiles.dll and SpotifyAB.dll, and C2 IP addresses like 84.247.135[.]235 and 83.171.248[.]67.
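As an added example (not part of the original analysis or the Check Point detections), the three behaviors above can be turned into hunting rules over endpoint telemetry: rundll32 loading a DLL from an %appdata% folder named SlackAPI, BaseFilteringEngine or CircleCpl, a scheduled task that re-runs rundll32 every five minutes or less, and an outbound connection to one of the C2 addresses listed in this summary. The simplified key=value event format and the sample events are constructed here for illustration.

```python
import re

# Working-directory names the report ties to ElizaRAT under %appdata%.
SUSPICIOUS_DIRS = {"slackapi", "basefilteringengine", "circlecpl"}
# C2 / payload-hosting IPs listed in the report (defanged there, plain here).
C2_IPS = {"84.247.135.235", "83.171.248.67", "38.54.84.83", "143.110.179.176", "64.227.134.248"}
MAX_INTERVAL_SECONDS = 5 * 60  # report: payloads scheduled "every five minutes"
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_event(line: str) -> dict[str, str]:
    """Turn a constructed 'key=value key="quoted value"' telemetry line into a dict."""
    return {k: (q if v.startswith('"') else v) for k, v, q in _KV.findall(line)}

def iso_duration_seconds(text: str) -> int:
    """Parse the ISO 8601 duration Task Scheduler uses for repetition (e.g. PT5M); -1 if malformed."""
    if not (m := _DUR.match(text)):
        return -1
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def rundll32_loads_from_suspicious_dir(cmd: str) -> bool:
    """True if rundll32 is handed a DLL under an %appdata% folder with an ElizaRAT-style name."""
    if not (m := re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmd, re.I)):
        return False
    parts = set(m.group(1).lower().replace("/", "\\").split("\\"))
    return "appdata" in parts and bool(SUSPICIOUS_DIRS & parts)

def detect(lines: list[str]) -> list[str]:
    """Return the rule name fired by each matching event, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "ProcessCreate" and rundll32_loads_from_suspicious_dir(ev.get("cmdline", "")):
            hits.append("rundll32-appdata-dll")
        elif kind == "TaskCreate" and "rundll32" in ev.get("action", "").lower():
            if 0 < iso_duration_seconds(ev.get("interval", "")) <= MAX_INTERVAL_SECONDS:
                hits.append("short-interval-rundll32-task")
        elif kind == "NetConnect" and ev.get("dst") in C2_IPS:
            hits.append("known-c2-ip")
    return hits

# Constructed sample telemetry (not from the report), one event per line.
SAMPLE_EVENTS = [
    r'type=ProcessCreate image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\u\AppData\Roaming\SlackAPI\SlackAPI.dll,Main"',
    r'type=TaskCreate name=Updater interval=PT3M action="rundll32.exe C:\Users\u\AppData\Roaming\BaseFilteringEngine\BaseFilteringEngine.dll,Start"',
    r'type=ProcessCreate image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"',
    r'type=NetConnect image=C:\Windows\System32\rundll32.exe dst=84.247.135.235 port=80',
    r'type=TaskCreate name=Backup interval=P1D action="C:\Program Files\Backup\backup.exe"',
]
```

Running `detect(SAMPLE_EVENTS)` fires the first, second and fourth events and leaves the benign rundll32 and daily backup task alone; in production the same rules map onto Sysmon event IDs 1, 3 and the TaskScheduler operational log.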

In summary, ElizaRAT’s evolution reflects APT36’s shift to a modular, cloud-enabled toolkit that blends data collection, staged local storage, and flexible C2 channels. The integration of ApoloStealer and ConnectX expands the group’s capability to harvest both local and removable-drive data, while CPL-based droppers, scheduled tasks, and timezone gating demonstrate careful operational tradecraft to evade detection and limit collateral impact. Organizations that match the observed targeting profile should monitor for the described artefacts, hunt for anomalous scheduled tasks and rundll32 executions, and scrutinize inbound files with CPL extensions and associated decoys.

Read more: https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/