APT36, a Pakistan-based cyber espionage group, is conducting sophisticated phishing campaigns targeting Indian defense personnel by distributing malicious PDFs that mimic official government documents to steal credentials. The malware employs advanced anti-analysis methods, keylogging, and encrypted communication to maintain long-term access and exfiltrate sensitive data. #APT36 #TransparentTribe #IndiaDefense #PhishingCampaign #CYFIRMA
Key points
- APT36 uses phishing emails with malicious PDFs designed to imitate official Indian government documents such as those from the National Informatics Centre (NIC).
- The phishing workflow redirects victims to fake URLs that download ZIP archives containing disguised malicious executables (.pdf.exe) for credential theft.
- The malware utilizes anti-debugging, anti-VM, process injection, and obfuscation techniques to evade detection and analysis.
- Credential and data theft relies on keylogging, clipboard capture, and browser session hijacking, targeting saved browser credentials and whatever the user copies to the clipboard.
- The campaign’s command-and-control infrastructure leverages encrypted communication over Cloudflare-hosted domains and utilizes suspicious TLDs for concealment.
- CYFIRMA recommends enhanced email security, user awareness training, endpoint detection and response, multi-factor authentication, and continuous threat monitoring.
- Multiple indicators of compromise such as malicious file hashes, domains, and IP addresses are provided to aid in detection and mitigation.
MITRE Techniques
- [T1566] Phishing – Used to deliver malicious PDF attachments impersonating official documents. (‘APT36 distributes phishing emails containing an embedded PDF file named “PO-003443125.pdf”’)
- [T1566.001] Spearphishing Attachment – The PDFs contain a button leading to a malicious URL for malware download. (‘Clicking this button redirects a user to a fraudulent URL’)
- [T1203] Exploitation for Client Execution – The disguised executable compromises the system once the user runs it. (‘When executed, can compromise the target system by enabling unauthorized access’)
- [T1059] Command and Scripting Interpreter – Malicious scripts embedded and executed in-memory for stealthy payload delivery. (‘It then loads and locks this resource… enabling fileless or in-memory execution’)
- [T1542.003] Bootkit – Persistence through pre-OS boot malware to maintain long-term access. (‘T1542.003 Bootkit’ listed under Persistence)
- [T1574.002] DLL Side-Loading – Malware loads unauthorized DLLs for execution. (‘LoadLibraryExW function loads a DLL into a process address space’)
- [T1055] Process Injection – Injects code into other processes, evading detection. (‘Process Injection’ used for privilege escalation and code injection)
- [T1014] Rootkit – Malware hides artifacts and manipulates system components to evade defenses. (‘Rootkit’ listed under Defense Evasion)
- [T1036] Masquerading – Using deceptive file names and icons (.pdf.exe) to appear legitimate. (‘Double extension (.pdf.exe), a classic obfuscation technique’)
- [T1056.001] Keylogging – Captures user keystrokes via API hooks. (‘GetAsyncKeyState and GetKeyState are utilized to monitor and capture keystrokes’)
- [T1115] Clipboard Data – Accesses clipboard contents to steal sensitive data. (‘OpenClipboard, IsClipboardFormatAvailable, and GetClipboardData are used to access clipboard contents’)
- [T1071] Application Layer Protocol – Uses network functions to communicate with command and control servers. (‘Malware utilizes socket, connect, bind, listen, send, and closesocket functions’)
Indicators of Compromise
- [File Hashes] Malicious files used in the phishing campaign – PO-003443125.pdf (MD5: 6ee3b0f4cb84e18751e7088043741e9a), PO-003443125.pdf.7z (MD5: cdb9fb87dcb44d8f3040f4fb87d89508), PO-003443125.pdf.exe (MD5: 154f4cdcd4b822314293ad566d7255fa)
- [Domains] Command and control and phishing infrastructure – SuperPrimeServices.com, Advising-Receipts.com, FunDay24.ru, slotgacorterbaru.xyz, servisyeni.xyz, chillchad.xyz
- [IP Addresses] Network hosts associated with malicious infrastructure – 76.223.54.146, 188.114.97.7, 13.248.169.48, 84.32.84.32, 217.114.10.11
- [File Names] Phishing attachment and payload indicators – PO-003443125.pdf, PO-003443125.pdf.7z, PO-003443125.pdf.exe
- [URLs] Malicious download location – hXXps://superprimeservices[.]com/nishat/order/PO-003443125.pdf.7z
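As an added defender-side example (not code from the CYFIRMA report), the helper below refangs the defanged URL notation used above, matches the listed MD5 hashes and domains, and flags the .pdf.exe double-extension masquerading called out under T1036; the space-separated "user url md5 filename" log format and the three sample lines are constructed assumptions.

```python
from urllib.parse import urlparse

# Indicators copied from the IoC list above (MD5 hashes and C2/phishing domains).
IOC_MD5 = {
    "6ee3b0f4cb84e18751e7088043741e9a",
    "cdb9fb87dcb44d8f3040f4fb87d89508",
    "154f4cdcd4b822314293ad566d7255fa",
}
IOC_DOMAINS = {
    "superprimeservices.com", "advising-receipts.com", "funday24.ru",
    "slotgacorterbaru.xyz", "servisyeni.xyz", "chillchad.xyz",
}
# Document extensions commonly used as the decoy half of a double extension,
# and executable extensions that actually run when double-clicked.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

def refang(url: str) -> str:
    """Undo the hXXps:// and [.] defanging used in IoC feeds so the URL can be parsed."""
    return url.replace("hXXp", "http").replace("hxxp", "http").replace("[.]", ".")

def is_double_extension(filename: str) -> bool:
    """True for names like PO-003443125.pdf.exe: a document extension masking an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS

def triage(line: str) -> list[str]:
    """Return the reasons a constructed 'user url md5 filename' download-log line is suspicious."""
    user, url, md5, filename = line.split()
    reasons = []
    host = urlparse(refang(url)).hostname or ""
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"ioc-domain:{host}")
    if md5.lower() in IOC_MD5:
        reasons.append(f"ioc-md5:{md5.lower()}")
    if is_double_extension(filename):
        reasons.append(f"double-extension:{filename}")
    return reasons

# Constructed sample log lines: one hit on the reported URL and archive hash, one hit on the
# renamed payload delivered via an internal share, and one benign download.
SAMPLE_LOG = [
    "alice hXXps://superprimeservices[.]com/nishat/order/PO-003443125.pdf.7z cdb9fb87dcb44d8f3040f4fb87d89508 PO-003443125.pdf.7z",
    "bob https://intranet.example/forms/PO-003443125.pdf.exe 154f4cdcd4b822314293ad566d7255fa PO-003443125.pdf.exe",
    "carol https://intranet.example/forms/leave-policy.pdf 00000000000000000000000000000000 leave-policy.pdf",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.split()[0], triage(entry) or "clean")
```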