Threat Research

Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government

Seqrite
Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government
EXTRACT IOC
An APT group from Pakistan, known as Transparent Tribe (APT36), has been exploiting the “Pahalgam Terror Attack” to deceive Indian government officials through phishing campaigns. The attackers use mixed tactics of credential phishing and deploying malicious payloads via deceptively crafted documents. Fake domains impersonating legitimate Indian police and military websites were created to trap targets. Affected: Indian Government, Indian Defense, Cybersecurity

Keypoints :

  • Transparent Tribe (APT36) targets Indian government personnel using “Pahalgam Terror Attack” themed documents.
  • The campaign involves phishing and deploying malicious payloads through fake domains.
  • Phishing documents are disguised as updates and reports related to the terror attack.
  • Malicious documents contain embedded links that deceitfully redirect to a fake login page.
  • A PowerPoint file (PPAM) with malicious macros has been identified, which extracts embedded payloads.
  • The Crimson RAT malware is delivered and can execute multiple commands for espionage.
  • Phishing infrastructure was created shortly after the attack, showing rapid exploitation of current events.
  • Recommendations include email screening, restricting macro execution, and user awareness training.

MITRE Techniques :

  • Phishing for Information: Spearphishing Link (T1598.003) – Used to collect information from targets via deceptive links.
  • Acquire Infrastructure: Domains (T1583.001) – Creation of fraudulent domains to impersonate legitimate infrastructure.
  • Phishing: Spearphishing Attachment (T1566.001) – Utilized malicious document attachments to deliver payloads.
  • User Execution: Malicious Link (T1204.001) – Executed when the target clicks on the malicious link in the phishing document.
  • Command and Scripting Interpreter: Visual Basic (T1059.005) – Malicious macros implemented for payload execution.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Used to maintain persistence on infected systems.
  • System Owner/User Discovery (T1033) – Identified and targeted individuals based on system ownership.
  • Data from Local System (T1005) – Collected sensitive data from the infected system.
  • Exfiltration Over C2 Channel (T1041) – Transmitted gathered information back to the command and control server.

Indicator of Compromise :

  • [Hash] c4fb60217e3d43eac92074c45228506a
  • [Hash] 172fff2634545cf59d59c179d139e0aa
  • [Hash] 7b08580a4f6995f645a5bf8addbefa68
  • [URL] hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/
  • [Domain] jkpolice[.]gov[.]in[.]kashmirattack[.]exposed

Full Story: https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/

Views: 124

Tags: PERSISTENCE, MONITOR, EXFILTRATION, INITIAL ACCESS, PAYLOAD, COLLECTION, GOVERNMENT, DISCOVERY