APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations

APT-36 (Transparent Tribe) targets Indian government personnel with evolving TTPs, including malvertising, credential harvesting, and a newly documented data exfiltration tool named Limepad. Zscaler ThreatLabz explains how the group abuses Google Ads and third-party stores to push backdoored Kavach MFA apps and describes Limepad’s capabilities and procedures.

Keypoints

  • APT-36 (Transparent Tribe) is a Pakistan-based APT group that focuses on employees of Indian government-related organizations; the tradecraft summarized here was documented in 2022.
  • The group uses malvertising and credential harvesting, including domains impersonating Kavach download portals and government login pages.
  • Distribution relies on attacker-registered domains and WordPress-hosted pages; the group also abuses third-party app stores to steer users to backdoored Kavach variants.
  • A previously undocumented data exfiltration tool, Limepad, was discovered; it is delivered inside a VHDX image and compiled with PyInstaller.
  • Limepad keeps a local SQLite database, uses configurable file-sync rules, and talks to its C2 over HTTP, sending an Auth_Token header on every request.
  • The attack chain runs through four stages: a fake Kavach installer with forged metadata (Stage-1), a PyInstaller-compiled payload (Stage-2), a loader (Stage-3), and a backdoor whose capabilities include snapshots and data exfiltration (Stage-4).
  • Credential-harvesting pages mimicked the NIC Kavach login and used geo-targeted redirection limited to visitors from India.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The threat actor used credential harvesting pages impersonating NIC Kavach login; ‘The phishing URL was well-crafted as it mimicked the full URL path of the legit Kavach NIC login page.’
  • [T1189] Drive-by Compromise – Malvertising campaign to lure users to download backdoored Kavach MFA apps; ‘The malvertising aspect of APT-36 group has not been previously documented, so in this blog we will shed some light on how the threat actor lures Indian government users to download backdoored Kavach multi-factor authentication (MFA) applications.’
  • [T1583.001] Acquire Infrastructure: Domains – The threat actor routinely registered new domains and hosted web pages impersonating the official Kavach application download portal; ‘The threat actor routinely registered new domains and hosted web pages impersonating as the official Kavach application download portal.’
  • [T1036] Masquerading – The fake Kavach installer masquerades as a legitimate Kavach installer with fake metadata; ‘The fake installer is a .NET binary which masquerades as a legit Kavach application installer and uses fake metadata information.’
  • [T1027] Obfuscated/Compressed Files and Information – Stage-2 payload is a PyInstaller-compiled Python binary; ‘The Stage-2 payload is a Python script compiled to an executable using PyInstaller.’
  • [T1547.001] Boot or Logon Autostart Execution – Limepad persists through an entry in the Windows Startup directory: a shortcut file named “Limepad.dll” that points to the malicious payload; ‘The Windows Startup directory with the name: “Limepad.dll” and it points to the local file path of the malicious payload.’
  • [T1071.001] Web Protocols – C2 communications over HTTP with an Auth_Token header; ‘In each request to the server, an HTTP request header field called “Auth_Token” will be present.’
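The Startup-directory persistence in the T1547.001 bullet can be hunted for with a short audit of the per-user Startup folder. The following is an added example, not code from the Zscaler post or from Limepad itself. It assumes the entry is an Internet-shortcut-style file (the page names it "Limepad.dll" and says it points at a local payload path); the sample folder, the payload path C:\Users\victim\AppData\Roaming\Limepad\limepad.exe and the other file names are constructed, and the folder is built in a temp directory so the script runs on any OS.

```python
"""Startup-folder persistence audit for the T1547.001 behaviour above.

Added example, not code from the Zscaler post. It assumes the Limepad entry
is an Internet-shortcut-style file in the per-user Startup folder that points
at a payload under a user-writable path; every sample file below is
constructed. It runs on any OS by building the folder in a temp directory.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Directories a logon item should rarely launch from (installer-dropped
# payloads usually live in AppData, ProgramData, Public or Temp).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|programdata\\|users\\public\\|"
    r"windows\\temp\\|temp\\)",
    re.IGNORECASE,
)
SHORTCUT_EXTS = {".lnk", ".url"}


def read_url_shortcut(path: Path):
    """Return the URL= target if the file is an [InternetShortcut], else None."""
    text = path.read_text(errors="ignore")
    if "[InternetShortcut]" not in text:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def local_path_from_url(target: str) -> str:
    """Turn file:///C:/a/b.exe into C:\\a\\b.exe; other targets pass through."""
    low = target.lower()
    if low.startswith("file:///"):
        return target[8:].replace("/", "\\")
    if low.startswith("file://"):          # file://server/share -> UNC path
        return "\\\\" + target[7:].replace("/", "\\")
    return target


def audit_entry(path: Path) -> list:
    """Return a list of findings for one Startup-folder entry."""
    findings = []
    ext = path.suffix.lower()
    target = read_url_shortcut(path)
    if target is not None:
        if ext != ".url":                   # shortcut content hiding behind another extension
            findings.append(f"url-shortcut content with extension {ext or '<none>'}")
        local = local_path_from_url(target)
        if USER_WRITABLE.match(local):
            findings.append(f"targets user-writable path {local}")
    elif ext not in SHORTCUT_EXTS:          # scripts/binaries dropped directly into Startup
        findings.append(f"non-shortcut file {path.name} in Startup")
    return findings


def scan_startup_dir(startup: Path) -> dict:
    """Map entry name -> findings, for entries that produced any."""
    results = {}
    for entry in sorted(startup.iterdir()):
        if entry.is_file() and entry.name.lower() != "desktop.ini":
            findings = audit_entry(entry)
            if findings:
                results[entry.name] = findings
    return results


def build_sample_startup_dir() -> Path:
    """Constructed Startup folder: a benign .lnk, a benign .url, the Limepad-style entry, a loose script."""
    d = Path(tempfile.mkdtemp(prefix="startup-"))
    (d / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00\x01\x14\x02\x00")   # fake .lnk header, not parsed here
    (d / "Vendor Portal.url").write_text("[InternetShortcut]\r\nURL=https://www.example.com/\r\n")
    (d / "Limepad.dll").write_text(
        "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Roaming/Limepad/limepad.exe\r\n"
    )
    (d / "update.vbs").write_text("WScript.Echo \"constructed sample\"\r\n")
    return d


if __name__ == "__main__":
    for name, findings in scan_startup_dir(build_sample_startup_dir()).items():
        print(name, "->", "; ".join(findings))
```

On a live host, point scan_startup_dir at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (and the all-users folder under ProgramData). Binary .lnk shortcuts are only treated as expected here; resolving their targets needs a dedicated .lnk parser.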

Indicators of Compromise

  • [Domain] Limepad C2 domains – ncloudup[.]com, gcloudsvc[.]com
  • [Domain] Credential harvesting sites – nic-updates[.]in, kavachmail-govin[.]rf[.]gd
  • [Domain] Attacker-registered Kavach domains – kavach-app[.]com, kavach-app[.]in, kavachauthentication.blogspot[.]com, kavachdownload[.]in, kavachguide[.]com, get-kavach[.]in, getkavach[.]com, kavachsupport[.]com
  • [IP] Post-infection IOC – 139.59.79[.]86
  • [URL] Post-infection IOC – 139.59.79[.]86/song.mp3
  • [URL] Decoy file URLs – hxxp://139.59.23[.]88/confirmation_id.pdf, hxxps://ncloudup[.]com/trendmic/details.pdf, hxxp://wzxdao[.]com/resultupdate.jpg
  • [MD5] File hashes – 123b180ed44531bfbac27c6eb0bbe01d, 3817590cf8bec4a768bb84405590272f, 0ed6451ffe34217e44355706f4900ecc
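As an added example (not from the Zscaler post), the indicators above and the Auth_Token convention from the T1071.001 bullet can be turned into a small web-proxy log matcher. The tab-separated log format, the sample lines, the internal and external IPs that are not on the IOC list, and the token values are all constructed; the Auth_Token check is kept separate from the IOC lookup so that a request to a C2 host not yet on the list still surfaces.

```python
"""Match the IOCs and the Limepad Auth_Token C2 convention against web-proxy logs.

Added example, not code from the Zscaler post. The indicators are the defanged
values listed above; the tab-separated log format and every log line are
constructed for this demo.
"""
import re

RAW_DOMAINS = [
    "ncloudup[.]com", "gcloudsvc[.]com",                      # Limepad C2
    "nic-updates[.]in", "kavachmail-govin[.]rf[.]gd",         # credential harvesting
    "kavach-app[.]com", "kavach-app[.]in", "kavachauthentication.blogspot[.]com",
    "kavachdownload[.]in", "kavachguide[.]com", "get-kavach[.]in",
    "getkavach[.]com", "kavachsupport[.]com",                  # fake Kavach portals
    "wzxdao[.]com",                                            # decoy host
]
RAW_IPS = ["139.59.79[.]86", "139.59.23[.]88"]
RAW_URLS = [
    "139.59.79[.]86/song.mp3",
    "hxxp://139.59.23[.]88/confirmation_id.pdf",
    "hxxps://ncloudup[.]com/trendmic/details.pdf",
    "hxxp://wzxdao[.]com/resultupdate.jpg",
]


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging so values can be compared with live logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def strip_scheme(url: str) -> str:
    return re.sub(r"^https?://", "", url, count=1)


DOMAINS = {refang(d).lower() for d in RAW_DOMAINS}
IPS = {refang(i) for i in RAW_IPS}
URLS = {strip_scheme(refang(u)).lower() for u in RAW_URLS}   # host + path, scheme-agnostic


def host_matches(host: str, domains=DOMAINS) -> bool:
    """Exact or subdomain match (cdn.kavach-app.com hits kavach-app.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str) -> dict:
    """Constructed format: ts, src_ip, method, host, uri, 'Header=value;Header=value'."""
    ts, src, method, host, uri, hdrs = line.split("\t")
    headers = {}
    for kv in filter(None, hdrs.split(";")):
        k, _, v = kv.partition("=")
        headers[k.strip().lower()] = v.strip()
    return {"ts": ts, "src": src, "method": method, "host": host, "uri": uri, "headers": headers}


def classify(req: dict) -> list:
    """Reasons a request is suspicious; an empty list means clean."""
    reasons = []
    if host_matches(req["host"]):
        reasons.append("ioc_domain")
    if req["host"] in IPS:
        reasons.append("ioc_ip")
    if (req["host"].lower() + req["uri"].lower()) in URLS:
        reasons.append("ioc_url")
    # Behavioural signal independent of the IOC list: Limepad sends an
    # Auth_Token request header on every call to its C2.
    if "auth_token" in req["headers"]:
        reasons.append("auth_token_header")
    return reasons


def analyze(log_text: str) -> list:
    """Return one alert per suspicious request, in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        req = parse_line(line)
        reasons = classify(req)
        if reasons:
            alerts.append({"ts": req["ts"], "src": req["src"],
                           "host": req["host"], "uri": req["uri"], "reasons": reasons})
    return alerts


# Constructed sample log: a decoy download, a C2 upload, a benign request, a
# hit on the IP/URL indicators, and a request to an unlisted host that still
# carries the Auth_Token header.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2022-09-01T10:00:01Z", "10.1.2.3", "GET", "ncloudup.com", "/trendmic/details.pdf", "User-Agent=python-requests/2.28"),
    ("2022-09-01T10:00:05Z", "10.1.2.3", "POST", "gcloudsvc.com", "/api/upload", "Auth_Token=c0ffee;Content-Type=application/json"),
    ("2022-09-01T10:00:09Z", "10.1.2.4", "GET", "www.example.org", "/index.html", "User-Agent=Mozilla/5.0"),
    ("2022-09-01T10:01:00Z", "10.1.2.5", "GET", "139.59.79.86", "/song.mp3", "User-Agent=curl/7.81"),
    ("2022-09-01T10:02:00Z", "10.1.2.6", "POST", "203.0.113.7", "/sync", "Auth_Token=a1b2c3"),
])

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["src"], a["host"] + a["uri"], ",".join(a["reasons"]))
```

The last sample line shows why the header check matters: 203.0.113.7 is on no list, yet the request still fires on auth_token_header alone, which is the kind of hit to pivot on when the actor rotates C2 infrastructure. Header-level matching needs a proxy or sensor that logs request headers; plain URL-only logs will only catch the IOC matches.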

Read more: https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations