The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe has targeted Indian government organizations, military personnel, defense contractors, and educational entities by using the Indian government-mandated two-factor authentication (2FA) software Kavach as a ruse to deploy a new Linux backdoor called Poseidon.
Poseidon is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host, including logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways.
Users working within the Indian government are advised to double-check URLs received in emails before opening them as the fake Kavach apps are primarily distributed through rogue websites disguised as legitimate Indian government sites.
When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them, and the payload is downloaded in the background, compromising the user’s system.
The starting point of the infections is an ELF malware sample, a compiled Python executable that is engineered to retrieve the second-stage Poseidon payload from a remote server.
Cybersecurity firm Uptycs tracks Transparent Tribe under the aliases APT36, Operation C-Major, PROJECTM, and Mythic Leopard. The group has a history of targeting Indian government organizations and has repeatedly leveraged trojanized versions of Kavach to deploy malware such as CrimsonRAT and LimePad to harvest valuable information.
The attacks indicate attempts made by the threat actor to expand its attack spectrum beyond Windows and Android ecosystems, specifically targeting Linux users working for Indian government agencies. The repercussions of this APT36 attack could be significant, leading to the loss of sensitive information, compromised systems, financial losses, and reputational damage.
The use of social engineering as the primary attack vector by Transparent Tribe highlights the importance of users being cautious when receiving emails and double-checking URLs before opening them to avoid falling prey to cyber attacks.
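The advice above (and in the earlier paragraph on rogue websites disguised as legitimate Indian government sites) to double-check URLs before opening them is easy to state and hard to do by eye, because the tricks that make a fake Kavach site look genuine (a trusted domain used as a leading subdomain label, a trusted domain placed in the userinfo part of the URL, a one-character typosquat, a homoglyph in an internationalised name) are exactly the ones a quick glance misses. The following is an added example, not code from the original article or from Uptycs, that performs those checks mechanically. The trusted-suffix allowlist, the sample URLs and the lookalike heuristics are all constructed for the example; only the brand keyword "kavach" comes from the article.

```python
"""Flag links that imitate legitimate Indian government domains.

Added illustrative example; not code from the original article or from Uptycs.
Assumptions: the allowlist, the sample URLs and the heuristics below are
constructed for this example and are not indicators from the report.
"""
from urllib.parse import urlsplit
import unicodedata

# Constructed allowlist (assumption): suffixes under which genuine services live.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")
# Brand keyword that the fake sites imitate (named in the article).
BRAND_KEYWORDS = ("kavach",)


def normalise_host(url: str) -> str:
    """Extract the host from a URL, lower-cased and Unicode-normalised.
    Userinfo, port and trailing dot are dropped, so 'https://gov.in@evil.example:8443/'
    yields 'evil.example' and the 'gov.in' decoy in the userinfo part is ignored."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """Anchored suffix match: the host must BE a trusted domain or end in
    '.<trusted domain>'. 'gov.in.evil.example' therefore does NOT pass."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('g0v.in' from 'login.g0v.in'). Adequate for
    the suffixes used here; a real deployment would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def lookalike_reasons(host: str) -> list[str]:
    """Heuristics explaining WHY an untrusted host resembles a trusted one."""
    reasons = []
    # 1. Trusted domain used as a leading label: 'kavach.gov.in.evil.example'.
    if any(("." + s + ".") in ("." + host) for s in TRUSTED_SUFFIXES):
        reasons.append("trusted domain embedded as a subdomain label")
    # 2. Internationalised names can hide homoglyphs (Cyrillic 'о' for Latin 'o').
    if "xn--" in host or not host.isascii():
        reasons.append("internationalised domain name (possible homoglyph)")
    # 3. Typosquats of the registrable domain: 'g0v.in' is one edit from 'gov.in'.
    reg = registrable_domain(host)
    for s in TRUSTED_SUFFIXES:
        if reg != s and levenshtein(reg, s) <= 2:
            reasons.append(f"registrable domain {reg!r} is within 2 edits of {s!r}")
    # 4. Brand keyword on a domain that is not the brand's own.
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword on an untrusted domain")
    return reasons


def classify_url(url: str) -> tuple[str, list[str]]:
    """Return ('trusted' | 'suspicious' | 'untrusted', reasons).
    'untrusted' means only that no trusted suffix matched; it is not 'safe'."""
    host = normalise_host(url)
    if not host:
        return "untrusted", ["no host in URL"]
    if is_trusted_host(host):
        return "trusted", []
    reasons = lookalike_reasons(host)
    return ("suspicious" if reasons else "untrusted"), reasons


# Constructed sample links for the example; none are real indicators.
SAMPLE_URLS = [
    "https://kavach.mail.gov.in/login",                            # trusted
    "https://kavach.gov.in.secure-download.example/Kavach.deb",   # subdomain trick
    "https://g0v.in/kavach",                                       # typosquat
    "https://gov.in@evil.example/",                                # userinfo decoy
    "https://g\u043ev.in/",                                        # Cyrillic 'о'
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, why = classify_url(u)
        print(f"{verdict:10} {u}  {'; '.join(why)}")
```

The design point is that the trusted check is anchored at the end of the host and nothing else: the path, the userinfo and the leading labels are never consulted for trust, because those are precisely the places an attacker controls. The lookalike heuristics only run on hosts that have already failed the trust check, so they add explanation, not trust.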