In a recent cybersecurity development, the Pakistan-based advanced persistent threat (APT) group called Transparent Tribe, also known as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been discovered employing a deceptive strategy to infiltrate Indian government agencies. Transparent Tribe has a history of targeting Indian government organizations, military personnel, defense contractors, and educational institutions.
The group has reportedly used a two-factor authentication (2FA) tool, which is widely used by Indian government agencies, to deliver a new Linux backdoor named Poseidon. According to a technical report published by Uptycs security researcher Tejaswini Sandapolla, Poseidon is a second-stage payload malware associated with Transparent Tribe. This general-purpose backdoor allows attackers to seize control of an infected host, providing them with extensive capabilities such as logging keystrokes, capturing screenshots, uploading and downloading files, and administering the system remotely in various ways.
Transparent Tribe has previously exploited trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy an assortment of malware like CrimsonRAT and LimePad with the intent to extract valuable information. A phishing campaign discovered in late 2022 employed weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.
The latest series of attacks involves a trojanized version of Kavach aimed at Linux users working for Indian government agencies, which signals the threat actor's intent to broaden its attack scope beyond the Windows and Android ecosystems. Sandapolla explains that when a user interacts with the malicious version of Kavach, the authentic login page is displayed as a distraction while the payload is surreptitiously downloaded in the background, thereby compromising the user's system.
The infection's origin is traced to an ELF malware sample, which is a compiled Python executable designed to fetch the second-stage Poseidon payload from a remote server. The cybersecurity firm observed that the counterfeit Kavach apps are predominantly distributed through rogue websites masquerading as genuine Indian government sites, such as www.ksboard[.]in and www.rodra[.]in.
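The report above describes the first stage as an ELF file that is really a compiled Python program. The following triage script is an added example, not code from the Uptycs report or the threat actor, and it assumes the sample was packed with PyInstaller (the report does not name the packer); it flags ELF files that carry PyInstaller's archive cookie, on constructed sample bytes rather than real malware.

```python
import os

ELF_MAGIC = b"\x7fELF"
# Archive cookie that PyInstaller's bootloader writes into every bundled
# executable (assumption: the sample was built with PyInstaller; the report
# only says "compiled Python executable").
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Weaker corroborating strings present in the PyInstaller bootloader.
WEAK_HINTS = (b"_MEIPASS2", b"pyi-runtime-tmpdir", b"libpython")


def classify(data: bytes) -> dict:
    """Return ELF / compiled-Python verdicts for one file's bytes."""
    is_elf = data.startswith(ELF_MAGIC)
    has_cookie = PYINSTALLER_COOKIE in data
    hints = [h.decode() for h in WEAK_HINTS if h in data]
    return {
        "is_elf": is_elf,
        "pyinstaller_cookie": has_cookie,
        "hints": hints,
        # Only an ELF that carries the cookie gets the verdict; weak hints
        # are reported for the analyst but do not trigger it on their own.
        "compiled_python_elf": is_elf and has_cookie,
    }


def scan_dir(root: str) -> list:
    """Walk a directory tree; return paths of ELF files embedding a PyInstaller archive."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or special file, skip it
            if classify(data)["compiled_python_elf"]:
                flagged.append(path)
    return flagged


# Constructed sample bytes (not real malware): an ELF header, padding, one
# bootloader string, and the archive cookie near the end of the file.
SAMPLE_BUNDLED = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + b"_MEIPASS2\x00"
                  + b"\x00" * 32 + PYINSTALLER_COOKIE + b"\x00" * 16)
SAMPLE_PLAIN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 128

if __name__ == "__main__":
    for label, blob in (("bundled", SAMPLE_BUNDLED), ("plain", SAMPLE_PLAIN_ELF)):
        print(label, classify(blob))
```

The cookie check is a packer fingerprint, not a malware verdict: legitimate PyInstaller builds match too, so flagged files still need analyst review.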
As social engineering remains the principal attack vector employed by Transparent Tribe, it is strongly advised that users working within the Indian government verify the URLs they receive in emails before opening them. Sandapolla warns that the consequences of this APT36 attack could be severe, potentially leading to the loss of sensitive information, compromised systems, financial losses, and reputational damage.