The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe has used a two-factor authentication (2FA) tool deployed by Indian government agencies as a lure to deliver a new Linux backdoor called "Poseidon".
Poseidon gives its operators a range of capabilities on an infected host, including keylogging, file access, screen recording, and remote administrative control.
It is a second-stage payload delivered through a fake version of the Kavach two-factor authentication app, which Indian government agencies use to provide secure access to their email services.
Tejaswini Sandapolla of Uptycs stated in a technical report that "Poseidon is a second-stage payload malware associated with Transparent Tribe".
The report further describes it as "a general-purpose backdoor that enables attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways".
Transparent Tribe is also tracked as APT36, Operation C-Major, Mythic Leopard, and PROJECTM.
It possesses a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.
The group has repeatedly used trojanized versions of Kavach, the 2FA software mandated by the Indian government, to spread malware families such as Crimson RAT and LimePad and harvest sensitive data.
Last year, another phishing campaign used weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.
The most recent attacks target Linux users employed by Indian government organizations with a backdoored version of Kavach, signalling an effort by the threat actor to broaden its operations beyond the Windows and Android ecosystems.
According to Sandapolla, “When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them”.
In the meantime, "the payload is downloaded in the background, compromising the user's system".
The starting point of the infection chain is an ELF malware sample, a compiled Python executable engineered to retrieve the second-stage Poseidon payload from a remote server.
The cybersecurity company observed that rogue websites posing as official Indian government sites are the main means by which the fake Kavach apps are distributed.
These websites include ksboard[.]in and www.rodra[.]in.
Since social engineering is a primary attack vector for Transparent Tribe, users working for the Indian government should verify URLs received in emails before opening them.
Sandapolla said, “Repercussions of this APT36 attack could be significant, leading to loss of sensitive information, financial losses, compromised systems, and reputational damage”.