IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools


November 8, 2024 at 07:51AM

High-profile entities in India are being targeted by the Pakistan-based Transparent Tribe and the new China-linked IcePeony cyber espionage groups. Transparent Tribe uses ElizaRAT and ApoloStealer malware, while IcePeony employs SQL Injection and web shells to steal credentials. Both groups demonstrate sophisticated attack methodologies and tools.

### Meeting Takeaways – Cyber Espionage / Threat Intelligence (November 8, 2024)

1. **Threat Actors Overview:**
– **Transparent Tribe**: A Pakistan-based group, active since 2013 and operating under multiple aliases (e.g., APT36, Datebug), that targets high-profile entities in India using ElizaRAT and ApoloStealer malware.
– **ElizaRAT**: A Windows remote access tool, first observed in July 2023, that leverages cloud-based services (Telegram, Google Drive, Slack) for command-and-control operations.
– **ApoloStealer**: Extracts various file types from compromised systems, showcasing a new method to enhance data exfiltration capabilities.

2. **Targeted Infection Tactics:**
– Transparent Tribe delivers Control Panel (CPL) files through spear-phishing campaigns.
– Recent trends show increased targeting of Linux systems due to the Indian government’s use of a customized Ubuntu OS (Maya OS).
– Multiple distinct campaigns involving ElizaRAT have been launched between December 2023 and August 2024.

3. **Evolution of Malware:**
– New components introduced, including a dropper for ElizaRAT and an additional module named ConnectX, which specifically targets external drives (USB).
– The threat landscape is increasingly complicated due to the abuse of legitimate enterprise services, making detection more challenging.
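Two of the behaviours listed in items 1 through 3 leave footprints that endpoint telemetry can surface: a Control Panel (.cpl) file launched from a user-writable path (the spear-phishing delivery) and an outbound connection to Telegram, Google Drive or Slack from a process that is not a normal client of those services (the cloud-based C2). The script below is an added example, not code from the article or from any vendor; the event records, field names and the list of "expected" client binaries are assumptions constructed for illustration, not indicators from the report.

```python
"""Triage constructed endpoint telemetry for two behaviours described above:
.cpl files executed from user-writable locations, and outbound connections
to cloud services commonly abused for command-and-control.
Every event and every rule value here is a constructed example."""
import re
from dataclasses import dataclass

# Constructed events modelled loosely on Sysmon process-create and
# network-connect records. The field names are assumptions.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'control.exe "C:\Users\alice\AppData\Local\Temp\invite.cpl"'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "dest_host": "slack.com", "dest_port": 443},
]

# Locations where a phishing attachment typically lands before it is opened.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# Extracts the first Windows path ending in .cpl from a command line.
CPL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.cpl)"?', re.I)
# Services the article names as ElizaRAT C2 channels. Legitimate traffic to them
# is common, so the rule only fires when the connecting process is unexpected.
CLOUD_C2_HOSTS = {"api.telegram.org", "drive.google.com", "slack.com"}
EXPECTED_CLOUD_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe",
                          "slack.exe", "googledrivefs.exe"}  # constructed allowlist


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Flag a .cpl file executed from a user-writable path via control.exe/rundll32."""
    if basename(ev["image"]) not in {"control.exe", "rundll32.exe"}:
        return None
    m = CPL_ARG.search(ev["cmdline"])
    if m and USER_WRITABLE.search(m.group(1)):
        return Finding("cpl_from_user_path", ev["image"], m.group(1))
    return None


def check_network(ev):
    """Flag a cloud C2 host contacted by a process that is not a known client."""
    if ev["dest_host"] in CLOUD_C2_HOSTS and basename(ev["image"]) not in EXPECTED_CLOUD_CLIENTS:
        return Finding("cloud_c2_unexpected_process", ev["image"], ev["dest_host"])
    return None


def triage(events):
    findings = []
    for ev in events:
        f = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.detail}")
```

The second process event (a system .cpl opened from System32) and the browser's connection to Google Drive are deliberately benign so the rules show their false-positive boundary: the path check, not the mere use of control.exe, is what separates the phishing case, and the process allowlist, not the destination alone, is what separates the C2 case.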

4. **IcePeony Threat Group:**
– A previously unknown Chinese-affiliated APT targeting government, academic, and political sectors in India, Mauritius, and Vietnam since 2023.
– Attack methods include SQL Injection and backdoor exploits, with a focus on credential theft.
– **Key Tools**:
– **IceCache**: Targets Microsoft IIS, incorporating file transmission and command execution features.
– **IceEvent**: A passive-mode backdoor allowing file control and command execution.
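Item 4 pairs SQL injection with web shells on IIS hosts, and both are visible in the server's own W3C logs: injection probes show up as decoded query strings containing SQL fragments, and a web shell typically shows up as requests to a server-side script that was never part of the deployment. The scanner below is an added example (not code from the article or from any IcePeony report); the log lines, the script manifest and the regular expression are constructed assumptions for illustration.

```python
"""Scan constructed IIS W3C log lines for SQL-injection probes and for requests
to server-side scripts that are absent from the deployment manifest (a common
web-shell footprint). Log lines, paths and rule values are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed W3C fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
IIS_LOG = """\
2024-11-01 09:12:01 10.0.0.5 GET /portal/news.aspx id=12 203.0.113.7 200
2024-11-01 09:12:03 10.0.0.5 GET /portal/news.aspx id=12%27+OR+1%3D1-- 203.0.113.7 200
2024-11-01 09:12:05 10.0.0.5 GET /portal/news.aspx id=12+UNION+SELECT+username%2Cpassword+FROM+users 203.0.113.7 500
2024-11-01 09:13:10 10.0.0.5 POST /portal/login.aspx - 198.51.100.3 302
2024-11-01 09:14:22 10.0.0.5 POST /uploads/theme.aspx - 203.0.113.7 200
2024-11-01 09:14:25 10.0.0.5 POST /uploads/theme.aspx - 203.0.113.7 200
"""

# Matched against the URL-decoded query string, so encoded probes are caught too.
SQLI = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b"   # UNION-based extraction
    r"|\b(or|and)\b\s+\d+\s*=\s*\d+"        # tautology such as OR 1=1
    r"|'\s*(or|and)\b"                      # quote breaking out of a literal
    r"|--\s*$"                              # trailing comment
    r"|;\s*(drop|exec|xp_)"                 # stacked statement
    r"|\bwaitfor\s+delay\b)"                # time-based probe
)
# Constructed deployment manifest: every script the application legitimately serves.
KNOWN_SCRIPTS = {"/portal/news.aspx", "/portal/login.aspx"}
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")


def parse(line):
    date, time, s_ip, method, stem, query, c_ip, status = line.split()
    return {"ts": f"{date} {time}", "method": method, "stem": stem.lower(),
            "query": "" if query == "-" else unquote_plus(query),
            "client": c_ip, "status": int(status)}


def classify(rec):
    """Return the rule names that fire for one parsed request."""
    hits = []
    if SQLI.search(rec["query"]):
        hits.append("sqli_probe")
    if rec["stem"].endswith(SCRIPT_EXT) and rec["stem"] not in KNOWN_SCRIPTS:
        hits.append("unknown_script")  # script not in the manifest: possible web shell
    return hits


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        for rule in classify(rec):
            findings.append((rec["ts"], rec["client"], rule, rec["stem"]))
    return findings


def clients_by_rule(findings):
    """Count findings per (client IP, rule) so repeated probing stands out."""
    counts = Counter()
    for _, client, rule, _ in findings:
        counts[(client, rule)] += 1
    return counts


if __name__ == "__main__":
    found = scan(IIS_LOG)
    for ts, client, rule, stem in found:
        print(f"{ts} {client} {rule} {stem}")
    print(dict(clients_by_rule(found)))
```

The manifest check is the part worth keeping in production: because W3C logs never record POST bodies, a web shell's commands are invisible, but the script it lives in is not, and comparing requested script paths against what was actually deployed catches it regardless of how the shell is driven.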

5. **Operational Insights:**
– Evidence suggests organized, professional operations with a structured attack schedule—most active six days a week, with a day off on Sunday.

These insights reflect the evolving landscape of cyber threats aimed at key sectors within India and underscore the necessity for heightened cybersecurity measures and awareness.
