2023-04-20

A Pakistan-based advanced persistent threat (APT) group known as Transparent Tribe has used a two-factor authentication (2FA) tool used by Indian government agencies as a pretext to deliver a new Linux backdoor called Poseidon.

Poseidon: what exactly is it?

“Poseidon is a second-stage payload malware associated with Transparent Tribe”, said Uptycs security researcher Tejaswini Sandapolla in a technical report released this week.

Sandapolla added: “It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its features include keystroke logging, screen capture, file upload and download, and remote system administration in various ways”.

Transparent Tribe is also known as APT36 (already known for cyber espionage operations against Meta), Operation C-Major, PROJECTM and Mythic Leopard, and has a track record of attacking Indian government organizations, military personnel, defense contractors and educational entities.

It has also repeatedly exploited Trojanized versions of Kavach, the Indian government’s mandatory 2FA software, to distribute a variety of malware, such as CrimsonRAT and LimePad, to gather valuable intelligence.

Another phishing campaign detected at the end of last year used weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.

The latest round of attacks involves the use of a backdoored version of Kavach to target Linux users working for Indian government agencies, indicating attempts by the threat group to expand its attack spectrum beyond the ecosystems of Windows and Android.

“When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them”, explained Sandapolla. “Meanwhile, the payload is downloaded in the background, compromising the user’s system”.

The starting point of the infection is an ELF malware sample, a compiled Python executable, designed to retrieve the second-stage Poseidon payload from a remote server.

Note that much of what runs on Linux (programs, applications, even parts of the Linux libraries themselves) is written in Python!

The cybersecurity firm noted that the fake Kavach applications are mostly distributed through fraudulent websites posing as legitimate Indian government sites. These include www.ksboard[.]in and www.rodra[.]in.

Since social engineering is the primary attack vector used by Transparent Tribe, users working within the Government of India are advised to double check URLs received via email before opening them.
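The "double check URLs" advice above can be turned into a small triage check that a help desk or mail gateway could run over an email body: extract every link, defang it for safe reporting, and sort it into a verdict. This is an added example, not code from the Uptycs report or from the article; the only page-derived values are the two fraudulent domains named above. The official-suffix allowlist, the lure keywords and the sample message are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Domains the article names as hosting the fake Kavach applications (from the Uptycs report).
KNOWN_FAKE_DOMAINS = {"ksboard.in", "rodra.in"}

# Assumption: genuine Indian government services are served under these suffixes.
# This allowlist is illustrative, not an authoritative list.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")

# Assumption: a hostname that borrows these words without an official suffix deserves a closer look.
LURE_KEYWORDS = ("kavach", "gov")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' removed; '' if the URL has no host."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str) -> str:
    """Verdict for one URL: known-fake, official-suffix, lookalike or unknown."""
    host = registrable_host(url)
    if host in KNOWN_FAKE_DOMAINS:
        return "known-fake"
    if host.endswith(OFFICIAL_SUFFIXES):
        return "official-suffix"
    if any(keyword in host for keyword in LURE_KEYWORDS):
        return "lookalike"
    return "unknown"


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage_email(body: str) -> list[tuple[str, str]]:
    """Return (defanged URL, verdict) for every URL in an email body, in order of appearance."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        results.append((defang(url), classify_url(url)))
    return results


# Constructed sample message for the demonstration, not a real lure.
SAMPLE_EMAIL = """Dear user,
Your Kavach client must be updated today: https://www.ksboard.in/kavach/download.
The official portal remains https://kavach.example.gov.in/, and our helpdesk is at http://kavach-support.example.com/.
"""

if __name__ == "__main__":
    for defanged, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {defanged}")
```

The "lookalike" bucket is deliberately noisy: it exists to make a human look twice, which is exactly what the advice above asks of users, while the "known-fake" bucket can be fed straight into a mail filter or proxy blocklist.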

“The consequences of this APT36 attack could be significant, leading to the loss of sensitive information, compromised systems, financial losses and reputational damage”, said Sandapolla.

Conclusion

To conclude, Transparent Tribe, also known as APT36, has once again demonstrated its ability to adapt and refine its attack tactics, as the Poseidon case shows.

By using a backdoored version of the two-factor authentication software mandated by Indian government agencies to deliver the Poseidon backdoor, the threat group has infected Linux systems and could cause severe and costly consequences.

It is important for users to remain vigilant and careful when dealing with suspicious emails and fraudulent websites. Organizations must also invest in user education and cybersecurity to protect their sensitive data and keep their reputation intact.

As with the Mac, don’t assume that using anything other than Windows (a Linux distro, in this case) automatically makes you immune to cyberthreats: it’s the habits that make the difference, not the operating system.