BleepingComputer reports that Indian government and defense organizations have been targeted by the Pakistan-linked threat group APT36, also known as Transparent Tribe, in a new and ongoing malware campaign, first discovered at the beginning of the month, that uses malicious Linux .desktop files as its initial lure.
APT36 has been distributing malicious emails carrying a .desktop file disguised as a PDF document. When opened, the file writes out a hex-encoded payload, marks it executable with 'chmod +x', and launches Firefox to display a Google Drive-hosted decoy PDF, while acting as a dropper for a Go-based ELF executable used for cyberespionage, according to separate reports from CYFIRMA and CloudSEK. CloudSEK further found that, beyond the evasion afforded by packing and obfuscation, the payload uses a bi-directional WebSocket channel for command-and-control communications, enabling data theft and remote command execution. Researchers at both CYFIRMA and CloudSEK noted that these findings point to APT36's increasingly sophisticated operations.
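The lure described above relies on the fact that a .desktop file's Exec= key runs arbitrary shell commands while the Name= and Icon= keys let it pose as a document. The following heuristic scanner is an added example, not code from the cited BleepingComputer, CYFIRMA or CloudSEK reports: it parses a .desktop file and flags the behaviours the reports describe (a document-looking entry whose Exec line decodes hex, writes to a temp path, runs chmod +x, and opens a Google Drive URL in a browser). The sample .desktop entries embedded in it are constructed for illustration, and the specific commands in them (xxd -r -p, the /tmp path, the Drive URL) are assumptions about how such a lure might be written, not indicators taken from the campaign.

```python
"""Heuristic scanner for lookalike-document .desktop files (added example).

Flags .desktop entries that present as a document but whose Exec= line
shows dropper behaviour: hex decoding, writing to a temp location,
chmod +x, and launching a browser on a Google Drive URL as a decoy.
"""
import configparser
import re

# Constructed sample (hypothetical, not a real campaign artifact): looks like a
# PDF in a file manager, but runs a shell pipeline when double-clicked.
SAMPLE_DESKTOP = """[Desktop Entry]
Name=Budget_Review_2025.pdf
Comment=PDF document
Type=Application
Terminal=false
Icon=application-pdf
Exec=bash -c "echo 7f454c46 | xxd -r -p > /tmp/.cache_upd; chmod +x /tmp/.cache_upd; /tmp/.cache_upd & firefox https://drive.google.com/file/d/EXAMPLE/view"
"""

# Constructed benign launcher for contrast.
BENIGN_DESKTOP = """[Desktop Entry]
Name=Firefox
Type=Application
Exec=firefox %u
Icon=firefox
"""

# (label, regex) pairs applied to the Exec= value. The patterns are assumptions
# about common ways to express each behaviour in a one-liner, not campaign IOCs.
EXEC_INDICATORS = [
    ("hex_decode", re.compile(r"xxd\s+-r|\\x[0-9a-fA-F]{2}|unhex|fromhex", re.I)),
    ("chmod_exec", re.compile(r"chmod\s+(\+x|[0-7]*7[0-7]*)", re.I)),
    ("tmp_write", re.compile(r">\s*/(tmp|dev/shm|var/tmp)/", re.I)),
    ("browser_decoy", re.compile(
        r"(firefox|chromium|google-chrome|xdg-open)\s+\S*drive\.google\.com", re.I)),
    ("shell_wrapper", re.compile(r"^\s*(ba|da|z)?sh\s+-c", re.I)),
]

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")


def analyze_desktop(text: str) -> dict:
    """Parse one .desktop file and return which indicators fired.

    .desktop files are INI-like, so configparser handles them; interpolation is
    disabled because Exec= values legitimately contain %u / %f field codes.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return {"valid": False, "indicators": [], "document_lookalike": False,
                "suspicious": False}

    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()

    hits = [label for label, rx in EXEC_INDICATORS if rx.search(exec_line)]

    # A launcher (Type=Application) whose name or icon claims to be a document.
    lookalike = entry.get("Type", "") == "Application" and (
        name.endswith(DOC_EXTENSIONS) or "pdf" in icon)

    # Decision rule (a tuning choice of this example): any Exec indicator on a
    # document lookalike, or two or more indicators on any launcher.
    suspicious = (lookalike and bool(hits)) or len(hits) >= 2
    return {"valid": True, "indicators": hits, "document_lookalike": lookalike,
            "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("constructed lure", SAMPLE_DESKTOP),
                          ("benign launcher", BENIGN_DESKTOP)):
        print(label, analyze_desktop(sample))
```

In practice this would be run over ~/Desktop, ~/.local/share/applications and any .desktop file arriving as an email attachment; note that an entry with Terminal=false and no visible window is exactly what a user sees when a "PDF" opens only a browser tab, so the browser-plus-decoy pattern is worth keeping even when the decoding step is obfuscated differently than the regex above expects.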