The cybercriminal group APT36 strengthens its malware with new techniques

APT36, a well-known hacking group linked to Pakistan, has recently unveiled a sophisticated evolution of its ElizaRAT malware. This malicious software, designed to infiltrate targeted systems and extract sensitive information, has been employed in a series of severe cyberattacks primarily aimed at Indian entities.   

T

his organization, with a long history of cyberattacks, including high-profile targets such as India’s Ministry of Defense, has proven to be a persistent and sophisticated threat.   

The latest versions of ElizaRAT have been fortified with advanced evasion tactics, making it increasingly difficult for security solutions to detect and neutralize the threat. These techniques include:   

• Process Injection: Embedding malicious code into legitimate processes to bypass security measures.   
• Rootkit Capabilities: Hiding the malware’s presence on infected systems.   
• Anti-Debugging Mechanisms: Preventing security researchers from analyzing its behavior.   

Additionally, the malware now has the ability to deliver a range of harmful payloads, including the potent ApoloStealer. Payloads are malware components designed to perform specific actions on compromised systems, such as stealing information or causing damage. For example, ApoloStealer is designed to exfiltrate sensitive data such as login credentials, financial information, and intellectual property, significantly increasing the impact of the attack.   

Flexible C2 Infrastructure   

APT36 has shown remarkable adaptability in its command-and-control (C2) infrastructure, leveraging various platforms to maintain persistent communication with compromised systems. C2 allows cybercriminals to maintain ongoing control over compromised machines, issue commands, exfiltrate data, or perform other malicious actions.   

Some observed C2 methods include:   

• Cloud-Based Services: Misusing legitimate cloud services like Slack and Google Drive to conceal malicious activity.   
• Domain Fronting: Masking malicious traffic by routing it through legitimate domains.   
• Rapidly Changing IP Networks: Quickly switching IP addresses to evade detection.   

By staying informed about the latest threat landscape and adopting proactive security measures, organizations can better protect themselves against APT36 and other malicious actors. This is especially critical given the increasing complexity of techniques such as payload delivery. For instance, payloads like ApoloStealer, used by ElizaRAT, are designed to extract sensitive data, making them highly effective tools for attackers.   

Key security measures 

• Regular Software Updates: Keeping all systems and software up to date with the latest security patches is essential to protect against known vulnerabilities that attackers can exploit. Security patches fix software flaws that could be used to insert malware, including zero-day malware—a type of malicious software that exploits vulnerabilities unknown to developers or security experts. It is called “zero-day” because attackers have zero days to exploit it before a patch or fix is released.
• Strong Authentication Policies: As we transition into a passwordless security era, strong password policies remain a critical step in protecting accounts. However, the future of cybersecurity lies beyond robust and unique passwords. While complex passwords—combinations of letters, numbers, and special characters—are essential to defend against brute-force attacks, transitioning to more secure methods like multi-factor authentication (MFA) or biometric identity verification is redefining digital protection. We are moving toward a time when passwords will be complemented by more advanced technologies that provide an extra layer of security without solely relying on alphanumeric combinations. 
• Employee Security Awareness Training: Employees must be educated about social engineering tactics such as phishing, where attackers deceive individuals into disclosing sensitive information. They should also be trained in cybersecurity best practices, such as verifying the authenticity of emails and avoiding clicking on suspicious links. 
• Network Segmentation: Isolating critical systems and networks helps contain the damage in case of a security breach. This means that if an attacker compromises one part of the network, they cannot easily access other, more sensitive areas. Additionally, strict controls should be implemented between different zones of the network to limit lateral movement by attackers. 
• Advanced Threat Protection Solutions: Organizations should deploy advanced security solutions capable of detecting and blocking sophisticated attacks. These include tools designed to continuously monitor endpoints such as computers, servers, and mobile devices, as well as Intrusion Prevention Systems (IPS) and threat intelligence solutions that can identify abnormal behavior and prevent real-time attacks.   

By implementing these measures, organizations can significantly improve their ability to defend against advanced tactics employed by groups like APT36 and other cyber threats.

Contact a TrustCloud expert and learn about our hacker-proof solutions.