Transparent Tribe, a Pakistan-based advanced persistent threat (APT) actor, has used a two-factor authentication (2FA) application deployed by Indian government entities as a lure to distribute a new Linux backdoor named “Poseidon”.
Poseidon is a backdoor that gives its operators a range of functions, including keylogging, file access, screen recording and remote administrative control.
It is a second-stage payload, distributed through a bogus version of the Kavach two-factor programme, which Indian government agencies use specifically to enable safe and secure email access.
According to Tejaswini Sandapolla of Uptycs, “Poseidon is a second-stage payload malware associated with Transparent Tribe.”
Sandapolla added that it is “a general-purpose backdoor that allows attackers with diverse capabilities to hijack an infected host. Its features include keystroke recording, screen grabs, file uploading and downloading, and remote system administration in a variety of ways.”
Transparent Tribe, also tracked as APT36, Operation C-Major, Mythic Leopard and PROJECTM, is regarded as a high-risk source of malware infections.
It has a history of attacking Indian government organisations, military personnel, defence contractors, and educational institutions.
It has routinely used trojanized versions of Kavach, the 2FA software mandated by the Indian government, to propagate malware such as Crimson RAT and LimePad and collect sensitive data.
Another phishing campaign last year used the same lure to deliver malware designed to exfiltrate database files created by the Kavach app.
The most recent attacks use a backdoored version of Kavach to target Linux users at Indian government organisations, indicating that the threat actor is widening the scope of its operations beyond the Windows and Android ecosystems.
“When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them,” Sandapolla says.
Meanwhile, “the payload is being downloaded in the background, potentially jeopardising the user’s system.”
The initial infection vector is an ELF malware sample: a compiled Python programme that retrieves the second-stage Poseidon payload from a remote server.
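A compiled Python programme shipped as a native ELF executable is unusual for a system binary, so one cheap triage check is to parse the ELF header and look for strings left behind by tools that bundle a Python interpreter. The script below is an added example written for this article, not code from Uptycs or from the Poseidon sample; the marker strings are general assumptions about Python freezing tools (the `_MEIPASS` and `pyi-runtime-tmpdir` strings are PyInstaller artefacts), and the sample files are constructed inline.

```python
"""Heuristic triage of ELF files that embed a Python runtime.
Added example; the marker strings are assumptions about common Python
freezing tools, not indicators taken from the Poseidon sample."""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"

# Strings typically left behind when a Python interpreter is bundled into a
# native executable.  Heuristic only: presence suggests embedded Python,
# absence proves nothing (strings may be stripped or packed).
PYTHON_MARKERS = (
    b"libpython",           # shared interpreter library name
    b"Py_Initialize",       # C-API symbol used by embedded interpreters
    b"_MEIPASS",            # PyInstaller bootloader environment variable
    b"pyi-runtime-tmpdir",  # PyInstaller runtime option string
)


def parse_elf_header(data: bytes) -> Optional[dict]:
    """Return basic ELF header fields, or None if data is not an ELF file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class = data[4]  # 1 = ELF32, 2 = ELF64
    ei_data = data[5]   # 1 = little endian, 2 = big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type (2 = executable, 3 = shared object/PIE) and e_machine sit at offset 16
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"bits": 32 if ei_class == 1 else 64, "type": e_type, "machine": e_machine}


def python_markers(data: bytes) -> list:
    """List the Python-runtime marker strings present in the file body."""
    return [m.decode() for m in PYTHON_MARKERS if m in data]


def triage(data: bytes) -> str:
    """Classify a file as not-elf, elf, or elf-embedded-python."""
    if parse_elf_header(data) is None:
        return "not-elf"
    return "elf-embedded-python" if python_markers(data) else "elf"


# --- constructed sample inputs (not real binaries) ---------------------------
def _elf64_header(e_type: int = 2, e_machine: int = 0x3E) -> bytes:
    # e_ident: magic, ELF64, little endian, version 1, padded to 16 bytes
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", e_type, e_machine)

SAMPLE_FROZEN = (_elf64_header() + b"\x00" * 32
                 + b"libpython3.10.so.1.0\x00Py_Initialize\x00_MEIPASS2\x00")
SAMPLE_PLAIN = _elf64_header() + b"\x00" * 32 + b"/lib64/ld-linux-x86-64.so.2\x00"
SAMPLE_TEXT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in (("frozen", SAMPLE_FROZEN), ("plain", SAMPLE_PLAIN), ("text", SAMPLE_TEXT)):
        print(f"{name}: {triage(blob)} {python_markers(blob)}")
```

In practice you would run `triage()` over files dropped into user-writable paths or over the binary behind a suspicious process, and treat an `elf-embedded-python` verdict as a prompt for closer analysis rather than as a conviction on its own.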
The security firm also found that rogue websites masquerading as legitimate Indian government sites are the primary mechanism by which the phoney Kavach apps are distributed.
Among these are ksboard[.]in and www.rodra[.]in.
Because social engineering is a primary attack vector for Transparent Tribe, users at Indian government organisations should verify URLs received in emails before opening them.
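The URL check recommended above can be partly automated at the mail gateway or help desk: extract every link from a message, compare its host against the defanged rogue domains published with this story, and flag anything that is not under a known government suffix. The script below is an added example written for this article, not code from Uptycs; the `.gov.in`/`.nic.in` allowlist is an assumption about where official services live, the sample message is constructed (with placeholder hosts), and the two rogue hosts are the ones named above, kept in defanged form.

```python
"""Flag e-mail links against a defanged rogue-domain list and a
government allowlist.  Added example; the allowlist suffixes and the
sample message are constructed assumptions."""
import re
from urllib.parse import urlsplit

# Defanged IoCs as published; kept defanged so the list is safe to share.
ROGUE_HOSTS_DEFANGED = ("ksboard[.]in", "www.rodra[.]in")

# Assumption: official Indian government services live under these suffixes.
GOV_SUFFIXES = (".gov.in", ".nic.in")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text: str) -> str:
    """Turn hxxp:// and [.] notation back into a parseable form."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def defang(host: str) -> str:
    """Make a host safe to paste into a report."""
    return host.replace(".", "[.]")


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading www. for comparison."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


ROGUE_HOSTS = {normalise_host(refang(h)) for h in ROGUE_HOSTS_DEFANGED}


def host_matches(host: str, names) -> bool:
    """True if host equals or is a subdomain of any name in names."""
    return any(host == n or host.endswith("." + n) for n in names)


def classify_host(host: str) -> str:
    """known-rogue beats government beats unverified."""
    host = normalise_host(host)
    if host_matches(host, ROGUE_HOSTS):
        return "known-rogue"
    if any(host.endswith(s) for s in GOV_SUFFIXES):
        return "government"
    return "unverified"


def check_links(body: str) -> list:
    """Return (defanged host, verdict) for every URL found in the message."""
    results = []
    for url in URL_RE.findall(refang(body)):
        host = normalise_host(urlsplit(url).hostname or "")
        results.append((defang(host), classify_host(host)))
    return results


# Constructed sample message: links are written defanged here so the example
# itself carries no live links; real mail would contain ordinary URLs.
SAMPLE_MAIL = """Kavach update notice
Update now: hxxps://www[.]rodra[.]in/kavach/update
Official portal: https://portal.gov.in/login  (placeholder host)
Alternate mirror: hxxp://ksboard[.]in/download
Help desk: https://helpdesk.example.org/ticket
"""

if __name__ == "__main__":
    for host, verdict in check_links(SAMPLE_MAIL):
        print(f"{verdict:13} {host}")
```

Anything that comes back `unverified` is not necessarily malicious, but it is exactly the set of links a user should inspect by hand before clicking; `known-rogue` hits are candidates for blocking at the gateway and for a retrospective search of mail logs.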
According to Sandapolla, “the ramifications of this APT36 attack could be significant, resulting in the loss of sensitive information, financial losses, compromised systems, and reputational damage.”