
APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware


Mar 27, 2025 | Ravie Lakshmanan | Mobile Security / Malware


An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system, as part of a campaign designed to infect both Windows and Android users in the country.

Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as Transparent Tribe.

The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file.


"When accessed from a desktop, the site delivers a malicious PDF file containing 'ClickFix' tactics," CYFIRMA said. "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentially compromising the system."

An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named "PMYLS," a likely reference to Pakistan's Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later, on November 20, 2024.

India Post Website

The PowerShell code is designed to download a next-stage payload from a remote server ("88.222.245[.]211") that is currently inactive.
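ClickFix relies on the victim typing a pasted command into the Win + R Run dialog, and Windows records what was typed there under the current user's RunMRU registry key. The script below is an added defensive example (not code from the article, from CYFIRMA, or from the campaign): it audits that key for Run-dialog history that looks like a pasted PowerShell one-liner, so an analyst or endpoint script can spot a ClickFix execution after the fact. The indicator lists, the two-tier scoring, and the `Get-RunMruEntries` / `Test-ClickFixIndicator` function names are choices made for this example; the RunMRU key path and its `MRUList` / `<command>\1` value layout are standard Windows behaviour.

```powershell
# Added defensive example: audit the Win+R (Run dialog) history for pasted
# ClickFix-style commands. Not code from the article or the campaign.
#
# Windows stores Run-dialog input under RunMRU: each entry is a value named
# with a single letter whose data is "<command>\1", and MRUList lists those
# letters with the most recent first.
$RunMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Indicator lists chosen for this example; tune to your environment.
# Launchers: interpreters a ClickFix lure typically asks the user to invoke.
$Launchers = @('powershell', 'pwsh', 'mshta', 'cmd.exe', 'cmd ', 'wscript', 'cscript')
# Behaviours: fragments typical of a hidden, downloading, self-evaluating one-liner.
$Behaviours = @('-enc', '-e ', '-w hidden', '-windowstyle', 'iex', 'invoke-expression',
                'downloadstring', 'invoke-webrequest', 'iwr ', 'curl ', 'http', 'bitsadmin')

function Get-RunMruEntries {
    # Returns one object per Run-dialog history entry, most recent first.
    if (-not (Test-Path $RunMru)) { return @() }
    $key   = Get-ItemProperty -Path $RunMru
    $order = [string]$key.MRUList                      # e.g. "cab": c is newest
    $entries = foreach ($ch in $order.ToCharArray()) {
        $raw = $key.PSObject.Properties[[string]$ch].Value
        if ($null -ne $raw) {
            [pscustomobject]@{
                Slot    = [string]$ch
                Command = ([string]$raw -replace '\\1$', '')   # strip trailing "\1"
            }
        }
    }
    return @($entries)
}

function Test-ClickFixIndicator {
    # Scores one Run-dialog command: a launcher is required to flag it at all,
    # and each behaviour fragment raises the score to reduce noise from
    # ordinary "powershell" or "cmd" launches by administrators.
    param([Parameter(Mandatory)][string]$Command)
    $lower         = $Command.ToLowerInvariant()
    $launcherHits  = @($Launchers  | Where-Object { $lower.Contains($_) })
    $behaviourHits = @($Behaviours | Where-Object { $lower.Contains($_) })
    [pscustomobject]@{
        Command   = $Command
        Launcher  = $launcherHits -join ','
        Behaviour = $behaviourHits -join ','
        Score     = $behaviourHits.Count
        Flagged   = ($launcherHits.Count -gt 0 -and $behaviourHits.Count -gt 0)
    }
}

# Report flagged entries; raise an alert or forward to the SIEM from here.
Get-RunMruEntries |
    ForEach-Object { Test-ClickFixIndicator -Command $_.Command } |
    Where-Object Flagged |
    Sort-Object Score -Descending |
    Format-List Command, Launcher, Behaviour, Score
```

Run it under the affected user's account (RunMRU lives in HKCU), or point `$RunMru` at a loaded NTUSER.DAT hive during forensic triage. Because the key only records what was submitted through the Run dialog, a hit is strong evidence that the user actually executed the pasted command; an empty result does not prove the opposite, since the MRU keeps only recent entries and some lures instruct users to paste into a terminal or the File Explorer address bar instead.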

Alternatively, when the same website is visited from an Android device, it urges users to install its mobile app for a "better experience." The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.


"The Android app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity, making it difficult for the user to locate and uninstall the app when they want to remove it," the company said. "The app also has a feature to force users to accept permissions if they are denied in the first instance."

The malicious app is also designed to run in the background continuously, even after a device restart, while explicitly seeking permission to ignore battery optimization.

"ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild," CYFIRMA said. "This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such techniques."
