APT36, a Pakistani cyber-espionage group, has just lately upgraded its arsenal with ElizaRAT, a complicated Home windows RAT that, initially detected in 2023, employs superior evasion ways and strong C2 capabilities to focus on Indian authorities companies, diplomatic personnel, and army installations.
The group leverages a number of platforms, together with Home windows, Linux, and Android, to broaden its assault floor as the newest ElizaRAT iterations introduce new deployment strategies, payloads, and infrastructure, making it a persistent and evolving risk to India’s essential infrastructure.
ElizaRAT, a malicious software program, leverages SlackAPI.dll, recognized by its MD5 hash 2b1101f9078646482eb1ae497d44104, to facilitate covert communication by Slack channels.
CPL information, generally related to Home windows settings, are exploited as a supply mechanism.
As soon as executed, the malware extracts delicate info from Userinfo.dll and transmits it to a distant server, which periodically checks for brand spanking new directions, enabling distant management over the compromised system.
It leverages Slack’s API for command and management by constantly polling a selected channel (C06BM9XTVAS) utilizing the ReceiveMsgsInList() operate and retrieving messages through the conversations.historical past endpoint.
By using a bot token and sufferer ID, it offers authentication and identification, and to challenge instructions, ElizaRAT employs the SendMsg() operate, posting messages to channel C06BWCMSF1S by the chat.postMessage endpoint.
The malware may also add stolen information utilizing the SendFile() operate and the information.add endpoint.
For file downloads, DownloadFile() retrieves information from URLs offered by the attacker and saves them on the compromised system, doubtless using HttpClient for safe communication with the obtain server.
The SlackAPI.dll file has been recognized as malicious by a number of safety distributors, which communicates with identified malicious IP addresses and displays behaviors related to the MITRE ATT&CK framework.
It’s doubtlessly linked to the ElizaRAT and ApoloStealer campaigns and leverages the rundll32.exe course of to execute malicious actions and persist on contaminated techniques.
Circle ElizaRAT, a brand new variant of ElizaRAT malware that emerged in January 2024, makes use of a dropper part for enhanced evasion, and by focusing on Indian techniques, it checks the time zone and shops sufferer information within the %appdatapercentCircleCpl folder.
This variant leverages a VPS for C2 communication, making detection tough, and retrieves the sufferer’s IP tackle and presumably downloads the SlackFiles.dll payload, suggesting a hyperlink between the Circle and Slack campaigns.
The circulatedrop.dll is a malicious payload related to the ElizaRAT malware, which leverages Google Cloud C2 to obtain instructions and obtain subsequent payloads from VPS servers.
Scheduled duties and rundll32.exe are used to hold out the execution of those payloads, that are disguised as authentic information reminiscent of SpotifyAB.dll or Spotify-news.dll.
Based on Reco, the marketing campaign makes use of a number of IP addresses, a few of that are flagged as malicious by quite a few safety distributors and are linked to identified vulnerabilities that exhibit aggressive exercise, notably on particular dates, suggesting focused assaults.