The Pakistan-based Advanced Persistent Threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
“Poseidon is a second-stage payload malware associated with Transparent Tribe,” Uptycs security researcher Tejaswini Sandapolla said in a technical report released this week.
“It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screenshots, uploading and downloading files, and administering the system remotely from various ways.”
Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a history of targeting Indian government organizations, military personnel, defense contractors, and educational institutions.
It has also repeatedly exploited trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy a variety of malware such as CrimsonRAT and LimePad to collect valuable information.
Another phishing campaign detected late last year took advantage of weaponized attachments to download malware designed to exfiltrate database files created by the Kavach application.
The latest set of attacks involves using a backdoored version of Kavach to target Linux users working for government agencies in India, indicating attempts by the threat actor to expand its attack spectrum beyond the Windows and Android ecosystems.
“When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them,” explained Sandapolla. “Meanwhile, the payload is downloaded in the background, compromising the user’s system.”
The starting point of the infections is an ELF malware sample, a compiled Python executable that is designed to retrieve the second stage Poseidon payload from a remote server.
The cybersecurity firm noted that fake Kavach apps are mostly distributed through rogue websites masquerading as legitimate Indian government sites, including www.ksboard[.]at and www.rodra[.]in.
Since social engineering is the primary attack vector used by Transparent Tribe, users working within the Indian government are advised to check URLs received in emails before opening them.
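A defender-side triage of the links in a received email, added here as an example and not taken from the Uptycs report or this page: it refangs URLs, flags the two rogue domains named above, and marks Kavach-themed hosts outside an assumed allowlist of Indian government suffixes (.gov.in, .nic.in) as lookalikes. The allowlist, the keyword list and the sample email are assumptions.

```python
import re
from urllib.parse import urlsplit

# Rogue domains named in the report quoted on this page, stored refanged.
KNOWN_ROGUE_DOMAINS = {"ksboard.at", "rodra.in"}
# Assumed allowlist of Indian government domain suffixes (illustrative, not from the page).
TRUSTED_SUFFIXES = (".gov.in", ".nic.in")
# Words a Kavach-themed lure is likely to borrow from the real service (assumed).
LURE_KEYWORDS = ("kavach", "gov")
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>]+|www\.[^\s<>]+", re.I)

def refang(text):
    """Turn defanged notation (hxxp://, example[.]com) back into a parseable URL."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")

def host_of(url):
    """Extract the lowercase hostname, tolerating URLs written without a scheme."""
    clean = refang(url)
    if "://" not in clean:
        clean = "http://" + clean
    return (urlsplit(clean).hostname or "").lower()

def classify_url(url):
    """Return 'known-malicious', 'trusted', 'lookalike' or 'unclassified' for one URL."""
    host = host_of(url)
    bare = host[4:] if host.startswith("www.") else host
    if bare in KNOWN_ROGUE_DOMAINS:
        return "known-malicious"
    if host.endswith(TRUSTED_SUFFIXES) or host in (s[1:] for s in TRUSTED_SUFFIXES):
        return "trusted"
    # A host that borrows the Kavach/government branding but sits outside the allowlist.
    tokens = re.split(r"[.\-]", host)
    if any(key in tok for tok in tokens for key in LURE_KEYWORDS):
        return "lookalike"
    return "unclassified"

def extract_urls(text):
    """Pull every URL (defanged or not) out of a block of email text."""
    return URL_RE.findall(text)

def triage_links(urls):
    return {u: classify_url(u) for u in urls}

# Constructed sample lure, not a real message from the campaign.
SAMPLE_EMAIL = """Dear officer, your Kavach app needs an urgent update.
Download: hxxps://www.ksboard[.]at/kavach/setup
Portal: https://kavach-update.example.net/login
Official site for reference: https://kavach.mail.gov.in/"""
```

Run `triage_links(extract_urls(SAMPLE_EMAIL))` to get a verdict per link; in practice the allowlist and keyword list would be maintained by the organisation rather than hard-coded.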
“The repercussions of this APT36 attack could be significant, resulting in the loss of sensitive information, compromised systems, financial loss and reputational damage,” said Sandapolla.
Recent reports have exposed a significant cyber security concern in the Asia Pacific region. Pakistani hackers have been using the open source Linux malware ‘Poseidon’ to target Indian government agencies. The malware contains spyware, backdoors and more, enabling hackers to potentially control infected computers from remote locations.
Ikaroa, a full stack technology company, is at the forefront of this rapidly evolving security landscape. We understand the importance of ensuring our clients’ sites, servers and networks are shielded from malware and other cyberattacks. Our security solutions focus on the current threat landscape, which means that we are constantly researching, developing and testing against the latest cyber threats.
Ikaroa’s security solutions are designed to immediately detect and alert on any malicious activity on your system. Our team of cybersecurity experts also monitors for any potential indicators of compromise that can lead to more advanced attacks. Our solutions can protect your confidential data from attackers and help you manage network resources more efficiently.
In this situation, Indian government agencies must ensure that their cyber security posture is up to date with the latest threats. As the use of Linux malware like Poseidon becomes more widespread, it is even more important for organizations to stay ahead of potential threats. Ikaroa’s security solutions are tailored to protect against sophisticated threats like the use of Linux malware ‘Poseidon’.
We urge Indian government agencies to make extra efforts to secure their data and systems, as well as to educate their employees about cyber security best practices. By using solutions from Ikaroa, organizations can detect malicious activity on their systems and combat the abuse of Linux malware ‘Poseidon’ targeted at government agencies.