| Category | Details |
|---|---|
| Threat Actors | Transparent Tribe (APT36), Pakistan-based, active since at least 2013. Known for persistence and adaptability, primarily targets Indian government, defense, and education sectors through phishing, malware distribution, and credential harvesting. |
| Campaign Overview | The campaign involves using Mythic Poseidon binaries and Linux desktop entry files as C2 agents, targeting individuals in India. APT36 utilizes Mythic C2 servers to manage compromised systems, maintain persistence, and evade detection. |
| Target Regions (Or Victims) | India, particularly government officials, ministries, and defense sectors due to widespread use of Debian-based BOSS OS and the introduction of Maya OS. |
| Methodology | Using Linux desktop entry files disguised as PDFs, deploying Mythic Poseidon binaries for C2, leveraging infrastructure on DigitalOcean, JARM fingerprinting, HTML metadata analysis, phishing emails, and malware-hosting servers to compromise targets. |
| TTPs | Phishing, Linux desktop entry files, Mythic Poseidon binaries, JARM fingerprinting, SSH/HTTP services, leveraging open-source Mythic framework, crontab manipulation for persistence. |
| Indicators of Compromise | IP addresses (e.g., 143.198.64.151, 165.232.118.207), Mythic C2 servers running on DigitalOcean, Linux desktop entry files with md5 hash (e354cf4cc4177e019ad236f8b241ba3c), malicious binaries (e.g., trs-clip, debian-clip). |
| Attribution | Transparent Tribe (APT36), linked based on observed use of Mythic framework, targeted attack on Indian government officials, and Linux desktop entry files. |
| Recommendations | Block identified IPs and C2 servers, monitor for Linux desktop entry files with unusual attributes, enhance detection for Mythic framework activity, increase awareness of phishing campaigns targeting government officials, use JARM fingerprinting for infrastructure detection, enforce secure SSH and HTTP configurations, ensure proactive monitoring of DigitalOcean-hosted servers. |
Disclaimer: The above summary has been generated by an AI language model.
Leave a Reply