ElizaRAT, a sophisticated Remote Access Trojan (RAT) for Windows developed by the APT36 group, also referred to as Transparent Tribe, is making waves in the cybersecurity community. This notorious Pakistani threat actor group, known for targeting Indian government agencies, diplomatic personnel, and military installations, has now expanded its reach beyond Windows to Linux and Android systems.
Advanced Capabilities of ElizaRAT
First discovered in 2023, ElizaRAT showcases various advanced capabilities indicative of its high-level design and dangerous potential. Written in .NET with embedded .NET and assembly modules, it uses .CPL (Control Panel item) files for execution and evasion, and leverages cloud services such as Google, Telegram, and Slack for distribution and command-and-control (C2) communication. Among its other features, ElizaRAT deploys decoy documents or videos, uses the Windows Script Host IWshShell interface for persistence, uses SQLite for temporary file storage, and generates and stores a unique victim ID.
Key Campaigns Involving ElizaRAT
Three key campaigns have been identified involving ElizaRAT: Slack, Circle, and Google Drive.
Slack Campaign
The Slack campaign employs SlackAPI.dll for its core functions and delivers the malware using CPL files. The implant polls for new instructions every 60 seconds, sending and receiving messages through specific Slack channels. Because this traffic terminates at Slack's own infrastructure, it blends in with legitimate Slack usage and is harder to detect.
Circle Campaign
Launched in January 2024, the Circle campaign introduces improved evasion techniques and a dropper component. Instead of cloud services, it uses a Virtual Private Server (VPS), and it checks that the victim's time zone is Indian Standard Time to confirm the machine is in the intended region. It records victim information in specific files and communicates with a dedicated server for data exfiltration. This approach improves its stealth and its effectiveness in data theft operations.
Google Drive Campaign
In the Google Drive campaign, ElizaRAT uses Google Cloud for C2 communication and downloads payloads from multiple VPSs. The Trojan uses the extensionhelper_64.dll and ConnectX.dll payloads, which are renamed to mimic legitimate software, for example as SpotifyAB.dll. Renaming the DLLs further obscures their presence, making it harder for security tooling to detect and respond to the threat.
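A renamed payload DLL still carries its compiler-set version resource, so one routine defensive check is to compare the on-disk file name of every loaded DLL with the OriginalFileName field that Sysmon Event ID 7 (ImageLoad) records, and to flag unsigned DLLs loaded from user-writable directories. The Python below is an added illustration written for this article, not code from the ElizaRAT analysis; the Sysmon records, the victim paths and the user-writable directory list are constructed assumptions, and the only names taken from the article are the payload file names.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields this check
# uses. Illustrative samples only, not telemetry from a real infection; the payload
# names SpotifyAB.dll, ConnectX.dll and extensionhelper_64.dll come from the article.
SAMPLE_IMAGE_LOADS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Spotify\Spotify.exe",
     "ImageLoaded": r"C:\Program Files\Spotify\libcef.dll",
     "OriginalFileName": "libcef.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "OriginalFileName": "SHELL32.DLL", "Signed": "true"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\SpotifyAB.dll",
     "OriginalFileName": "ConnectX.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\extensionhelper_64.dll",
     "OriginalFileName": "-", "Signed": "false"},
]

# Directory fragments treated as user-writable for this check (assumption; tune per environment).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def original_name_mismatch(record: Dict[str, str]) -> bool:
    """True when the PE's embedded OriginalFileName disagrees with the on-disk file name."""
    original = record.get("OriginalFileName", "-")
    if original in ("-", "?", ""):  # Sysmon writes '-' when the version resource is absent
        return False
    on_disk = ntpath.basename(record["ImageLoaded"])
    return on_disk.casefold() != original.casefold()


def loaded_from_user_writable_path(record: Dict[str, str]) -> bool:
    """True when the DLL sits under a directory a standard user can write to."""
    path = record["ImageLoaded"].casefold()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def triage_image_load(record: Dict[str, str]) -> List[str]:
    """Return the list of reasons a single ImageLoad record looks suspicious (empty if clean)."""
    reasons: List[str] = []
    if original_name_mismatch(record):
        reasons.append("on-disk name differs from embedded OriginalFileName")
    if record.get("Signed", "false").casefold() != "true" and loaded_from_user_writable_path(record):
        reasons.append("unsigned DLL loaded from user-writable path")
    return reasons


def find_suspicious_loads(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ImageLoaded, reasons) for every record that trips at least one check."""
    hits: List[Tuple[str, List[str]]] = []
    for record in records:
        reasons = triage_image_load(record)
        if reasons:
            hits.append((record["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious_loads(SAMPLE_IMAGE_LOADS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The OriginalFileName comparison is case-insensitive because Windows file names are, and a missing version resource is not itself treated as a mismatch; a DLL with no version information still surfaces through the unsigned-in-user-writable-path rule. Both checks are coarse and should be tuned against your own baseline of legitimate loads before being used for alerting.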
Infrastructure Analysis
The analysis of ElizaRAT’s infrastructure uncovered several IP addresses associated with its operations. Among these, some have been flagged as malicious or suspicious, including:
- 84.247.135.235
- 143.110.179.176
- 64.227.134.248
- 38.54.84.83
- 83.171.248.67
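Two of the points above translate directly into log-based detections: the addresses listed in this infrastructure analysis can be matched against outbound connection logs, and the Slack campaign's fixed 60-second check-in shows up as near-constant connection intervals to Slack from a process that has no business talking to Slack. The Python below is an added example for this article, not tooling from the original analysis; the key=value log format, the host names, the process names and the placeholder Slack address (203.0.113.10, from the documentation range) are constructed assumptions, and only the five IP addresses come from the list above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

# IP addresses from the infrastructure analysis above.
ELIZARAT_IOC_IPS = {
    "84.247.135.235",
    "143.110.179.176",
    "64.227.134.248",
    "38.54.84.83",
    "83.171.248.67",
}

# Constructed outbound-connection log (assumed key=value format), not real telemetry.
# WS01 shows a rundll32.exe process polling slack.com once a minute plus one contact
# with a listed address; WS02 shows ordinary, irregular use by the Slack client.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:00Z host=WS01 proc=rundll32.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:00:07Z host=WS02 proc=slack.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:01:00Z host=WS01 proc=rundll32.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:02:01Z host=WS01 proc=rundll32.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:02:30Z host=WS01 proc=rundll32.exe dst=84.247.135.235 dst_ip=84.247.135.235 dport=443
ts=2024-05-01T10:03:00Z host=WS01 proc=rundll32.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:04:00Z host=WS01 proc=rundll32.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:14:00Z host=WS02 proc=slack.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:14:20Z host=WS02 proc=slack.exe dst=slack.com dst_ip=203.0.113.10 dport=443
ts=2024-05-01T10:31:00Z host=WS02 proc=slack.exe dst=slack.com dst_ip=203.0.113.10 dport=443
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"dst_ip=(?P<dst_ip>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into one dict per connection; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def match_iocs(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, proc, dst_ip) for every connection to a listed ElizaRAT address."""
    return [(e["host"], e["proc"], e["dst_ip"]) for e in events if e["dst_ip"] in ELIZARAT_IOC_IPS]


def find_beacons(events: List[Dict[str, str]], period: float = 60.0,
                 tolerance: float = 5.0, min_connections: int = 4) -> List[Tuple[Tuple[str, str, str], float]]:
    """Return ((host, proc, dst), mean gap) for flows whose every inter-connection gap
    lies within `tolerance` seconds of `period`. Defaults model the 60-second check-in."""
    by_flow: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for e in events:
        stamp = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_flow[(e["host"], e["proc"], e["dst"])].append(stamp)

    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to call a cadence
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits.append((flow, round(mean(gaps), 1)))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for host, proc, ip in match_iocs(parsed):
        print(f"IOC hit: {host} {proc} -> {ip}")
    for (host, proc, dst), gap in find_beacons(parsed):
        print(f"beacon:  {host} {proc} -> {dst} every ~{gap}s")
```

The cadence check deliberately requires every gap to sit inside the tolerance window rather than just the average, so a user's bursty Slack client (seconds apart, then nothing for twenty minutes) does not average out to a false hit. In production you would also exclude processes expected to reach Slack and widen the tolerance slightly, since the 60-second figure in the campaign description is a polling interval, and network latency and scheduling will add jitter on top of it.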
Conclusion: An Evolving Cyberthreat
ElizaRAT is a sophisticated and highly advanced Remote Access Trojan (RAT) developed by the notorious APT36 group, also known as Transparent Tribe, a Pakistani threat actor group that has been making significant waves within the cybersecurity community. Known for its high-profile cyber espionage activities, APT36 has primarily targeted Indian government agencies, diplomatic personnel, and military installations, and with the development and deployment of ElizaRAT its capability to infiltrate and gather intelligence has become even more formidable. Originally focused on Windows systems, APT36's malicious activities have now expanded to other major platforms, including Linux and Android. This cross-platform versatility makes ElizaRAT a potent tool for APT36's cyber espionage missions and a significant, evolving threat to cybersecurity worldwide. The group's ability to develop and adapt such sophisticated tools underscores the persistent and growing challenge that cybersecurity professionals must address.