The Pakistan-based threat actor APT36 has significantly evolved its cyber-espionage capabilities with a new sophisticated campaign. This campaign specifically targets Indian defense personnel through weaponized ZIP files that are designed to compromise BOSS Linux systems. This development marks a notable shift in the group’s operational tactics from traditional Windows-based attacks to Linux-focused methods. These new attack methods exploit the widespread use of the BOSS Linux operating system within many Indian government agencies. This strategic change highlights the group’s adaptability and its focus on high-value government and military targets in India.
The attack campaign employs a multi-stage infiltration process that begins with carefully crafted phishing emails with ZIP attachments. Once extracted, the archive reveals a malicious .desktop file that is disguised as a cybersecurity advisory document. This Linux shortcut file contains sophisticated command sequences that are designed to execute silently without any user detection. The embedded Bash commands download a decoy presentation to distract the user while also downloading the primary malware payload. This payload, a malicious ELF binary named BOSS.elf, is saved locally and then executed for persistent background operation.
The Go-language-based malware demonstrates advanced capabilities across multiple different attack vectors,
making it a formidable threat. Static analysis of the malware reveals extensive reconnaissance functions, including system hostname identification and CPU and RAM profiling. The malware employs specific functions for activity logging and uses various evasion techniques to avoid being detected. Command and control operations establish persistent TCP connections to a server located at the IP address 101.99.92[.]182. The malware’s data collection capabilities include desktop screenshot capture and the exfiltration of files and other system information.
This new campaign aligns with multiple MITRE ATT&CK framework techniques, demonstrating the group’s sophisticated operational security measures.
These techniques include T1566 for Phishing and T1543 for creating or modifying a system process. Organizations that are utilizing BOSS Linux systems should immediately implement enhanced email filtering to block these malicious emails. They should also disable .desktop file execution from untrusted sources and deploy endpoint detection tools for Linux threats. This incident underscores the evolving nature of state-sponsored cyber-espionage and the need for robust and layered security defenses.
Reference:
