ElizaRAT Uses Google, Telegram, & Slack for C2 Communications



APT36, a Pakistan-based cyber-espionage group, now uses ElizaRAT, a Windows RAT with improved evasion and command-and-control (C2) features, to target Indian government entities, diplomats, and military personnel.

APT36 targets Windows, Linux, and Android to broaden its reach, and each ElizaRAT update has added new delivery methods, payloads, and infrastructure, making it a growing threat to India's critical systems.

All about ElizaRAT

ElizaRAT uses a component named SlackAPI.dll (MD5 2b1101f9078646482eb1ae497d44104) to establish a covert command channel over Slack.

By riding on Slack's Web API, the malware can receive commands and exfiltrate data as ordinary HTTPS requests to slack.com, blending in with the legitimate Slack traffic common in enterprise networks. This lets it pass network controls that allow Slack by default and helps it maintain persistence on compromised systems.

The malware is delivered through Control Panel (.cpl) files. A .cpl file is a DLL that Windows loads and executes when the user opens it, so the lure runs native code without a conventional .exe.

When executed, the payload collects sensitive host data through Userinfo.dll and sends it to a remote server, after which the attackers can control the system.

The malware uses Slack's API for command and control: it polls a specific channel (C06BM9XTVAS) with its ReceiveMsgsInList() function, which calls the conversations.history endpoint to fetch operator messages.

ElizaRAT authenticates to the Slack API with a bot token and identifies each infected host by a victim ID. It reports back to the operators through its SendMsg() function, which posts to channel C06BWCMSF1S using chat.postMessage.

Stolen files are uploaded by SendFile() through files.upload, while DownloadFile() retrieves files from attacker-supplied URLs, likely using .NET's HttpClient class, so all of this traffic is plain HTTPS.
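Because every one of these calls is an HTTPS request to slack.com, the network-side tell is not the destination but who is making the call and with what. The following is an added example, not code from the article or from the malware, that scans a constructed proxy log (pipe-separated fields: timestamp, host, process, HTTP verb, URL, user agent, Authorization header; the format, host names, and tokens are assumptions) for the three Slack API methods the article attributes to ElizaRAT and flags them when they come from a LOLBin such as rundll32.exe, carry a bot token (Slack bot tokens use the xoxb- prefix), or lack a browser or Slack-client user agent. The empty user agent on the rundll32 lines assumes .NET HttpClient's default of sending none.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Slack Web API methods the article attributes to ElizaRAT's SlackAPI.dll,
# mapped to the malware functions that call them.
SLACK_C2_METHODS = {
    "conversations.history": "ReceiveMsgsInList() polls the channel for commands",
    "chat.postMessage": "SendMsg() posts results back to the operators",
    "files.upload": "SendFile() exfiltrates stolen files",
}
# LOLBins that have no legitimate reason to call the Slack API directly.
SUSPECT_PROCESSES = {"rundll32.exe", "control.exe", "regsvr32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    process: str
    method: str
    reasons: tuple


def parse_line(line):
    """Parse one record of the (constructed) proxy format:
    ts|host|process|verb|url|user_agent|authorization"""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        return None
    return dict(zip(("ts", "host", "process", "verb", "url", "ua", "auth"), fields))


def analyze(rec):
    """Return a Finding if the record is a Slack API call that looks like C2, else None."""
    u = urlparse(rec["url"])
    if not (u.hostname or "").endswith("slack.com") or not u.path.startswith("/api/"):
        return None
    method = u.path[len("/api/"):]
    if method not in SLACK_C2_METHODS:
        return None
    reasons = []
    if rec["process"].lower() in SUSPECT_PROCESSES:
        reasons.append(f"{rec['process']} calling {method}")
    if "xoxb-" in rec["auth"]:            # Slack bot tokens carry the xoxb- prefix
        reasons.append("bot token presented from an endpoint")
    if not any(tag in rec["ua"] for tag in ("Slack", "Mozilla")):
        reasons.append(f"unexpected user agent {rec['ua']!r}")
    if not reasons:
        return None
    return Finding(rec["ts"], rec["host"], rec["process"], method, tuple(reasons))


def scan(lines):
    """Run analyze() over raw log lines and collect the findings in order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = analyze(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample traffic: one legitimate Slack desktop call, three calls from
# rundll32.exe matching the ElizaRAT sequence, and a browser hit on app.slack.com.
# Hosts, tokens and user agents are placeholders, not observed data.
SAMPLE_LOG = """\
2024-12-04T09:12:01Z|ws-041|slack.exe|POST|https://slack.com/api/conversations.history|Mozilla/5.0 Slack_SSB/4.36|Bearer xoxc-REDACTED
2024-12-04T09:12:05Z|ws-041|rundll32.exe|POST|https://slack.com/api/conversations.history?channel=C06BM9XTVAS||Bearer xoxb-REDACTED
2024-12-04T09:12:07Z|ws-041|rundll32.exe|POST|https://slack.com/api/chat.postMessage||Bearer xoxb-REDACTED
2024-12-04T09:12:09Z|ws-041|rundll32.exe|POST|https://slack.com/api/files.upload||Bearer xoxb-REDACTED
2024-12-04T09:13:00Z|ws-042|chrome.exe|GET|https://app.slack.com/client/T000/C06BM9XTVAS|Mozilla/5.0 Chrome/131|
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.ts, f.host, f.process, f.method, "->", "; ".join(f.reasons))
```

The legitimate desktop-client line is not flagged because none of the three indicators fire on it; a sanctioned bot running from a server would trip the token and user-agent checks, so in production the process and host criteria need an allow-list rather than being dropped.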

SlackAPI.dll is flagged as malicious by multiple security vendors, communicates with known malicious IPs, and exhibits behaviors mapped to MITRE ATT&CK techniques.

It is linked to both the ElizaRAT and ApoloStealer campaigns and is executed through rundll32.exe, which is also how it is kept running on infected systems.

Several IP addresses linked to ElizaRAT’s infrastructure include:

  • 84.247.135.235: Flagged as malicious by multiple vendors
  • 143.110.179.176: Marked as suspicious
  • 64.227.134.248: Tied to malicious DLLs
  • 38.54.84.83: Associated with Circle.dll and brute-force attempts
  • 83.171.248.67: Flagged as malicious and hosts vulnerable services

The Circle variant of ElizaRAT, seen in January 2024, is delivered by a dropper to improve evasion, targets Indian systems, and keeps its working files in %appdata%\CircleCpl. Rather than a cloud service it uses a VPS for C2, from which it retrieves C2 IP addresses, and it can download SlackFiles.dll, tying it to the Slack-based campaign.

Circulatedrop.dll, another ElizaRAT-linked component, uses Google Cloud as its C2 channel to receive commands and downloads payloads from VPS servers.

It is launched through scheduled tasks and rundll32.exe, with its files disguised under names such as SpotifyAB.dll or Spotify-news.dll.

Reco reports that the campaign relies on malicious IPs tied to known vulnerabilities and that its activity clusters around specific dates, pointing to aggressive, time-boxed operations.


Published December 4th, 2024 (2024-12-05T00:40:12+05:30) | BOTNET, Compromised, Exploitation, Internet Security, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security
