Pakistani Hackers Deploy Linux Malware “Poseidon” to Target Indian Government Entities

April 19, 2023
Linux / Malware

The Pakistan-based advanced persistent threat (APT) group known as Transparent Tribe has exploited a two-factor authentication (2FA) tool utilized by Indian government agencies to introduce a new Linux backdoor dubbed Poseidon. According to Uptycs security researcher Tejaswini Sandapolla, “Poseidon serves as a second-stage malware payload linked to Transparent Tribe. It functions as a versatile backdoor, enabling attackers to perform a variety of malicious actions such as logging keystrokes, capturing screenshots, and managing system files remotely.” Transparent Tribe, also identified as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has a history of targeting Indian governmental bodies, military personnel, defense contractors, and educational institutions. This group frequently utilizes trojanized versions of legitimate software to carry out its attacks.

Pakistani Hackers Employ Linux Malware “Poseidon” to Compromise Indian Government Networks

On April 19, 2023, cybersecurity researchers reported that a prominent threat actor from Pakistan, known as Transparent Tribe, has utilized a fraudulent two-factor authentication (2FA) tool to deploy a sophisticated Linux backdoor named Poseidon. This malware is specifically designed to target various Indian government agencies, highlighting a concerning escalation in cyber warfare tactics within the region.

According to Tejaswini Sandapolla, a security researcher at Uptycs, Poseidon acts as a second-stage payload linked to Transparent Tribe, which has been previously identified by several aliases, including APT36, Operation C-Major, PROJECTM, and Mythic Leopard. This group has a well-documented history of launching attacks against Indian governmental bodies, military officials, defense contractors, and educational institutions, demonstrating a pattern of persistent focus on strategic entities within India.

Poseidon is characterized as a general-purpose backdoor malware, which grants attackers extensive capabilities for taking control of compromised systems. Its functionalities encompass keylogging, screen capture, file uploads and downloads, as well as remote administration of the infected host. These capabilities enable cybercriminals to execute a broad range of malicious activities, including data exfiltration and surveillance.

In the context of the MITRE ATT&CK framework, this attack exemplifies multiple adversarial tactics and techniques. The use of the 2FA tool suggests initial access leveraging social engineering or other deceptive methods aimed at evading standard cybersecurity defenses. Once access is obtained, the malware establishes persistence within the system, enabling the attackers to maintain control over the infected infrastructure. Furthermore, the potential for privilege escalation may arise as the attackers navigate through compromised systems, enhancing their capabilities and scope of operations.

As cyber threats become increasingly advanced and persistent, the incident underscores the critical importance for businesses and government entities to adopt comprehensive security measures. Understanding such breaches—as demonstrated through the techniques associated with the MITRE framework—can provide valuable insights for organizations seeking to bolster their defense against similar attacks in the future.

This incident not only poses immediate risks to the targeted Indian agencies but also serves as a warning to organizations across the globe about the ever-evolving strategies employed by threat actors. In a world where cyber threats know no borders, vigilance and proactive response strategies remain critical for safeguarding sensitive information and maintaining operational integrity.

Source link

Related Posts

Large-Scale Campaign Exploits Kubernetes RBAC for Cryptocurrency Mining

In a recently uncovered attack campaign, Kubernetes (K8s) Role-Based Access Control (RBAC) vulnerabilities have been exploited to establish backdoors and deploy cryptocurrency miners. Cloud security firm Aqua reported that attackers utilized DaemonSets to commandeer resources within targeted K8s clusters. Dubbed “RBAC Buster,” the campaign has reportedly infiltrated 60 unprotected K8s clusters. The attack began with the exploitation of a misconfigured API server, followed by a search for competing miner malware, and the establishment of persistence through RBAC adjustments. Aqua noted that the attacker created a new ClusterRole with almost admin-level permissions and set up a ‘ServiceAccount’ named ‘kube-controller’ in the ‘kube-system’ namespace.

Paperbug Exploit: New Politically-Driven Surveillance Initiative in Tajikistan

On April 27, 2023, a relatively obscure Russian-speaking cyber-espionage group has been identified as the orchestrator of a new politically motivated surveillance initiative targeting senior government officials, telecom services, and public infrastructure in Tajikistan. The operation, named Paperbug by the Swiss cybersecurity firm PRODAFT, has been linked to a threat actor known as Nomadic Octopus (also referred to as DustSquad). According to PRODAFT’s comprehensive technical report shared with The Hacker News, “The types of compromised machines range from individual computers to operational technology devices. These targets render ‘Operation Paperbug’ intelligence-driven.” While the ultimate motives behind the attacks are still uncertain, the cybersecurity firm has suggested the possibility of involvement from domestic opposition groups or an intelligence-gathering effort conducted by Russia or China. Nomadic Octopus first gained attention in October 2018.

Tonto Team Exploits Anti-Malware File to Attack South Korean Institutions

April 28, 2023
Malware / Cyber Threat

Recent attacks by the China-aligned threat actor known as the Tonto Team have targeted South Korean education, construction, diplomatic, and political institutions. The AhnLab Security Emergency Response Center (ASEC) reported that the group is utilizing a file associated with anti-malware products to carry out their malicious activities. Active since at least 2009, Tonto Team has a history of attacks across various sectors in Asia and Eastern Europe. Earlier this year, they were linked to an unsuccessful phishing attempt on the cybersecurity firm Group-IB. According to ASEC, the attack begins with a Microsoft Compiled HTML Help (.CHM) file that runs a binary to side-load a malicious DLL (slc.dll) and deploy the ReVBShell backdoor, an open-source VBScript tool also used by another Chinese threat actor, Tick.