Transparent Tribe, a Pakistan-based advanced persistent threat (APT) actor, has used a trojanized copy of a two-factor authentication (2FA) tool employed by Indian government agencies to deliver a new Linux backdoor named Poseidon. According to Uptycs security researcher Tejaswini Sandapolla, Poseidon is a second-stage payload linked to Transparent Tribe that gives attackers a range of capabilities for hijacking an infected host.
Expanding the attack spectrum
Transparent Tribe, also known as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has a history of targeting Indian government organizations, military personnel, defense contractors, and educational entities. The group has repeatedly leveraged trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy various malware such as CrimsonRAT and LimePad for harvesting valuable information.
In the latest series of attacks, a backdoored version of Kavach targets Linux users working for Indian government agencies. This signifies the threat actor’s attempt to broaden its attack spectrum beyond Windows and Android ecosystems. Sandapolla explains that when a user interacts with the malicious version of Kavach, the genuine login page is displayed as a distraction, while the payload is downloaded in the background, compromising the user’s system.
The infection process starts with an ELF malware sample, a compiled Python executable designed to retrieve the second-stage Poseidon payload from a remote server. Cybersecurity firm Uptycs notes that the fake Kavach apps are primarily distributed through rogue websites masquerading as legitimate Indian government sites, such as www.ksboard[.]in and www.rodra[.]in.
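The first stage described above is an ELF file that is really a compiled (PyInstaller-style) Python program. That packaging leaves a recognisable footprint: PyInstaller appends a CArchive to its bootloader, and the archive ends with an 88-byte cookie that opens with the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e`. The triage script below is an added example, not code from Uptycs or from the page, and the binary it inspects is a constructed stand-in built inline (no real malware, no hashes from the report). It assumes the PyInstaller 2.1+ cookie layout `!8sIIii64s` and uses that to flag ELF files that embed a Python archive, which is a cheap first filter when hunting for droppers of this kind.

```python
import struct
from typing import Optional

# PyInstaller (>= 2.1) appends a CArchive whose last 88 bytes are a "cookie"
# opening with this magic. On Linux the archive may instead sit in a 'pydata'
# ELF section, so we search for the magic rather than assume it ends the file.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length (incl. cookie), TOC offset, TOC length, Python version, pylib name
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_LENGTH = struct.calcsize(COOKIE_FORMAT)  # 88
ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF identification bytes."""
    return data[:4] == ELF_MAGIC


def decode_pyver(raw: int) -> str:
    """PyInstaller stores major*100+minor (newer) or major*10+minor (older builds)."""
    if raw >= 100:
        return f"{raw // 100}.{raw % 100}"
    return f"{raw // 10}.{raw % 10}"


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Locate the last PyInstaller cookie in data and parse its fields, or None."""
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx < 0 or idx + COOKIE_LENGTH > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[idx : idx + COOKIE_LENGTH]
    )
    # Sanity check: the table of contents must fit inside the package the cookie describes.
    if toc_off + toc_len > pkg_len:
        return None
    return {
        "cookie_offset": idx,
        "package_start": idx + COOKIE_LENGTH - pkg_len,  # archive begins pkg_len bytes before cookie end
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_pyver(pyver),
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def classify(data: bytes) -> str:
    """Triage label: 'not-elf', 'elf', or 'elf-pyinstaller'."""
    if not is_elf(data):
        return "not-elf"
    return "elf-pyinstaller" if find_pyinstaller_cookie(data) else "elf"


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-packed Linux binary (hypothetical, not real malware)."""
    e_ident = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9   # 64-bit, little-endian, SysV ABI
    bootloader = e_ident + b"\x00" * 240                 # 256-byte fake bootloader body
    package = b"\xaa" * 220 + b"\xbb" * 80               # fake archive: 220 bytes of entries + 80-byte TOC
    cookie = struct.pack(
        COOKIE_FORMAT,
        PYINSTALLER_MAGIC,
        len(package) + COOKIE_LENGTH,  # package length counts the cookie itself
        220,                           # TOC offset, relative to package start
        80,                            # TOC length
        310,                           # Python 3.10 in the newer encoding
        b"libpython3.10.so.1.0",
    )
    return bootloader + package + cookie


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), find_pyinstaller_cookie(sample))
```

Treat a hit as a reason to look closer, not as a verdict: plenty of legitimate Linux tooling ships as PyInstaller bundles, and a dropper built with cx_Freeze, Nuitka, or a stripped custom loader will not carry this cookie at all. Once a cookie is found, the `package_start` and TOC fields are what an extractor such as pyinstxtractor uses to pull out the embedded scripts for further analysis.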
Users working within the Indian government are advised to double-check URLs received in emails before opening them, as social engineering remains Transparent Tribe’s primary attack vector. Sandapolla warns that the consequences of these APT36 attacks could be significant, leading to the loss of sensitive information, compromised systems, financial losses, and reputational damage.