
Warning! Pakistani Hackers Target Indian Organizations with ElizaRAT Malware

The Hans India

Highlights

ElizaRAT malware enables Pakistani hackers to spy on Indian organizations, evading detection and posing severe security risks.


Cybersecurity experts are raising alarms about a recent surge in cyber-espionage activity targeting Indian organizations, led by Pakistani hackers using a new malware called ElizaRAT. This advanced malware, attributed to the hacker group Transparent Tribe (also known as APT36), is designed to covertly gather sensitive information from targeted computers in India, posing a substantial cybersecurity threat.

Researchers at Check Point, a leading cybersecurity firm, have been monitoring ElizaRAT since its appearance in September 2023. With each iteration, ElizaRAT has become more sophisticated and challenging to detect, employing advanced techniques to bypass security measures and remain concealed.

All About ElizaRAT

ElizaRAT is a form of malware—malicious software intended to take over a device without the user’s awareness. The malware is commonly distributed through phishing attacks, where unsuspecting users are tricked into clicking links or downloading seemingly harmless files. Often, these files are hosted on reputable cloud storage platforms like Google Drive, making them appear trustworthy. Once installed, ElizaRAT enables hackers to take control of the infected device remotely, establishing a covert channel for data exfiltration and espionage.

How Does ElizaRAT Operate?

Once ElizaRAT infects a device, it begins collecting data, monitoring user activity, and transmitting this information back to the hackers. Notably, the malware includes a check of the device’s time zone, verifying that it matches Indian Standard Time before proceeding with espionage tasks. This gating step highlights ElizaRAT’s specific focus on Indian organizations.

Transparent Tribe uses popular platforms like Google, Telegram, and Slack to communicate with infected devices, making the malware’s activity blend into regular internet traffic. This tactic complicates detection, as the malicious traffic appears legitimate. ElizaRAT has undergone multiple updates, each introducing new features to evade security systems:

- First Campaign: Initially, ElizaRAT leveraged Slack as its command-and-control (C2) channel, sending and receiving commands through the platform.

- Second Campaign: In a later iteration, the malware used a private virtual server for C2, increasing its stealth by moving away from mainstream platforms.

- Third Campaign: The latest version of ElizaRAT utilizes Google Drive for communication, allowing the hackers to upload additional data-gathering programs onto compromised devices. This approach capitalizes on the platform’s legitimate status to avoid raising security flags.
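The blending of C2 traffic into Slack, Google Drive and Telegram described above is what makes network detection hard. As an added illustration (not code from the article or from Check Point), the script below scans constructed proxy log lines and flags hosts that contact those platforms on a near-constant schedule, since a scheduled poll is evenly spaced while human use is bursty; the log format, domain suffixes and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Platforms the article names as ElizaRAT C2 channels; suffix list is an assumption.
CLOUD_C2_SUFFIXES = (".slack.com", "drive.google.com", "api.telegram.org")

def parse_proxy_line(line):
    # Constructed log format: '<date> <time> <src_host> <domain> <bytes>'
    parts = line.split()
    if len(parts) != 5:
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, parts[2], parts[3], int(parts[4])

def find_beacons(lines, min_events=5, max_jitter=0.15):
    """Return {(host, domain): (mean_interval_s, jitter)} for evenly spaced contacts.
    jitter = stdev/mean of the gaps between requests: a scheduled C2 poll is
    nearly constant, while a person using Drive or Slack produces bursty gaps."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and rec[2].endswith(CLOUD_C2_SUFFIXES):
            seen[(rec[1], rec[2])].append(rec[0])
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            hits[key] = (round(avg, 1), round(jitter, 3))
    return hits

# Constructed sample: WS-A polls api.slack.com every ~5 min (beacon-like),
# WS-B uses Drive interactively at irregular times (benign).
SAMPLE_LOG = """\
2024-11-05 09:00:00 WS-A api.slack.com 512
2024-11-05 09:05:01 WS-A api.slack.com 498
2024-11-05 09:10:00 WS-A api.slack.com 520
2024-11-05 09:14:59 WS-A api.slack.com 505
2024-11-05 09:20:00 WS-A api.slack.com 511
2024-11-05 09:00:12 WS-B drive.google.com 90231
2024-11-05 09:00:40 WS-B drive.google.com 4419
2024-11-05 09:31:05 WS-B drive.google.com 12002
2024-11-05 09:31:09 WS-B drive.google.com 2200
2024-11-05 10:45:33 WS-B drive.google.com 77000
""".splitlines()
```

On the sample, `find_beacons(SAMPLE_LOG)` reports only WS-A polling api.slack.com at a 300 s interval; the thresholds should be tuned against a baseline of the organization's own legitimate cloud traffic before use.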

Countermeasures and Security Efforts

To mitigate the risks posed by ElizaRAT, Check Point has developed a security solution called Threat Emulation. This technology screens all files entering a network by running them in a safe virtual environment. Any malicious behaviour triggers an alert, blocking the malware from reaching users and providing a sanitized version of the file instead.

In summary, ElizaRAT represents a sophisticated tool for Transparent Tribe’s espionage activities targeting Indian organizations. As the malware continues to evolve, security experts are racing to enhance defensive measures to safeguard sensitive data from these stealthy, persistent attacks.