Pakistani Hackers Use Poseidon Linux Malware to Target Indian Government Agencies
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe is using a two-factor authentication (2FA) tool deployed by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
"Poseidon is a second-stage payload malware associated with Transparent Tribe," said Uptycs security researcher Tejaswini Sandapolla in a technical report published this week.
“It is a general-purpose backdoor that provides attackers with various capabilities to hijack infected hosts. Its functionality includes logging keystrokes, taking screenshots, uploading and downloading files, and remotely managing the system in various ways.”
Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.
It has also repeatedly leveraged a trojanized version of Kavach, India's government-mandated 2FA software, to distribute various malware families, such as CrimsonRAT and LimePad, in order to gather valuable information.
Another phishing campaign detected late last year used a weaponized attachment to download malware designed to extract database files created by the Kavach application.
The latest series of attacks involves a backdoored version of Kavach aimed at Linux users working for Indian government agencies, demonstrating the threat actor's efforts to expand its attack surface beyond the Windows and Android ecosystems.
“When a user interacts with a malicious version of Kavach, the original login page is displayed to distract them,” explained Sandapolla. “Meanwhile, the payload is downloaded in the background, harming the user’s system.”
The initial point of infection is an ELF malware sample, a compiled Python executable engineered to fetch the second-stage Poseidon payload from a remote server.
The cybersecurity firm notes that the fake Kavach app is primarily distributed via malicious websites disguised as legitimate Government of India sites, including www.ksboard(.)in and www.rodra(.)in.
With social engineering as the main attack vector used by Transparent Tribe, users working within the Indian government are advised to double-check URLs received in emails before opening them.
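Because lookalike domains are the entry point in this campaign, a mail-security team will want an automated first pass over inbound messages rather than relying on users alone. The script below is an added example, not tooling from Uptycs or from the report: it pulls URLs out of an email body, undoes common defanging (hxxp, (.), [.]), and flags any link that mentions Kavach but is not hosted under an allowlist of official suffixes. The allowlist (gov.in and nic.in) is an assumption for this example, not something the page states, and the sample message is constructed, reusing only the two lookalike domains named above.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body. The two lookalike domains are the ones named in
# the Uptycs report (written defanged, as an analyst would paste them); the
# gov.in link is an assumed "official" reference for contrast.
SAMPLE_EMAIL = """
Dear Officer,
Please update Kavach here: hxxp://www.ksboard(.)in/kavach/download
Backup link: https://www.rodra.in/Kavach-Setup
Official portal (for reference): https://kavach.mail.gov.in/
"""

# ASSUMPTION for this example: legitimate Indian government services live under
# these suffixes. Tune for your own environment.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")

# A URL that mentions the app but is not on a trusted host is the lure pattern
# described in the article.
LURE_KEYWORDS = ("kavach",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text: str) -> str:
    """Undo common defanging so URLs can be parsed normally."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("(.)", ".")
                .replace("[.]", "."))


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL in the (refanged) text, in order of appearance."""
    return URL_RE.findall(refang(text))


def is_trusted(host: str) -> bool:
    """True only if host is exactly a trusted suffix or a subdomain of one.

    The leading dot in the endswith check stops 'fakegov.in' from matching
    'gov.in', and a plain equality check is still needed for the apex itself.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify(url: str) -> tuple[str, str, str]:
    """Classify one URL as trusted, LOOKALIKE (lure keyword off-allowlist) or UNTRUSTED."""
    host = urlparse(url).hostname or ""
    if is_trusted(host):
        verdict = "trusted"
    elif any(k in url.lower() for k in LURE_KEYWORDS):
        verdict = "LOOKALIKE"
    else:
        verdict = "UNTRUSTED"
    return url, host, verdict


def triage(text: str) -> list[tuple[str, str, str]]:
    """Run classify() over every URL found in an email body."""
    return [classify(u) for u in extract_urls(text)]


if __name__ == "__main__":
    for url, host, verdict in triage(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:25} {url}")
```

The keyword check runs over the whole URL, not just the host, because both lookalike sites in the report put the app name in the path or filename rather than the domain. Anything that lands in LOOKALIKE is worth a block-and-notify rule; UNTRUSTED hits are a softer signal and would normally feed a reputation lookup instead.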
“The impact of these APT36 attacks can be significant, leading to loss of sensitive information, compromised systems, financial loss and reputational damage,” Sandapolla said.