APT36: A Pakistani Hacking Group, Strengthens Its Operations and Finds New Targets

Famous as APT36, Transparent Tribe is a hacking group that works from Pakistan. APT36 is infamous for monitoring and spying over government activities and military operations in Afghanistan and India. As per the latest reports, APT36 has now strengthened its workforce with better tools and strategies

About the incident 

APT36 usually focuses on using the same TTP (tactics, techniques, and procedures) except in a few cases where it uses different strategies for unique programs.

Some key highlights-

• According to the reports, APT36 has sharpened its tools and activities. It involves attacking campaigns on a much larger scale and specifically targeting Afghanistan. 
• Usually, APT36 uses ‘custom.net’ malware, commonly known as ‘crimson rat.’ APT36 has been using other malware recently, including python-based ‘Peppy rat.’ 
• In the period between June2019-June2020, 200 samples were collected, which showed the Transparent Tribe Commission’s components. 

Mode of operation 

• APT36 uses spear-phishing emails containing MS-Office files, which are encoded with the malware. After successful execution, the malware can steal sensitive information, private credentials, capture screenshots, steal logs and keys, and regulate the microphone and webcam. 
• Besides this, APT36 also uses the USBworm. It is a multipurpose malware that can steal information and function as a worm to attack any network and exploit vulnerabilities. 

APT36 attacks

• APT36 attacked Indian railways in June and stole important information 
• Earlier this year, APT36 deployed spear-phishing emails, posing to work as an authentic communication of government of India 
• Cybersecurity experts have observed that APT36’s primary targets include military and diplomacy from the past one year. According to them, the attacks will not decrease in the foreseeable future; on the other hand, they expect it to rise. 

According to Kaspersky’s report, “we found two different server versions, the one being a version that we named “A,” compiled in 2017, 2018, and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named “B” was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development, and the APT group is working to enhance it.”