November 8, 2024
By Cybervergent Team

Transparent Tribe Strikes Again: The Rise of ElizaRAT and its Sneaky Cloud-Based Sidekick, ApoloStealer

Transparent Tribe, also known as APT36, has been playing a cat-and-mouse game for years, constantly upgrading its malware tools to slip past security. Their latest creations? ElizaRAT, a sneaky Remote Access Tool (RAT) that’s even harder to detect, and ApoloStealer, a cloud-savvy sidekick built to siphon sensitive data under the guise of harmless traffic. This dangerous duo isn’t just another piece of malware—it’s a masterclass in deception, using tools like Slack and Google Drive to blend right into the background of everyday work.

The Evolution of ElizaRAT: What’s Changed?

When ElizaRAT first popped up in 2023, it used Telegram channels to communicate with its controllers, but as time went on, it adapted. Today, ElizaRAT’s creators have expanded their playbook by embedding the malware in files disguised as Google Storage links, often delivered through spear-phishing. Imagine receiving a file that looks like a Google Drive link with a label like “Government Brief” or “Financial Report”; click on it, and boom, you’ve just installed ElizaRAT on your system.

This sneaky RAT has grown smarter in three main ways:

· Better Evasion – ElizaRAT hides better from security software.

· Cloud-Powered Communication – Leveraging cloud services like Slack to mask data exfiltration.

· Automated Info Gathering – Dropping decoy files as distractions while quietly collecting critical information in the background.

Slack Campaign: Malware with a Corporate Twist

In one recent operation, Transparent Tribe used Slack to set up secret channels for malware commands. Here’s how it works:

· The Hook: Victims receive a CPL (Control Panel) file, often labelled with something benign like “Annual Report.”

· The Sting: Once clicked, the file installs ElizaRAT, which starts logging victim information and checking whether the victim is located in India, confirming that it has reached its intended target.

· The Setup: A new “SlackAPI” directory is created on the victim’s device to manage stolen data and malware logs.

Now, each time ElizaRAT wants to check in with its C2 (Command and Control) server, it pretends to be a Slack bot! ElizaRAT pings Slack’s API for new commands every 60 seconds, performing actions like taking screenshots or downloading files directly to the attacker’s database.

Meet ApoloStealer, ElizaRAT’s Sidekick

ElizaRAT doesn’t just play solo; it’s backed by ApoloStealer, a data-hungry malware always on the prowl for juicy files. It snoops through directories like Desktop, OneDrive, and Downloads, hunting for anything valuable with extensions like .docx, .pdf, or .pptx. It even dives into USB drives plugged into the infected system, archiving these for later exfiltration.

How it Works:

· File Scout: ApoloStealer hunts for files like government documents or project reports.

· Database Store: Files are stored in an SQLite database.

· Stealth Transfer: Once it has enough, ApoloStealer quietly sends the info back to the hacker’s server, disguised as Slack or Google Drive traffic.

What’s Next? Transparent Tribe Takes on Google Drive

The malware keeps evolving, moving beyond Slack to Google Drive for C2 communications. Recent campaigns saw ElizaRAT’s creators craft decoy files like “Threat Alert” and “Government Notice,” which they seeded through phishing. Once inside, ElizaRAT’s Google Drive variant connects to Google Cloud using service account credentials, listing files and grabbing commands—its goal is simple: stay invisible.

Takeaways for Defense:

Beware of Phishing Links: Many ElizaRAT infections start with files disguised as something familiar or official. Even if it looks like a Google Drive or Slack link, be wary of unsolicited files.

Check Your Slack API Usage: If your organization doesn’t use Slack’s API, seeing unexpected traffic here could be a red flag.
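The 60-second check-in cadence described above is something a defender can actually hunt for: a host that polls a cloud API at a near-constant interval looks very different from a person using Slack or Google Drive. The script below is an added illustration, not code from the original post or from any vendor product. It reads a simplified web-proxy log (the line format, hostnames, the allowlist and the jitter thresholds are all assumptions chosen for this example; the sample log lines are constructed) and flags source hosts whose requests to Slack or Google Drive API hosts are spaced with a suspiciously regular period.

```python
"""Beacon detector for cloud-API C2 (Slack / Google Drive) over web-proxy logs.

Added illustration, not code from the original post or from any vendor tool.
Assumed (constructed) proxy log line format:
    <ISO8601 timestamp> <source_host> <destination_host> <url_path>
The 60-second polling cadence comes from the post; the API host list,
the allowlist and the thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Destinations the post names as abused for C2 (exact hostnames assumed).
CLOUD_API_HOSTS = {
    "slack.com": "Slack API",
    "www.googleapis.com": "Google Drive API",
}

# Hosts that legitimately automate against these APIs (assumed; tune per site).
ALLOWLISTED_SOURCES = {"ci-runner-01"}

# Beacon heuristic: at least MIN_REQUESTS requests whose spacing varies by no
# more than MAX_JITTER_SECONDS (population std-dev). Assumed values.
MIN_REQUESTS = 5
MAX_JITTER_SECONDS = 5.0

# Constructed sample log: ws-finance-07 polls Slack every ~60 s (beacon-like),
# ws-dev-03 uses Slack irregularly, ws-hr-02 has too few requests to judge,
# and ci-runner-01 polls Google APIs regularly but is allowlisted.
SAMPLE_LOG = """
2024-11-08T09:00:00Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:01:00Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:02:01Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:03:00Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:04:02Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:05:00Z ws-finance-07 slack.com /api/conversations.history
2024-11-08T09:00:00Z ws-dev-03 slack.com /api/conversations.list
2024-11-08T09:00:05Z ws-dev-03 slack.com /api/chat.postMessage
2024-11-08T09:02:30Z ws-dev-03 slack.com /api/conversations.history
2024-11-08T09:09:00Z ws-dev-03 slack.com /api/chat.postMessage
2024-11-08T09:09:01Z ws-dev-03 slack.com /api/conversations.history
2024-11-08T09:15:00Z ws-dev-03 slack.com /api/users.list
2024-11-08T09:00:10Z ws-hr-02 slack.com /api/conversations.list
2024-11-08T09:00:25Z ws-hr-02 slack.com /api/chat.postMessage
2024-11-08T09:07:40Z ws-hr-02 slack.com /api/conversations.history
2024-11-08T09:00:00Z ci-runner-01 www.googleapis.com /drive/v3/files
2024-11-08T09:01:00Z ci-runner-01 www.googleapis.com /drive/v3/files
2024-11-08T09:02:00Z ci-runner-01 www.googleapis.com /drive/v3/files
2024-11-08T09:03:00Z ci-runner-01 www.googleapis.com /drive/v3/files
2024-11-08T09:04:00Z ci-runner-01 www.googleapis.com /drive/v3/files
""".strip().splitlines()


def parse_line(line):
    """Split one proxy log line into (timestamp, source, destination, path)."""
    ts, src, dst, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, path


def find_beacons(lines):
    """Return one finding per (source, API) pair that polls with a fixed period."""
    series = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, _path = parse_line(line)
        if dst in CLOUD_API_HOSTS:
            series[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in series.items():
        if src in ALLOWLISTED_SOURCES or len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= MAX_JITTER_SECONDS:
            findings.append({
                "source": src,
                "service": CLOUD_API_HOSTS[dst],
                "period_seconds": round(median(gaps)),
                "requests": len(stamps),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['source']} polls {hit['service']} every ~{hit['period_seconds']}s "
              f"({hit['requests']} requests)")
```

On the constructed sample this reports only ws-finance-07, whose six Slack requests arrive about 60 seconds apart. The point of the allowlist is the one the post makes: if your organization has no legitimate Slack or Google Drive API automation, every source that trips this check deserves a look; if it does, keep the allowlist short and explicit so that a workstation quietly joining it stands out.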

Segment USB Access: ApoloStealer loves USB drives, so segment access to critical systems and educate users on safely handling external storage.

Implement Cloud Access Controls: Since ElizaRAT and ApoloStealer exploit cloud services for C2 communication, adopting a strict access control framework for cloud apps can reduce risk.