A technical report published by Uptycs security earlier this week revealed that a Pakistan-based advanced persistent threat (APT) actor called Transparent Tribe attempted to deliver a Linux backdoor malware dubbed Poseidon on Indian government agency systems using a fake two-factor authentication tool.
The Poseidon malware gives the operator a bunch of functionalities including keylogging, screen recording, access to files and even remote administrative control over the infected system. It’s a second-stage payload malware that was being delivered using a fake version of the Kavach two-factor app used by Indian government agencies to provide secure access to email services.
The malicious app presents a genuine-looking login page, but as the user interacts with the page, the infectious payload is downloaded in the background and attempts to compromise the system. The infection starts off from an ELF malware sample — a Python executable that’s designed to fetch and install the Poseidon payload from a remote server.
As for the fake Kavach apps, they’re mostly distributed via fake phishing websites impersonating Indian government agencies. Additionally, Uptycs researchers discovered that the attack infrastructure used in the campaign, including malicious domains, is linked to earlier Transparent Tribe campaigns as well.
Overall, the consequences of such an attack can be rather severe. Additionally, since Transparent Tribe, also tracked as APT-36, is considered state-sponsored, it can directly escalate tensions between the two countries, which already have a long history of disputes.
APT-36 itself is known to have targeted various platforms, including Windows and Android, in the past, using fake websites and documents impersonating legitimate government organisations to trick users into either giving up their credentials or compromising their systems. That said, the discovery of Linux malware suggests the group is getting more capable and extending the range of platforms it targets. The group was previously also known for developing the Crimson RAT (remote access trojan) for cyber espionage operations.