The cybersecurity analysts at Zscaler ThreatLabz have recently detected a new malicious version of a multi-factor-authentication (MFA) solution, known as Kavach, which has been exploited by the threat actors of Transparent Tribe (aka APT-36, C-Major, and Mythic Leopard) actively to target the Indian government agencies.
To distribute the malicious versions of Kavach MFA apps, the threat actors at Transparent Tribe ran multiple malvertising campaigns by exploiting Google advertisements.
It is believed that the Pakistani government is responsible for the APT-36 group. Users primarily working in government agencies in India are the target audience for this group.
Attack Targeting Indian Government Orgs
Similarly, this APT group has used rogue websites that appear to be official government portals in an attempt to harvest passwords from oblivious users.
A recent attack chain by the threat actor has not been the first incident in which Kavach has been targeted by the threat actor.
For users of email addresses with “@gov[.]in” and “@nic[.]in” domains, the Kavach MFA app is a mandatory app that they have to use to sign in to the email service, since this app work as an extra layer of security.
In order to activate the killchain, they frequently mimic the legitimate government, military, and related institutions, and it’s one their most used tactics. The threat actor is conducting a campaign at the moment, and there is no exception to that.
Threat actors mimicked the official website of the Kavach application with the help of several domains and hosted web pages that the threat actors consistently registered.
Under the Kavach-related keywords that are actively searched in India, the threat actors push their fake websites to the top of search results by exploiting the paid search feature of Google Ads.
Here below we have highlighted a few top keywords that are targeted by threat actors in their campaigns:-
- Kavach download
- Kavach app
A typical promotion lasts for about one month for each website before the attacker bounces to the next one, and this process is repeated several times.
Various applications are available for download through certain third-party application stores controlled by this threat group.
The website operated by the threat actors acts as a gateway since it redirects users to the .NET-based fraudulent installer, and they do so by pushing their website to the top Google search results.
Security analysts have also observed the use of an undocumented data exfiltration tool, LimePad. The Kavach app’s login page is spoofed by a domain that is registered by the operators of Transparent Tribe.
The unique feature of this web page is that it is only accessible to Indian users with Indian IP addresses. While if you are not an Indian user and visit this fake page, then it will redirect you to India’s National Informatics Centre homepage.
The credentials seized through this page are sent to a remote server and later these stolen credentials are used by the threat actors to launch further attacks.
There have been additional tools added to this group’s arsenal as they continue to evolve their TTPs and tools. When downloading applications from certain places other than official stores, users should exert caution and make sure they know what they are downloading.