A technical report published by Uptycs earlier this week revealed that a Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe attempted to deliver a Linux backdoor dubbed Poseidon to Indian government agency systems using a fake two-factor authentication tool.

The Poseidon malware gives the operator a range of capabilities, including keylogging, screen recording, file access and even remote administrative control over the infected system. It is a second-stage payload that was being delivered through a fake version of Kavach, the two-factor authentication app used by Indian government agencies to provide secure access to email services.

The malicious app presents a genuine-looking login page, but as the user interacts with it, the payload is downloaded in the background and attempts to compromise the system. The infection starts with an ELF malware sample, a Python executable designed to fetch and install the Poseidon payload from a remote server.

As for the fake Kavach apps, they are mostly distributed via phishing websites impersonating Indian government agencies. Additionally, Uptycs researchers found that the attack infrastructure used in the campaign, including the malicious domains, is linked to earlier Transparent Tribe campaigns.