Elizarat

Malware updated 14 days ago (2024-11-11T15:01:51.026Z)
ElizaRAT, a malicious software first discovered in 2023, has been continuously tracked and analyzed by Check Point Research due to its persistent use in targeted cyberattacks. The malware is deployed by Transparent Tribe (also known as APT36), a cyber espionage group attributed to Pakistan, primarily against high-profile entities in India. ElizaRAT has evolved significantly over time, enhancing its evasion techniques and maintaining reliable command and control (C2) communication. This evolution reflects APT36's deliberate efforts to improve their malware for better detection evasion and effective targeting. The malware systematically abuses cloud-based services such as Telegram, Google Drive, and Slack for facilitating its C2 communications. It is often initiated by Windows Control Panel (CPL) files distributed through Google Storage links, presumably via phishing attempts. Over three campaigns from late 2023 to early 2024, the attackers used different variants of ElizaRAT to download specific second-stage payloads that automatically collect information. By the end of 2023, it became evident that ElizaRAT's execution methods, detection evasion, and C2 communication had all significantly evolved. The latest version of ElizaRAT, called Circle ElizaRAT, introduces a new stealer payload, ApoloStealer, on specific targets, marking a significant expansion of APT36’s malware arsenal. This development suggests that the group is adopting a more flexible, modular approach to payload deployment. What sets this iteration apart from previous versions is its continuous use of cloud services like Google Cloud for C2 communication. As of now, Check Point Research continues to monitor the activities of ElizaRAT closely, given its potential for significant disruption and damage.
Description last updated: 2024-11-11T14:41:38.513Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Malware
Dropper
Telegram
Windows
Phishing
Analyst Notes & Discussion
Associated Threat Actors
Alias: APT36
Description: The APT36 Threat Actor is associated with Elizarat. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco T
Association Type: Unspecified
Votes: 3
Source Document References
Information about the Elizarat Malware was read from the documents corpus below.