ElizaRAT is a sophisticated Remote Access Trojan (RAT) used by the Pakistani-based cyber espionage group Transparent Tribe (APT36). Leveraging advanced techniques and cloud services like Google Drive, Slack, and Telegram for command and control, ElizaRAT poses a significant threat by evading traditional detection methods, enabling cybercriminals to gain unauthorized access to systems, exfiltrate data, and perform malicious activities.
ElizaRAT is a sophisticated Windows RAT used by the threat actor group known as Transparent Tribe or APT36, says Dr Shekhar Pawar.
A Remote Access Tool (RAT) is a type of software that allows users to remotely control and access devices, servers, and networks. This can be used for legitimate purposes, such as IT administrators troubleshooting issues on client computers without needing to be physically present. However, when used maliciously, it is often referred to as a Remote Access Trojan (RAT). Cybercriminals use these to gain unauthorised access to a user's system, allowing them to control the mouse and keyboard, access files, and monitor network activity.
ElizaRAT is a sophisticated Windows RAT used by the threat actor group known as Transparent Tribe or APT36. According to sources, this group is based in Pakistan. This cyber espionage group has been active since at least 2013 primarily targeting India and Afghanistan. It has been targeting Indian government organisations, diplomatic personnel, and military facilities.
First disclosed in September 2023, ElizaRAT has evolved significantly. It typically spreads through phishing emails containing malicious Control Panel (.CPL) files hosted on cloud services like Google Storage. The malware uses various cloud-based services such as Telegram, Google Drive, and Slack for command and control (C2) communications. ElizaRAT is known for its advanced evasion techniques and ability to maintain reliable C2 communication. It often drops decoy documents or videos to distract the user while it collects and exfiltrates data. Recent campaigns have shown continuous enhancements in its capabilities, including the introduction of a new stealer payload called "ApoloStealer".
There were three notable campaigns performed by this hacking group against India. During the first campaign, the hackers used Slack channels for command and control and introduced a new tool, ApoloStealer, which collects and exfiltrates desktop files. The second campaign, "Circle," launched in January 2024, featured enhanced detection evasion and relied on virtual private servers for communication, shifting away from cloud services. The third campaign used Google Drive for command and control while deploying specialised data-stealing payloads. ElizaRAT typically spreads via executable files linked to Google Storage, likely distributed through phishing attacks.
Why is ElizaRAT considered dangerous?
ElizaRAT has the ability to hide and perform malicious activities: by combining different methods, it effectively evades many traditional detection mechanisms, making it a persistent threat. Below are a few of its techniques:
1. Use of Cloud Services: By leveraging widely used cloud services like Google Drive, Telegram, and Slack for command and control (C2) communications, ElizaRAT blends its malicious traffic with legitimate network traffic, making it harder for security tools to detect.
2. Control Panel (.CPL) Files: ElizaRAT often spreads through malicious Control Panel files, which can be less scrutinised by antivirus programs compared to more common executable files.
3. Decoy Documents: The malware drops decoy documents or videos to distract the user while it operates in the background, reducing the likelihood of immediate detection.
4. Embedding Techniques: ElizaRAT uses techniques like embedding .NET and assembly modules within its payloads using tools like Costura, which can help it avoid detection by traditional signature-based antivirus software.
5. Local Data Storage: It uses SQLite databases to store collected data locally before exfiltration, which can help it avoid detection by network-based security tools.
6. Regular Updates: The malware is frequently updated with new variants and techniques, making it a moving target for antivirus software that relies on known signatures.
How to detect ElizaRAT?
1. Antivirus and Anti-Malware Scans: Use reputable antivirus and anti-malware software to perform a full system scan. Ensure your software is up-to-date to detect the latest threats.
2. Check for Unusual Activity: Monitor your system for unusual behavior such as unexpected network traffic, high CPU usage, or unknown processes running in the background.
3. Inspect Control Panel Files: Since ElizaRAT often uses malicious Control Panel (.CPL) files, check for any suspicious .CPL files in your system directories.
4. Network Monitoring: Use network monitoring tools to detect unusual outbound connections, especially to cloud services like Google Drive, Telegram, or Slack, which ElizaRAT uses for command and control (C2) communications.
5. Review Startup Items: Check your system’s startup items for any unfamiliar entries. ElizaRAT may create shortcuts or use scripts to ensure it runs on startup.
How to remove ElizaRAT?
1. Quarantine and Delete: If your antivirus software detects ElizaRAT, follow the prompts to quarantine and delete the infected files.
2. Manual Removal:
(i) Identify and Delete Malicious Files: Locate and delete any suspicious .CPL files or other malware-related files identified during the detection phase.
(ii) Remove Registry Entries: Use a registry editor to remove any registry entries created by ElizaRAT. Be cautious when editing the registry, as incorrect changes can harm your system.
3. Disconnect from the Network: Temporarily disconnect your system from the network to prevent further data exfiltration while you clean the infection.
4. Restore from Backup: If the infection is severe, consider restoring your system from a clean backup made before the infection occurred.
5. Reinstall Operating System: As a last resort, if the malware persists, you may need to perform a clean installation of your operating system. Ensure you back up important data before doing so.
Recommended activities to perform after removing ElizaRAT:
1. Update All Software: Ensure all your software, including the operating system, is up-to-date to patch any vulnerability.
2. Change Passwords: Change all your passwords, especially if you suspect they may have been compromised.
3. Enable Multi-Factor Authentication (MFA): Use MFA for an added layer of security on your accounts.
4. Educate Yourself and Others: Stay informed about the latest cybersecurity threats and educate others to prevent future infections.
Protecting your system from ElizaRAT involves a combination of proactive measures and best practices as below:
1. Email Vigilance: Be cautious with emails from unknown senders, especially those containing attachments or links. ElizaRAT often spreads through phishing emails with malicious attachments.
2. Update Software: Regularly update your operating system, antivirus software, and all applications. This helps patch vulnerabilities that malware like ElizaRAT can exploit.
3. Use Antivirus and Anti-Malware Tools: Ensure you have reputable antivirus and anti-malware software installed and keep it updated. These tools can detect and block malicious files before they cause harm.
4. Enable Firewalls: Use a firewall to monitor incoming and outgoing network traffic. This can help block unauthorised access and suspicious activities.
5. Educate Yourself and Others: Awareness is key. Educate yourself and others about the signs of phishing and other social engineering attacks. This can significantly reduce the risk of falling victim to such tactics.
6. Regular Backups: Regularly backup important data to an external drive or cloud storage. This ensures you can recover your data in case of an infection.
7. Use Strong, Unique Passwords: Use strong, unique passwords for all your accounts and change them regularly. Consider using a password manager to keep track of them.
8. Monitor Network Activity: Keep an eye on your network activity for any unusual behavior. Tools like network monitoring software can help detect anomalies that might indicate a malware infection.
9. Implement a Better Cybersecurity Posture: It is highly recommended that an organisation adopt an existing cybersecurity standard or framework to protect its critical assets, including information. For example, depending on the need, ISO 27001, NIST, or the BDSLCCI framework for MSMEs can help.
Dr Shekhar Pawar is a DBA in the cybersecurity domain at SSBM, Switzerland. He has completed his executive management degree from SJMSOM, IIT Bombay, and engineering in electronics and telecommunications from Mumbai University. Some of his skills and certifications include Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), ISO 27001 – Lead Auditor, PCI DSS Implementer, Diploma in Cyber Laws, Microsoft Certified Professional (MCP), Certified Blockchain Developer, Certified ATM for CMMi Assessment, DSP & Applications – IIT Madras, and Diploma in Industrial Electronics. He is also the author of the nonfiction book ‘Air Team Theory: Understanding 10 Types of Teammates and Best Practices to Succeed’. Currently he is working as Founder and CEO of SecureClaw Inc., USA, and GrassDew IT Solutions Pvt Ltd, Mumbai.
______________________________________________________________________________________________
For a deeper dive into the dynamic world of Industrial Automation and Robotic Process Automation (RPA), explore our comprehensive collection of articles and news covering cutting-edge technologies, robotics, PLC programming, SCADA systems, and the latest advancements in the Industrial Automation realm. Uncover valuable insights and stay abreast of industry trends by delving into the rest of our articles on Industrial Automation and RPA at www.industrialautomationindia.in