APTs Escalate Identity-Based Attacks

Nation-state actors are ramping up identity-focused campaigns. APT36 has been observed deploying new "Vibeware" malware via credential phishing, while the Iran-nexus group Dust Specter is targeting Iraqi officials with its own malware. Both campaigns highlight a focus on exploiting user credentials and weak identity controls to bypass traditional defenses.

APT36, also known as Transparent Tribe, is using AI-assisted development to mass-produce malware implants, a practice dubbed "vibeware." Rather than refining a single implant, the group aims to overwhelm defenders with a high volume of disposable binaries, often logically flawed but functional, written in less common languages such as Nim, Zig, and Crystal so that they do not match existing detection signatures. Initial access typically comes through phishing emails carrying malicious links or attachments, commonly ZIP archives and ISO images with embedded LNK files. Targeting remains consistent: Indian government, military, and diplomatic entities, with lures tailored to regional politics and national security topics. To blend command-and-control traffic into normal network activity, APT36 abuses legitimate cloud services such as Discord, Google Sheets, and Slack.

The Iran-nexus group Dust Specter is running a multi-stage malware toolkit against Iraqi government officials, opening with messages that impersonate the Iraqi Ministry of Foreign Affairs. The chain uses previously undocumented tooling: the .NET-based dropper SPLITDROP deploys TWINTASK and the C2 orchestrator TWINTALK. Evasion measures include hosting payloads on compromised Iraqi government infrastructure, geofencing, and User-Agent verification before a C2 server will respond. Artifacts in the code, such as embedded emojis and unusual Unicode text, suggest generative AI was used in developing TWINTALK and GHOSTFORM, a more consolidated RAT.

For a Splunk engineer, detecting these identity-focused threats means correlating several data sources. Email security gateway logs come first, since they capture the initial phishing attempt. A baseline search such as `index=email (subject IN ("*password*", "*urgent*") OR attachment IN ("*.exe", "*.zip", "*.iso", "*.lnk")) | stats count by sender, recipient, subject` surfaces candidate lures (the `attachment` field name depends on the gateway's add-on). Refine it by correlating senders against threat intelligence feeds and flagging newly observed sending domains.

Both groups rely on living-off-the-land techniques, so monitoring for abuse of native utilities is critical. Splunk's "Living Off The Land" analytic story in Enterprise Security ships pre-built detections for this. The key signal is process creation (EventCode 4688 on Windows) with an unusual parent-child relationship, such as `winword.exe` spawning `powershell.exe`. Because 4688 records full image paths, match on the trailing file name, and keep the parent and child from the same event rather than aggregating them per host (a per-host `stats values()` would pair a Word parent and a PowerShell child that came from unrelated events): `index=winevents EventCode=4688 ParentProcessName="*winword.exe" NewProcessName="*powershell.exe" | stats count values(CommandLine) by host, ParentProcessName, NewProcessName`. Two prerequisites apply: the parent process name is only present in 4688 on Windows 10 and Server 2016 or later, and `CommandLine` is only populated when the "Include command line in process creation events" audit policy is enabled. Field names also vary with how the Windows add-on renders the event.

These detections support the DoD Zero Trust "User" pillar, which requires continuous verification of user identity and privilege. Splunk dashboards that visualize authentication patterns, remote access activity, and data access per user, for example through the Enterprise Security Identity Investigator dashboard, establish a baseline of normal behavior. Alerts on deviations from that baseline, such as logins from unusual geolocations or access to sensitive data outside normal working hours, put the "never trust, always verify" principle into practice.
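The two detections discussed above, the Office-to-script-host process creation check and the per-user login baseline, implemented as an added example over constructed sample events so the logic can be run offline. This is not code from the original briefing or from Splunk; the field names (`host`, `ParentProcessName`, `NewProcessName`, `user`, `src_country`, `_time`) and the 07:00 to 19:59 working-hours window are assumptions, and the events are made up.

```python
"""Added example (not from the briefing): process-tree and login-baseline
detections over constructed sample events.  Field names are assumptions;
the Splunk Add-on for Windows names 4688 fields differently."""
from collections import defaultdict
from datetime import datetime
import ntpath

# Office applications as parents and script hosts as children, by basename.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path):
    """4688 logs full image paths in mixed case; compare on lower-cased basename."""
    return ntpath.basename(path).lower()


def suspicious_process_events(events):
    """Per-event check: parent and child must come from the same 4688 record."""
    return [ev for ev in events
            if ev["EventCode"] == 4688
            and basename(ev["ParentProcessName"]) in OFFICE_PARENTS
            and basename(ev["NewProcessName"]) in SCRIPT_CHILDREN]


def per_host_values_match(events):
    """Mirrors `stats values(Parent) values(Child) by host | where ...`: a host
    matches if *some* event had a winword parent and *some* event had a
    powershell child, even when the two are unrelated (false positive)."""
    parents, children = defaultdict(set), defaultdict(set)
    for ev in events:
        parents[ev["host"]].add(basename(ev["ParentProcessName"]))
        children[ev["host"]].add(basename(ev["NewProcessName"]))
    return sorted(h for h in parents
                  if "winword.exe" in parents[h] and "powershell.exe" in children[h])


# Constructed 4688-style events (not real telemetry).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    # ws01: user opens a document, then Word spawns a hidden PowerShell.
    {"host": "ws01", "EventCode": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": WORD, "CommandLine": '"WINWORD.EXE" invite.docx'},
    {"host": "ws01", "EventCode": 4688, "ParentProcessName": WORD,
     "NewProcessName": PS, "CommandLine": "powershell.exe -nop -w hidden -enc <base64>"},
    # ws02: Word prints (splwow64) and, separately, a service runs PowerShell.
    {"host": "ws02", "EventCode": 4688, "ParentProcessName": WORD,
     "NewProcessName": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"host": "ws02", "EventCode": 4688, "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": PS, "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    # ws03: user launches PowerShell from the shell; nothing suspicious.
    {"host": "ws03", "EventCode": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": PS, "CommandLine": "powershell.exe"},
]


def build_login_baseline(auth_events):
    """Per-user baseline from historical logins: countries and hours seen."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in auth_events:
        base[ev["user"]]["countries"].add(ev["src_country"])
        base[ev["user"]]["hours"].add(datetime.fromisoformat(ev["_time"]).hour)
    return base


def login_deviations(baseline, events, work_hours=range(7, 20)):
    """Flag logins from a country the user has never used, or outside both the
    assumed working hours and the user's own observed hours."""
    alerts = []
    for ev in events:
        hour = datetime.fromisoformat(ev["_time"]).hour
        b = baseline.get(ev["user"])  # .get() does not create a default entry
        reasons = []
        if b is None:
            reasons.append("no_baseline")
        else:
            if ev["src_country"] not in b["countries"]:
                reasons.append("new_country")
            if hour not in work_hours and hour not in b["hours"]:
                reasons.append("off_hours")
        if reasons:
            alerts.append((ev["user"], ev["_time"], reasons))
    return alerts


BASELINE_LOGINS = [  # constructed history
    {"user": "alice", "_time": "2024-05-06T09:12:00", "src_country": "IN"},
    {"user": "alice", "_time": "2024-05-07T14:30:00", "src_country": "IN"},
    {"user": "alice", "_time": "2024-05-08T18:05:00", "src_country": "IN"},
    {"user": "bob", "_time": "2024-05-06T10:00:00", "src_country": "IN"},
]
NEW_LOGINS = [  # constructed day under review
    {"user": "alice", "_time": "2024-05-09T10:00:00", "src_country": "IN"},
    {"user": "alice", "_time": "2024-05-09T03:40:00", "src_country": "RU"},
    {"user": "bob", "_time": "2024-05-09T22:15:00", "src_country": "IN"},
    {"user": "carol", "_time": "2024-05-09T11:00:00", "src_country": "IN"},
]

if __name__ == "__main__":
    for ev in suspicious_process_events(PROCESS_EVENTS):
        print("process alert:", ev["host"], ev["CommandLine"])
    print("hosts matched by per-host values() logic:", per_host_values_match(PROCESS_EVENTS))
    for user, when, why in login_deviations(build_login_baseline(BASELINE_LOGINS), NEW_LOGINS):
        print("login alert:", user, when, why)
```

Running it shows the difference between the two process-tree approaches: the per-event check fires only on ws01, while the per-host aggregation also flags ws02, where Word printing and a service-launched PowerShell merely coexist. The login check alerts on alice's RU login at 03:40, bob's 22:15 login, and carol, who has no baseline at all and therefore needs an analyst decision rather than an automatic pass.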

Shared from Scout - Be the smartest in the room.