ElizaRAT: Prevention, Mitigation & Recovery

ElizaRAT is a remote access trojan controlled by APT36, AKA Transparent Tribe. ElizaRAT has been used to target several high-profile entities in India and is most commonly distributed through phishing campaigns. Check Point has traced the distribution channels of ElizaRAT to Google, Slack, and Telegram primarily.

Request a Demo Read the 2025 Security Report

Quick Overview of ElizaRAT

ElizaRAT was first discovered in September of 2023 but has since evolved in scope and complexity.

Recent research demonstrates that early campaigns used a distinct ElizaRAT variant to those that are currently circulating. Written in .NET, ElizaRAT executes commands through Control Panel (.CPL) files. ElizaRAT aims to infect devices that belong to:

  • High-profile businesses
  • Government officials
  • Those in the defense and education sectors

In the vast majority of cases, the Telegram API is used for C2 communication. However, another prominent variant is stored as a Google Drive link, with file binaries ranging from around 4MB to 16MB.

How ElizaRAT Operates

There are four central phases that ElizaRAT moves through:

  1. Phishing and Infection: The initial infection of a device with ElizaRAT comes from phishing emails, with the RAT then downloading second-stage payloads to further infect the system and detect valuable data.
  2. Command-and-Control (C2): Malicious actors will use C2 to establish a line of communication with the infected device and begin to issue commands.
  3. Data Theft: Malicious actors will exfiltrate valuable data from company systems or from individual accounts, stealing credentials, financial details, or sensitive information.
  4. Obfuscation: ElizaRAT aims to stay active in infected systems for as long as possible. To achieve this, it deploys several self-modification and obfuscation tactics to remain hidden for as long as possible.

Campaign Connections

Transparent Tribe has launched several campaigns that make use of ElizaRAT over the past few years.

Slack Campaign

The first of these was a variant that primarily used Slack channels for C2 communication. This version was fortified by the additional deployment of the ApolloStealer payload. This version was then replaced by a new tactic, where APT36 would use a dropper to download and unpack compressed files that contained a new version of the ElizaRAT remote access trojan.

Google Drive Campaign

More recently, a campaign that uses Google Drive has been traced. This version utilizes malicious CPL files to drop ElizaRAT onto devices. Once within the data architecture, the trojan can construct a victim ID and establish a connection with the C2 server.

This most recent version also includes a USB stealer that can detect any external hard drives attached to a device and exfiltrate data from those.

Potential Payloads

While the main purpose of ElizaRAT is to exfiltrate data, its C2 connection means that it can execute a number of different payloads depending on the intentions of the malicious actor.

For example, ElizaRAT could deploy:

  • Spyware that takes screenshots of sensitive information and transfers it to a malicious actor.
  • Keyloggers that record account logins and passwords.
  • Ransomware to encrypt devices and leverage them to extort companies for money.

Especially considering that Transparent Tribe frequently targets high-value sectors and businesses, their ability to execute multiple payloads depending on the scenario is unsettling.

Who is Affected: Demographics & Geographic Distribution

The vast majority of cases that contain ElizaRAT are located within India. The Pakistani group APT36 has used this trojan to infiltrate government, military, and high-power enterprises within India, either holding documents for ransom or exfiltrating them for other purposes.

The recent ApolloStealer version of ElizaRAT allows malicious actors to more precisely comb through systems when searching for specific files, allowing the group to cause more severe problems for affected agencies.

The Most Effective Defensive Measures

There are a number of defensive measures that businesses can take to protect against ElizaRAT and other forms of malware:

  • Employ Endpoint Security: Endpoint security will actively monitor your devices and look for any irregularities. Constant vigilance over your endpoints will help to detect suspicious files and block them from downloading onto your device.
  • Teach Effective Cybersecurity Awareness: Like most malware, ElizaRAT typically arrives on a device due to a phishing email. By teaching employees what to look out for, you’ll be able to reduce the number of cyber events your company has.
  • Integrate Email Monitoring Tools: Implementing robust cyber tools that comb through emails before they enter an employee’s inbox can help to detect phishing scams before they arrive.

Top 3 Malware Removal Strategies

While preventing malware from entering a business ecosystem in the first place is always preferable, there may come a time when companies need to extract and remove malware that is living within their systems.

Here are a few strategies that you can use to remove malware:

  1. Isolate Your Systems: By isolating a device that has malware on it by disconnecting it from the wider system, you limit the access malware has. You can then work to remove malware from that device.
  2. Restore to Earlier Backups: One of the most effective ways to remove malware is to revert your systems to a previous version. While this will remove malware, you will also lose any changes to your company data since that period.
  3. Utilize Anti-Malware Tools: Leverage any anti-malware systems that your business has access to in order to scan and remove all traces of malware.

The earlier a company notices something wrong with their systems, the less time malicious actors will have to cause damage.

Protect Your Attack Surface with Check Point

The exfiltration of sensitive data is an extremely lucrative pursuit for malicious actors. Groups like APT36 will continuously work to improve their malware to:

  • Break into company systems
  • Locate valuable data
  • Exfiltrate it

Businesses need to constantly improve their existing cybersecurity systems to create robust and watertight defenses. Check Point offers Harmony Endpoint to monitor and protect digital devices across your company’s entire attack surface.

By identifying and neutralizing threats like ransomware, trojans, and malware before they become active, Harmony is able to offer an all-in-one protection solution for businesses. With extensive automation, Harmony Endpoint can work around the clock to keep your company safe. Get started today by requesting a demo.

Get Started

Cyber Security Report 

Harmony Endpoint Protection

Zero Trust Security

Advanced Network Threat Prevention

Related Topics

Remote Access Trojan

NanoCore RAT Malware

What is NJRat Malware?

Remcos Malware

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK