Operation Ghazwa: Dissecting APT36's RAT
Overview
Operation C-Major (aka APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, Mythic Leopard, ProjectM, Storm-0156, TMP.Lapis, Transparent Tribe)
A group targeting the Indian Army and related assets in India, as well as activists and civil society in Pakistan. Trend Micro and others have attributed it to a Pakistani connection.
Technical Analysis
After getting the APK I went straight to AndroidManifest.xml to see which permissions it declares. It asks for ACCESS_FINE_LOCATION, READ_MEDIA_AUDIO/IMAGES/VIDEO, read and write access to storage, the camera, contacts and call logs, plus FOREGROUND_SERVICE with the location, camera and microphone service types and even FOREGROUND_SERVICE_MEDIA_PROJECTION for capturing screen contents, so that it can keep spying on the victim while the phone is in sleep mode by running continuously in the background. To keep that service alive it also asks for permission to ignore battery optimizations (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS). From this overview alone it is clearly a RAT, and the APK ships under the package name com.ghazwa.updates.
Figure 1: Dangerous Permissions
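The manifest triage described above, written out as a script. This is an added example, not code from the post or from the sample: it parses a decoded AndroidManifest.xml (the text XML apktool produces, not the binary AXML inside the APK), flags the permissions that matter for a surveillance RAT, and reads the foregroundServiceType of each declared service. The manifest below is constructed from the permissions the post lists; the .MEATIER service entry and the HIGH_RISK set are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace once parsed.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Triage set (my own, not an Android classification): permissions that together give a RAT
# location, audio, camera, contacts, messaging, storage and persistence capability.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.FOREGROUND_SERVICE_LOCATION",
    "android.permission.FOREGROUND_SERVICE_CAMERA",
    "android.permission.FOREGROUND_SERVICE_MICROPHONE",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}

# Constructed manifest modelled on the permissions the post lists. It is not the real
# com.ghazwa.updates manifest; the <service> entry is an assumption for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ghazwa.updates">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application>
        <service android:name=".MEATIER"
            android:foregroundServiceType="location|camera|microphone|mediaProjection"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, every declared permission, the HIGH_RISK subset,
    and the foregroundServiceType list of each <service> that declares one."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    services = {}
    for svc in root.iter("service"):
        fst = svc.get(ANDROID_NS + "foregroundServiceType")
        if fst:
            # A pipe-separated list; every type here needs a matching permission on API 34+.
            services[svc.get(ANDROID_NS + "name")] = fst.split("|")
    return {
        "package": root.get("package"),
        "permissions": perms,
        "flagged": sorted(p for p in perms if p in HIGH_RISK),
        "foreground_services": services,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for p in report["flagged"]:
        print("  !", p)
    for name, types in report["foreground_services"].items():
        print("  service", name, "->", ", ".join(types))
```

Run it on the manifest apktool decodes from the APK; the combination of a media-projection foreground service with the battery-optimization exemption is the part worth pulling into the report, since it is what lets the capture survive the screen going off.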
SYSINFO is the device fingerprinting and recon module. It collects the build version, IP, network information, device name, IMEI numbers, country code, operator name, SIM country code and SIM serial number, similar to what I analysed in AndroRAT.
Figure 2: Device fingerprinting and Recon
In SEITTING (yes, SEITTING, the typo is in the sample) I found the C2 configuration: the web URL https[:]//itcstore.org/blog/ghazwa_news[.]php, the server IP 93.127.136.237, which they tried to obscure by inserting underscores into the string and stripping them with a replace of "_" to "" at runtime, the server port 18525, and a version string S.M.0.3 whose meaning I could not determine. It also stores notifications and logs under the separate paths _DERTDFI and _DERTOG_.
Figure 3: C2 Config and settings
The SMLIST module sweeps the Android SMS database and extracts every message with the columns "_id", "thread_id", "address", "person", "date", "read", "body" and "type". It also tries to steal the sender's contact photo and sends the messages back in batches of 10. There is a flaw here: the photo lookup needs the contact ID, but the code passes the message's _id instead, so in most cases the lookup returns null and it only rarely finds a photo (and any hit it does get belongs to whichever contact happens to share that numeric ID, not to the sender).
Figure 4: SMS Exfiltration module
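To make the contact-photo bug concrete, here is an added example (not the sample's code and not data from a real device) that models the SMLIST batching over constructed SMS rows using the columns the post lists. It runs the lookup both ways: keyed by the message _id as shipped, and keyed by the person (contact ID) column as intended, and measures how often each finds a photo. The row values, the contact IDs and the extra contact 5 are all constructed for illustration.

```python
# Constructed rows shaped like the SMS provider columns the post lists, plus a constructed
# contact-photo table keyed by contact ID. None of this is data from a real device.
SMS_ROWS = [
    {
        "_id": i,
        "thread_id": 1 + i % 3,
        "address": "+9199900000%02d" % (i % 4),
        "person": 100 + i % 4,            # contact ID of the sender
        "date": 1700000000000 + i,
        "read": 1,
        "body": "message %d" % i,
        "type": 1 + i % 2,                # 1 = inbox, 2 = sent
    }
    for i in range(1, 26)
]

# Contacts 100..103 are the real senders; contact 5 exists only to show a false hit
# when a message _id collides with an unrelated contact ID.
CONTACT_PHOTOS = {
    100: b"PHOTO100", 101: b"PHOTO101", 102: b"PHOTO102", 103: b"PHOTO103",
    5: b"PHOTO5",
}


def photo_lookup_as_shipped(row):
    """What the sample does: keys the contact-photo lookup by the message's own _id."""
    return CONTACT_PHOTOS.get(row["_id"])


def photo_lookup_intended(row):
    """The intended behaviour: key the lookup by the 'person' (contact ID) column."""
    return CONTACT_PHOTOS.get(row["person"])


def build_batches(rows, lookup, size=10):
    """Attach a photo to every row with the given lookup, then split into batches of `size`."""
    tagged = [dict(r, photo=lookup(r)) for r in rows]
    return [tagged[i:i + size] for i in range(0, len(tagged), size)]


def photo_hit_rate(batches):
    """Fraction of exfiltrated messages that carry a photo at all."""
    msgs = [m for b in batches for m in b]
    return sum(1 for m in msgs if m["photo"] is not None) / len(msgs)


if __name__ == "__main__":
    shipped = build_batches(SMS_ROWS, photo_lookup_as_shipped)
    intended = build_batches(SMS_ROWS, photo_lookup_intended)
    print("batch sizes:", [len(b) for b in shipped])
    print("photo hit rate as shipped: %.2f" % photo_hit_rate(shipped))
    print("photo hit rate intended:   %.2f" % photo_hit_rate(intended))
    for m in shipped[0]:
        if m["photo"]:
            print("false hit: message _id", m["_id"], "from contact", m["person"],
                  "got", m["photo"])
```

With 25 messages the shipped lookup finds one photo, and it is the wrong one: message _id 5 was sent by contact 101 but receives contact 5's photo. Message IDs grow monotonically with the device's SMS history while contact IDs are a separate key space, so on a real device the overlap is incidental, which is why the author saw mostly null results.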
The WEBVIEW module loads the URL we found earlier in the C2 config inside the app. It serves a page of Ghazwa-e-Hind propaganda, and they tried to publish it under the legitimate name of ITC.
Figure 5: Loads a web URL for their propaganda
CONTLIST exfiltrates the victim's contact list, from starred contacts to the people he or she talked to recently, which can then be used for phishing attempts against other people in that list. It also logs the timestamps of call-log entries and sends the data back to the C2 server in batches of 10 contacts.
Figure 6: Exfiltrates Victim’s contact list
The GPSSERV module gets the victim's location from both the GPS and the network provider, and when the location changes it logs the change and sends the new location back to the attacker.
Figure 7: Exfiltrates the victim's GPS and network location
ADSFEAM is the mic recording module: the victim's device now acts as a bug that captures real-time audio and sends it to the attacker. It continuously reads audio chunks from the mic into a buffer and appends the raw bytes to a queue.
Figure 8: Records audio using mic
The DIRLIST module handles every directory and file operation, from reading and writing to listing. It can add files to storage, fetch the metadata of a file, recursively walk all directories and files, and send those listings back to the C2.
Figure 9: Directory and file operations
The main module that ties all of the independent modules above together is MEATIER. It handles everything described above and in addition receives commands from the C2 server, exfiltrates notifications and can even post a custom notification, captures the screen, and records video from both cameras through the PHOSERV module.
Figure 10: Combines all modules together
IOCs
- Web URL: https[:]//itcstore.org/blog/ghazwa_news[.]php
- C2 IP: 93.127.136.237
- C2 port: 18585
- Package: com.ghazwa.updates
Rule
I ran this rule against classes3.dex.
rule APT36_RAT_Ghazwa {
meta:
description = "Detects APT36 RAT for Android (Ghazwa)"
author = "0xSec"
date = "2026-02-11"
threat_actor = "Transparent Tribe (APT36)"
strings:
$class1 = "Lcom/ghazwa/updates/MEATIER;" ascii
$class2 = "Lcom/ghazwa/updates/SEITING;" ascii
$class3 = "Lcom/ghazwa/updates/ADSFEAM;" ascii
$class4 = "Lcom/ghazwa/updates/SMLISTS;" ascii
$class5 = "Lcom/ghazwa/updates/GPSSERV;" ascii
$class6 = "Lcom/ghazwa/updates/PHOSERV;" ascii
$class7 = "Lcom/ghazwa/updates/SYSINFO;" ascii
$tag1 = "smxslg=" ascii
$tag2 = "coxnta=" ascii
$tag3 = "exxcep=" ascii
$tag4 = "anxotifi=" ascii
$tag5 = "chxkperm=" ascii
$tag6 = "lgxps=" ascii
$tag7 = "lnxtwok=" ascii
$tag8 = "fixle=" ascii
$config1 = "9_3.12_7.13_6._237" ascii
$config2 = "https://itcstore.org/blog/ghazwa_news.php" ascii
$config3 = "S.M.0.3" ascii
condition:
1 of ($class*) and (1 of ($tag*) or 1 of ($config*))
}