Cisco Talos recently disclosed an ongoing campaign by the Transparent Tribe APT group, a Pakistan-based actor, against students and staff at several educational institutions across India.
Alongside its usual government and military targets, the group is now also hitting civilian users, which shows that the campaign's victim base is widening.
To compromise government and pseudo-government entities, the group relies on remote access trojans (RATs) such as:
- CrimsonRAT
- ObliqueRAT
- CapraRAT
Transparent Tribe is also tracked under the following names:
- APT36
- Operation C-Major
- PROJECTM
- Mythic Leopard
India's K7 Labs first reported targeted attacks on educational institutions and students in May 2022. Talos further assesses with high confidence that the group obtained its infrastructure from a Pakistani hosting provider, ZainHosting, and used it to deploy and operate the servers that delivered this campaign.
APT profile
- Group Name: Transparent Tribe
- Group Origin: Pakistan
- Target: Government and military personnel in India and Afghanistan
- Implants Used: CrimsonRAT, ObliqueRAT, CapraRAT
Infection chain
The campaign begins with a spear-phishing email that either attaches the malicious document (maldoc) directly or links to a remote location hosting it.
As in previous Transparent Tribe campaigns, the maldocs carry malicious VBA macros. When the macro runs, it extracts an archive embedded in the document.
It then unzips that archive and executes the file inside it, which is the CrimsonRAT implant.
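The macro-plus-embedded-archive pattern described above can be triaged statically without opening the document in Office. The script below is an added example, not Cisco Talos code or Transparent Tribe tooling; it assumes the maldoc is an OOXML macro-enabled document (a ZIP container with a `vbaProject.bin` part) and scans every part for an embedded ZIP archive and the executables it would drop. The sample document it builds is constructed for the demo, not a real lure.

```python
"""Static triage for the macro + embedded-archive maldoc pattern.

Added example, not Cisco Talos code or Transparent Tribe tooling. Assumption: the
maldoc is an OOXML macro-enabled document (.docm/.xlsm/.pptm), i.e. a ZIP container
whose parts can be read without opening Office. The sample document built below is
constructed for this demo and is not a real lure.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"           # local file header of a ZIP archive
VBA_PART_SUFFIX = "vbaproject.bin"  # OOXML part holding the VBA project (macros)
EXEC_EXT = (".exe", ".scr", ".dll", ".bat", ".vbs", ".js", ".ps1")

# Constructed stand-in for the dropped executable (the real campaign drops CrimsonRAT).
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"


def build_sample_maldoc(with_macro: bool = True, with_archive: bool = True) -> bytes:
    """Build an in-memory .docm mimicking the lure: VBA project + ZIP inside an OLE part."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("dropper.exe", FAKE_PAYLOAD)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; the CFB magic is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        if with_archive:
            # Embedded archive preceded by wrapper bytes, as OLE embeddings usually are.
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16 + inner.getvalue())
    return buf.getvalue()


def scan_maldoc(data: bytes) -> dict:
    """Inspect every part of the container; report macros, embedded archives and executables."""
    findings = {"has_macro": False, "embedded_archives": {}, "dropped_executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as container:
        for name in container.namelist():
            part = container.read(name)
            if name.lower().endswith(VBA_PART_SUFFIX):
                findings["has_macro"] = True
            offset = part.find(ZIP_MAGIC)
            if offset == -1:
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(part[offset:])) as inner:
                    members = inner.namelist()
            except zipfile.BadZipFile:
                continue  # stray "PK" bytes that are not a real archive
            findings["embedded_archives"][name] = members
            findings["dropped_executables"] += [m for m in members if m.lower().endswith(EXEC_EXT)]
    # The lure pattern from the text: a macro that unpacks an embedded archive and runs its contents.
    findings["suspicious"] = findings["has_macro"] and bool(findings["embedded_archives"])
    return findings


if __name__ == "__main__":
    print(scan_maldoc(build_sample_maldoc()))
```

A macro alone or an embedded archive alone is common in legitimate documents; the combination is the signal worth escalating, which is why `suspicious` requires both. The scan looks for the ZIP magic anywhere in each part rather than only at offset zero because OLE embeddings wrap the payload in their own header.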
CrimsonRAT is also known as:
- SEEDOOR
- Scarimson
CrimsonRAT is the group's staple implant. The attackers use it to maintain long-term access to victim networks and to exfiltrate data of interest to a remote server under their control.
Its modular architecture gives the attackers remote control over the infected machine, after which they can:
- Steal browser credentials
- Record keystrokes
- Capture screenshots
- Execute arbitrary commands
Transparent Tribe has been aggressively expanding its distribution channels, and with them its pool of victims, across the Indian subcontinent.
In this new campaign it also targets civilians, particularly people associated with educational institutions. Organizations facing such a motivated adversary must stay vigilant, because its tactics shift quickly in response to the changing environment.
Comprehensive, risk-based defense strategies give the best results in preventing such attacks.