Apr 13, 2023Ravie Lakshmanan
The Transparent Tribe threat actor has been
linked to a set of weaponized Microsoft Office documents in attacks
targeting the Indian education sector using a continuously
maintained piece of malware called Crimson RAT.
While the suspected Pakistan-based threat group is known to
target military and government entities[1] in the country, the
activities have since expanded to include the education vertical[2].
The hacking group, also called APT36, Operation C-Major,
PROJECTM, and Mythic Leopard, has been active as far back as 2013.
Educational institutions have been at the receiving end of the
adversary’s attacks since late 2021.
“Crimson RAT is a consistent[3]
staple[4]
in the group’s malware arsenal[5]
the adversary uses in its campaigns,” SentinelOne researcher
Aleksandar Milenkoski said[6]
in a report shared with The Hacker News.
The malware has the functionality to exfiltrate files and system
data to an actor-controlled server. It’s also built with the
ability to capture screenshots, terminate running processes, and
download and execute additional payloads to log keystrokes and
steal browser credentials.
Last month, ESET attributed Transparent Tribe to a cyber espionage campaign[7] aimed at infecting
Indian and Pakistani Android users with a backdoor called
CapraRAT.
An analysis of Crimson RAT samples has revealed the presence of
the word “Wibemax,” corroborating a previous report[8]
from Fortinet. While the name matches that of a Pakistani software
development company, it’s not immediately clear if it shares any
direct connection to the threat actor.
That said, it bears noting that Transparent Tribe has in the
past leveraged infrastructure operated by a web hosting provider
called Zain Hosting[9]
in attacks targeting the Indian education sector.
The documents analyzed by SentinelOne bear education-themed
content and names like assignment or Assignment-no-10, and make use
of malicious macro code to launch the Crimson RAT. Another method
concerns the use of OLE embedding to stage the malware.
UPCOMING WEBINAR
Learn to Secure the Identity Perimeter – Proven Strategies
Improve your business security with our upcoming expert-led
cybersecurity webinar: Explore Identity Perimeter strategies!
Don’t Miss Out – Save Your Seat![10]
“Malicious documents that implement this technique require users
to double-click a document element,” Milenkoski explained. “These
documents distributed by Transparent Tribe typically display an
image (a ‘View Document’ graphic) indicating that the document
content is locked.”
This, in turn, tricks users into double-clicking the graphic to
view the content, thereby activating an OLE package that stores and
executes the Crimson RAT, masquerading as an update process.
Crimson RAT variants have also been observed to delay their
execution for a specific time period spanning anywhere between a
minute and four minutes, not to mention implement different
obfuscation techniques using tools like Crypto Obfuscator and
Eazfuscator.
“Transparent Tribe is a highly motivated and persistent threat
actor that regularly updates its malware arsenal, operational
playbook, and target,” Milenkoski said. “Transparent Tribe’s
constantly changing operational and targeting strategies require
constant vigilance to mitigate the threat posed by the group.”
Found this article interesting? Follow us on Twitter [11] and LinkedIn[12] to read more exclusive
content we post.
References
- ^
military
and government entities (thehackernews.com) - ^
education vertical
(thehackernews.com) - ^
consistent
(www.malwarebytes.com) - ^
staple
(www.zscaler.de) - ^
malware
arsenal (blog.cyble.com) - ^
said
(www.sentinelone.com) - ^
cyber
espionage campaign (thehackernews.com) - ^
previous
report (community.fortinet.com) - ^
Zain
Hosting (thehackernews.com) - ^
Don’t
Miss Out – Save Your Seat! (thehacker.news) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/04/pakistan-based-transparent-tribe.html
