The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021.
“This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users,” Cisco Talos said[1] in a report shared with The Hacker News.
Also tracked under the monikers APT36, Operation C-Major, PROJECTM, and Mythic Leopard, the Transparent Tribe actor is suspected[2] to be of Pakistani origin and is known to strike government entities and think tanks in India and Afghanistan with custom malware such as CrimsonRAT, ObliqueRAT, and CapraRAT.
But the targeting of educational institutions and students, first observed[3] by India-based K7 Labs in May 2022, indicates a deviation from the adversary’s typical focus.
“The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state,” Cisco Talos researchers told The Hacker News. “APTs will frequently target individuals at universities and technical research organizations in order to establish long-term access to siphon off data related to ongoing research projects.”
Attack chains documented by the cybersecurity firm involve delivering a malicious document (maldoc) to the targets, either as an attachment or as a link to a remote location, via a spear-phishing email, ultimately leading to the deployment of CrimsonRAT.
“This APT puts in a substantial effort towards social engineering their victims into infecting themselves,” the researchers said. “Transparent Tribe’s email lures try to appear as legitimate as possible with pertinent content to convince the targets into opening the maldocs or visiting the malicious links provided.”
CrimsonRAT[4], also known as SEEDOOR and Scarimson, functions[5] as the staple implant of choice for the threat actor to establish long-term access into victim networks as well as to exfiltrate data of interest to a remote server.
Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, steal browser credentials, record keystrokes, capture screenshots, and execute arbitrary commands.
What’s more, a number of these decoy documents are said to be hosted on education-themed domains (e.g., “studentsportal[.]co”) that were registered as early as June 2021, with the infrastructure operated by a Pakistani web hosting services provider named Zain Hosting.
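The domain above is published in defanged form (“[.]” in place of “.”) so it cannot be clicked by accident. A defender who wants to hunt for the lure links in their own mail store has to refang that indicator, pull the link targets out of message bodies, and match hosts against it without being fooled by look-alike or prefixed names. The following Python script is an added example written for this article, not code from Cisco Talos or The Hacker News; the only indicator it carries is the one named on the page, the sample email text is constructed, and the function and variable names are the author's own.

```python
import re
from urllib.parse import urlparse

# Indicator exactly as the article publishes it (defanged). Any further
# entries in a real deployment would come from the vendor's IoC list.
DEFANGED_IOC_DOMAINS = ["studentsportal[.]co"]

# Constructed sample message: one link to the reported domain, one benign
# link, and one look-alike host whose name merely contains the indicator.
SAMPLE_EMAIL = """Dear student,
Please complete the scholarship form at
http://www.studentsportal.co/notice/scholarship-form before Friday.
The official notice is at https://example.edu/notices/2022
(mirror: https://studentsportal.co.example.edu/notices/2022)
"""

URL_RE = re.compile(r"\bhttps?://[^\s<>\"')]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp://') back into a real domain or URL."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def defang(indicator: str) -> str:
    """Defang a domain or URL again before writing it into a report or ticket."""
    s = indicator.replace(".", "[.]")
    return re.sub(r"^http(s?)://", r"hxxp\1://", s)


def extract_hosts(text: str) -> list:
    """Return the lower-cased hostnames of every http(s) URL found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match only: 'a.b.ioc' matches, 'ioc.evil.tld' and
    'notioc' do not, which is what a naive substring check gets wrong."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_email(body: str, defanged_iocs: list) -> list:
    """Return (host, matched_ioc) pairs for every link host on the IoC list."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for host in extract_hosts(body):
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((host, ioc))
    return hits


if __name__ == "__main__":
    for host, ioc in scan_email(SAMPLE_EMAIL, DEFANGED_IOC_DOMAINS):
        # Report defanged so the finding is safe to paste into a ticket.
        print(f"link to {defang(host)} matches indicator {defang(ioc)}")
```

Matching on the registrable domain with a dot boundary is deliberate: a substring match would flag the mirror host in the sample (which merely embeds the indicator as a prefix) and would also miss nothing that the suffix rule catches, so the stricter rule gives fewer false positives at no cost in recall for this indicator.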
“The entire scope of Zain Hosting’s role in the Transparent Tribe organization is still unknown,” the researchers noted. “This is likely one of many third-parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.”
References
Read more https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html
