Transparent Tribe, an advanced persistent threat (APT) group, is an extremely prolific threat actor. Considered active since at least 2013, the group is also known as PROJECTM and MYTHIC LEOPARD. In a previous attack, the group was associated with IP addresses from Pakistan.
With its agenda of continuously conducting cyber-espionage campaigns against military and diplomatic entities worldwide, the group's malware reflects its relentless efforts to expand and update its spyware toolset for future operations.
Previously, the group has been linked to cyber-espionage against the Afghan government. More recently, the Transparent Tribe APT group has shifted its focus towards the Indian military. It also appears that the threat actor may have links to Pakistan.
Based on historical research data, the group primarily uses a malware family known as Crimson RAT for cyber espionage, along with other custom .NET malware and a Python-based RAT known as Peppy. Typically, the infection vector is a spear-phishing email with an attached malicious document that leads to the installation of the payload files.
Recently, the Cyble Research team spotted a new variant of the Crimson RAT in the wild. The campaign possibly leverages spear-phishing as the initial infection vector, using the following link to deliver the payload:
hxxps://email[.]gov[.]in[.]attachment[.]drive[.]servicesmail[.]site/files/Coast Guard HQ 10[.]rar
Upon closer inspection, the WHOIS information of the source domain pointed to a location in Atlanta, USA.
The file inside the RAR archive is a malicious .NET executable compiled with a PDF icon, which delivers the Crimson RAT onto the victim machine, as shown below. Interestingly, the compilation timestamp of the recent file shows a future date and time.
We suspect that this is an error and that the timestamp is supposed to read 2018-05-10.
Upon execution, the Coast Guard HQ 10.exe file displays embedded PDF files containing the telephone directory of the Coast Guard region (NW), as shown in the image below.
In the background, it drops an additional payload file called “rvlrarhsma.exe” in the path C:\ProgramData\Rellhars and executes it.
The payload file information is as follows:
Next, the Crimson RAT establishes persistence through a Run registry key so that the malware is loaded on every reboot, as demonstrated below.
The Crimson RAT can perform various spyware functions with improved data exfiltration capabilities, some of which are listed below.
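As an added example (not code from the Cyble post), the following Python helper shows how a defender can check Run-key persistence entries against the artifacts the report gives: the drop directory C:\ProgramData\Rellhars and the payload name rvlrarhsma.exe. It parses text in the shape of `reg query` output; the sample output, including the value name `Rellhars`, is constructed for illustration and is not taken from the report.

```python
"""
Added example (not from the Cyble post): flag Run-key persistence entries that
point into the dropped-payload location described in the report.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Artifacts taken from the report: the dropped payload directory and file name.
KNOWN_DROP_DIR = r"C:\ProgramData\Rellhars"
KNOWN_PAYLOAD = "rvlrarhsma.exe"

# Standard Windows logon-persistence Run keys (as printed by `reg query`).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class Finding:
    hive_key: str
    value_name: str
    command: str
    reason: str


# One `reg query` value line: "<name>    <REG_TYPE>    <data>"
_VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_reg_query(output: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) tuples from reg-query style text."""
    current_key = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("HK"):          # key header line, no indentation
            current_key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            yield current_key, m.group("name"), m.group("data")


def _exe_path(command: str) -> str:
    """Extract the executable path from a Run value (quoted, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def find_suspicious_run_entries(reg_output: str) -> List[Finding]:
    """Return Run entries that match the report's drop path or launch from ProgramData."""
    findings: List[Finding] = []
    for key, name, data in parse_reg_query(reg_output):
        if not any(key.lower().startswith(rk.lower()) for rk in RUN_KEYS):
            continue
        exe_l = _exe_path(data).lower()
        if exe_l.startswith(KNOWN_DROP_DIR.lower() + "\\") or exe_l.endswith("\\" + KNOWN_PAYLOAD):
            findings.append(Finding(key, name, data, "matches Crimson RAT drop path from report"))
        elif exe_l.startswith("c:\\programdata\\"):
            findings.append(Finding(key, name, data, "Run entry launches from user-writable ProgramData"))
    return findings


# Constructed sample in `reg query` format; the value name "Rellhars" is hypothetical.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Rellhars    REG_SZ    C:\ProgramData\Rellhars\rvlrarhsma.exe
"""

if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG_OUTPUT):
        print(f"[{f.reason}] {f.hive_key} :: {f.value_name} = {f.command}")
```

On a live host the input would come from `reg query <key>` for each Run key (or from a registry export collected by your EDR); the ProgramData heuristic will also surface legitimate software, so treat the exact drop-path match as the high-confidence signal.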
- Managing remote file systems
- Uploading or downloading files
- Capturing screenshots
- Performing audio surveillance using microphones
- Recording video streams from webcam devices
- Stealing files from removable media
- Executing arbitrary commands
- Recording keystrokes
- Stealing passwords saved in browsers
- Spreading across systems by infecting removable media
- Using server-side components to manage infected client machines
A screen capture module of the Crimson RAT is shown in the image below.
The data theft procedure lists all files stored on the device to find files of interest and sends them to the C2 server. The directories scanned for files of interest are highlighted below.
We have also observed hardcoded network ports and a list of numbers used to derive the C2 server's dynamic IP addresses in Crimson RAT, as depicted below.
As seen in previous attacks, a USBworm component is also present. The USBworm can steal files from removable drives and spread across systems by infecting removable media. The diagram below shows the module used to retrieve the USBworm component from the C2 server.
The Transparent Tribe APT group continues to target multiple regions, typically including Indian military and government personnel. The group is also known to keep its malware tools and techniques continuously evolving and upgraded to suit the nature of any cyber attack.
The Cyble Research team continuously monitors and harvests indicators and TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and protected proactively.
List of IOCs:
- Source URL: hxxps[:]//email.gov.in.attachment.drive.servicesmail.site/files/Coast%20Guard%20HQ%2010.rar
- ba1b8f8880d2cfd9795f9cdbac72de11 – Coast Guard HQ 10.rar
- C2 domain/IP: 18.104.22.168:8761 – Crimson C2
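As an added example (not code from the Cyble post), the Python below turns the indicators listed above into checks over three constructed record types: proxy requests, network connections and file digests. The log line formats and sample records are made up for illustration; the 32-hex-character hash is treated as MD5-length, which the report does not state explicitly.

```python
"""
Added example (not from the Cyble post): match constructed proxy, connection
and file-hash records against the indicators listed in the report.
"""
import re
from typing import Dict, List, Tuple

# Indicators as listed in the report, refanged for matching.
IOC_DOMAIN = "email.gov.in.attachment.drive.servicesmail.site"
IOC_C2 = ("18.104.22.168", 8761)
# Assumed to be an MD5 (32 hex chars); the report gives only the digest.
IOC_FILE_HASHES = {"ba1b8f8880d2cfd9795f9cdbac72de11": "Coast Guard HQ 10.rar"}


def refang(indicator: str) -> str:
    """Turn defanged notation (hxxps, [.] and [:]) back into a real URL/host."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[.]", ".").replace("[:]", ":"))


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL (port and path stripped)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


# Constructed log shapes (not a real product format); adapt the regexes to your sources.
# proxy: "<ts> <src_ip> <method> <url> <status>"
_PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
# conn:  "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
_CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")


def check_proxy(lines: List[str]) -> List[Tuple[str, str]]:
    """(source ip, url) for requests whose host is the delivery domain."""
    hits = []
    for line in lines:
        m = _PROXY_RE.match(line)
        if m and host_of(m.group("url")) == IOC_DOMAIN:
            hits.append((m.group("src"), m.group("url")))
    return hits


def check_connections(lines: List[str]) -> List[Tuple[str, str]]:
    """(source ip, dst:port) for connections to the listed C2 address and port."""
    hits = []
    for line in lines:
        m = _CONN_RE.match(line)
        if m and (m.group("dst"), int(m.group("dport"))) == IOC_C2:
            hits.append((m.group("src"), f"{m.group('dst')}:{m.group('dport')}"))
    return hits


def check_hashes(observed: Dict[str, str]) -> List[Tuple[str, str]]:
    """observed maps file path -> hex digest; returns (path, known file name) matches."""
    return [(path, IOC_FILE_HASHES[h.lower()])
            for path, h in observed.items() if h.lower() in IOC_FILE_HASHES]


# Constructed sample records (timestamps, internal IPs and paths are invented).
PROXY_SAMPLE = [
    "2020-05-11T09:14:02Z 10.0.0.17 GET https://email.gov.in.attachment.drive.servicesmail.site/files/Coast%20Guard%20HQ%2010.rar 200",
    "2020-05-11T09:15:10Z 10.0.0.17 GET https://www.example.org/index.html 200",
]
CONN_SAMPLE = [
    "2020-05-11T09:20:45Z 10.0.0.17:49812 -> 18.104.22.168:8761 tcp",
    "2020-05-11T09:21:00Z 10.0.0.23:50001 -> 18.104.22.168:443 tcp",
]
HASH_SAMPLE = {
    r"C:\Users\alice\Downloads\Coast Guard HQ 10.rar": "BA1B8F8880D2CFD9795F9CDBAC72DE11",
    r"C:\Users\alice\Downloads\notes.txt": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    print("proxy:", check_proxy(PROXY_SAMPLE))
    print("conn: ", check_connections(CONN_SAMPLE))
    print("hash: ", check_hashes(HASH_SAMPLE))
```

The connection check deliberately matches on the full address and port pair, since the report ties port 8761 to the Crimson C2; a match on the IP alone (as in the second sample connection) is left to analyst judgement rather than flagged automatically.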
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.