The hacking group called Transparent Tribe is back with a fresh malware arsenal and a victim list that includes targets like India’s government and military, says a report. The advanced persistent threat (APT) organisation has been active in about 30 nations since at least 2013. Even so, the APT concentrates mainly on India and Afghanistan, aside from attacks on human rights activists in Pakistan.
Cybersecurity experts use the labels PROJECTM, APT36, and Mythic Leopard to monitor Transparent Tribe, which is suspected to be of Pakistani origin.
Kaspersky, the Russia-based cybersecurity company which has found itself in the middle of a geopolitical fight amid the Ukraine crisis, discovered in 2020 that the APT was behind persistent cyberattacks against government and military employees.
At the time, Trojans, backdoors, and a propagation tool called USBWorm were utilised, which stealthily copied dangerous code to detachable drives.
Transparent Tribe’s activities have been updated by Cisco Talos. In a blog post published this week, cybersecurity experts Asheer Malhotra, Justin Thattil, and Kendall McKay claimed that the Indian government and military had been targets of a campaign that has been continuing since at least June 2021.
In terms of modus operandi, Transparent Tribe distributes its malware, which is largely Windows-based, through phishing and rogue web domains. The false websites used to send payloads are designed to look like government or defence institutions, and they will serve visitors downloader executables disguised as friendly software, image files, or PDFs.
While previous themes have included Covid-19, the APT keeps up with the times and adapts to changing trends. A phoney version of Kavach, a multi-factor authentication (MFA) application, was included in the most recent samples, which were deployed in 2022.
The genuine Kavach app is widely used by India’s military for accessing government resources, according to Talos.
When a target runs the fake .NET program, it installs a real copy of the app together with a malware dropper. A second variant of this infection vector may draw more suspicion, because it pulls down the full MSI installer for Kavach, a 141MB package.
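As an added illustration, not code from the Talos report or from this article, the Python sketch below shows two defender-side triage checks aimed at the delivery tactics described above: downloads whose filename or leading bytes say “document” or “image” while the content is actually a Windows executable, and domains that closely resemble a trusted government domain. The trusted-domain list, URLs, filenames and byte strings are all constructed placeholders, and the similarity threshold is an assumption to be tuned per organisation.

```python
"""Heuristic triage for lookalike-domain and disguised-downloader delivery.

Added example; TRUSTED_DOMAINS and all sample inputs are constructed
placeholders, not identifiers taken from the article or the report.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Placeholder allow-list of domains the organisation trusts (constructed).
TRUSTED_DOMAINS = ["ministry-portal.gov.example", "defence-mail.gov.example"]

# Extensions that execute on Windows versus ones that look like harmless content.
EXECUTABLE_EXT = {"exe", "scr", "msi", "com", "bat", "cmd", "ps1"}
DOCUMENT_EXT = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx"}

# Assumed similarity ratio above which a domain is treated as a lookalike.
LOOKALIKE_THRESHOLD = 0.8


def file_type_from_magic(data: bytes) -> str:
    """Classify content by its leading bytes: PE, PDF, PNG, JPEG or unknown."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\x89PNG"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def flag_attachment(name: str, data: bytes) -> list:
    """Return the reasons a downloaded file looks like a disguised executable."""
    reasons = []
    exts = name.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    # "report.pdf.exe": a document extension hiding an executable one.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXT and exts[-2] in DOCUMENT_EXT:
        reasons.append("double extension hides an executable")
    # "photo.jpg" whose bytes start with a PE header: extension lies about content.
    if file_type_from_magic(data) == "pe" and claimed in DOCUMENT_EXT:
        reasons.append("PE header but document/image extension")
    return reasons


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold=LOOKALIKE_THRESHOLD):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    d = domain.lower()
    if d in trusted:
        return None
    best, score = None, 0.0
    for t in trusted:
        ratio = SequenceMatcher(None, d, t).ratio()
        if ratio > score:
            best, score = t, ratio
    return best if score >= threshold else None


def triage_download(url: str, filename: str, data: bytes) -> dict:
    """Combine both checks for one download event into a single verdict."""
    host = urlsplit(url).hostname or ""
    reasons = list(flag_attachment(filename, data))
    target = lookalike_of(host)
    if target is not None:
        reasons.append(f"domain {host} resembles trusted {target}")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample event: lookalike host serving a PE named like an image.
    sample = triage_download(
        "https://ministry-portal-gov.example/files/photo.jpg",
        "photo.jpg",
        b"MZ\x90\x00" + b"\x00" * 60,
    )
    print(sample)
```

In practice the `TRUSTED_DOMAINS` list would come from the organisation's own inventory, and the magic-byte check should run on the first bytes of the actual download rather than on a filename alone, since the tactic described above relies on the name looking harmless.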
According to Talos, malicious payloads are downloaded and executed, including the Remote Access Trojan (RAT) CrimsonRAT.
Since 2020, the .NET RAT has been regarded as the group’s “malware of choice”; it is capable of extensive data theft and surveillance.
As per Talos, “Based on our analysis of Transparent Tribe operations over the last year, the group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.”
The group’s current toolkit includes the long-running ObliqueRAT malware, a new Python-based stager for deploying .NET-based spyware and other Trojans, and a new .NET implant for executing arbitrary code.
According to Talos, the new additions are quickly deployable malicious tools and RATs. When smaller payloads are used, it appears that threat actors accept their more limited capabilities as a trade-off when compared to CrimsonRAT and ObliqueRAT.
Furthermore, Transparent Tribe has not shied away from using mobile technologies in its search for new victims. CapraRAT is a tool under constant development with a single goal: stealing data from handsets.
“This campaign furthers this targeting and their central goal of establishing long-term access for espionage. The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT,” the report by Talos noted.
“They have continued the use of fake domains masquerading as government and quasi-government entities, as well as the use of generically themed content-hosting domains to host malware. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets,” it added.