The advanced persistent threat (APT) group known as Transparent Tribe is expanding the types of malware in its arsenal and its victimology in a slew of attacks that home in on Windows devices.
The group (also known as APT36 and Mythic Leopard), known for its campaigns centered around information theft and espionage, has been around since 2013 and has historically targeted primarily Indian military and defense personnel with the CrimsonRAT malware.
However, new research published Thursday by Cisco Talos sheds light on how the group continues to evolve several parts of its attack vector, including expanding its victimology and making its lures more targeted. The group is also now deploying the ObliqueRAT malware in addition to CrimsonRAT, indicating an evolution of its toolset.
“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” said Asheer Malhotra, Justin Thattil and Kendall McKay, researchers with Cisco Talos, on Thursday. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”
Researchers observed various malicious documents distributing the malware as part of Transparent Tribe campaigns. It remains unclear how the maldocs are delivered to victims, said researchers, but they suspect they were likely sent as attachments via phishing emails, based on the threat actor’s previous behaviors and the targeted nature of the lure. For instance, earlier campaigns would deliver phishing maldocs to victims, which contained malicious VBA macros that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc.
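The maldoc pattern described above (a VBA macro that carves an executable or a ZIP archive out of the document itself) is something a defender can triage statically before any macro runs. The following is an added example, not code from the article or from Cisco Talos: it walks the parts of an OOXML document, records whether a `vbaProject.bin` macro container is present, and flags any non-XML part whose bytes begin with a PE, ZIP or OLE signature. The sample documents are constructed in memory for the demo; the function and helper names are the author's own.

```python
import io
import zipfile

# File signatures to look for inside document parts.
PE_MAGIC = b"MZ"                                   # Windows executable
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP archive
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file (vbaProject.bin, embedded objects)


def triage_ooxml(data):
    """Static triage of an OOXML (docx/xlsx/pptx) blob.

    Returns a dict with: has_vba (macro container present), embedded_parts
    (names under an embeddings/ folder) and payload_hints (part name, reason)
    for parts that carry an executable/archive/OLE signature.
    """
    findings = {"has_vba": False, "embedded_parts": [], "payload_hints": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba"] = True
                continue  # the macro container is an OLE file; reported via has_vba
            if "embeddings/" in lower:
                findings["embedded_parts"].append(name)
            # XML and relationship parts are text; only binary parts can hide a payload.
            if lower.endswith((".xml", ".rels")):
                continue
            blob = zf.read(name)
            if blob.startswith(PE_MAGIC):
                findings["payload_hints"].append((name, "PE executable header"))
            elif blob.startswith(ZIP_MAGIC):
                findings["payload_hints"].append((name, "ZIP archive header"))
            elif blob.startswith(OLE_MAGIC):
                findings["payload_hints"].append((name, "OLE container"))
    return findings


def is_suspicious(findings):
    """Macro code plus a binary payload in the same document is the combination worth escalating."""
    return findings["has_vba"] and bool(findings["payload_hints"])


def build_sample_maldoc():
    """Constructed sample (not a real Transparent Tribe document): minimal OOXML layout
    with a macro container and an embedded object whose bytes look like a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("word/embeddings/oleObject1.bin", PE_MAGIC + b"\x90" * 64)
    return buf.getvalue()


def build_sample_cleandoc():
    """Constructed sample: the same layout with no macros and only an image part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("maldoc", build_sample_maldoc()), ("clean", build_sample_cleandoc())):
        f = triage_ooxml(doc)
        print(label, "suspicious" if is_suspicious(f) else "no findings", f)
```

This is a first-pass check only: a macro that rebuilds its payload from split or base64-encoded strings at run time leaves no `MZ` header to find, so a hit is strong evidence but a miss is not a clean bill of health, and a dedicated macro analyser such as oletools' olevba is the usual next step.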
In these more recent campaigns, researchers also noted that the attackers took extra steps to ensure that their attack chain appeared more legitimate, by hosting their malicious payloads on compromised websites (rather than embedding the malware directly in the document), for instance. In order to initially compromise organizations, researchers said the group uses fake domains that both mimic legitimate Indian military and defense organizations, as well as malicious domains that mimic content-hosting and file-sharing websites, such as drivestransfer[.]com and file-attachment[.]com.
In one instance, researchers uncovered a fake domain registered by the attackers, masquerading as a website for the Center For Land Warfare Studies (CLAWS), which is an India-based think tank covering national security and military issues (the fake domain is clawsindia[.]com, while the real domain is claws[.]in). In another attack earlier this year, the attackers compromised the Indian Industries Association’s legitimate website in order to host malicious artifacts for the ObliqueRAT infections.
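The two kinds of infrastructure named in the article, a brand-themed lookalike of a real organization (clawsindia[.]com standing in for claws[.]in) and generic file-sharing-themed domains (drivestransfer[.]com, file-attachment[.]com), can both be caught with a simple watchlist check over domains pulled from proxy or DNS logs. The code below is an added example, not from the article or from Cisco Talos: the watchlist, the file-sharing token list and the similarity threshold are constructed for the demo, and the function names are the author's own.

```python
from difflib import SequenceMatcher

# Constructed watchlist: registrable label -> TLDs the real organization actually uses.
# claws[.]in is the legitimate CLAWS domain named in the article.
WATCHLIST = {
    "claws": {"in"},
}

# Constructed list of words that file-sharing lookalike domains tend to reuse.
FILE_SHARE_TOKENS = ("drive", "transfer", "attachment", "file", "share", "docs")

# Ratio above which a label is treated as a near-spelling of a watchlisted brand.
NEAR_MATCH = 0.8


def split_domain(domain):
    """Return (registrable label, tld), accepting defanged 'a[.]b' input.

    Assumption: the last two labels are the registrable domain, which holds for the
    article's examples but not for every TLD (no public-suffix handling here).
    """
    parts = domain.lower().strip().replace("[.]", ".").split(".")
    return parts[-2], parts[-1]


def classify(domain):
    """Return the reasons a domain looks suspicious; an empty list means nothing flagged."""
    label, tld = split_domain(domain)
    reasons = []
    for brand, tlds in WATCHLIST.items():
        if label == brand and tld in tlds:
            return []  # the real domain itself
        if brand in label:
            # brand name inside a longer label, or on a TLD the organization does not use
            reasons.append(f"contains watchlisted brand '{brand}' but is not {brand}.{'/'.join(sorted(tlds))}")
        elif SequenceMatcher(None, label, brand).ratio() >= NEAR_MATCH:
            reasons.append(f"label '{label}' is a near-spelling of '{brand}'")
    hits = [t for t in FILE_SHARE_TOKENS if t in label]
    if len(hits) >= 2:
        reasons.append(f"file-sharing themed label (tokens: {', '.join(hits)})")
    return reasons


def triage(domains):
    """Map each observed domain to its list of reasons, keeping only flagged ones."""
    return {d: r for d in domains if (r := classify(d))}


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in a DNS log.
    observed = ["claws[.]in", "clawsindia[.]com", "drivestransfer[.]com",
                "file-attachment[.]com", "example.org"]
    for domain, reasons in triage(observed).items():
        print(domain, "->", "; ".join(reasons))
```

The brand check deliberately errs on the side of flagging: any label that merely contains a watchlisted name is reported, so a legitimate partner domain that reuses the name will need an allowlist entry. Homoglyph and typosquat variants beyond simple near-spellings are not covered and would need a dedicated library.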
These maldocs reflect how the lures for the attacks have shifted as well. While attackers had used more generic themes, such as popular news topics, since 2019, from mid-2020 they shifted to primarily distributing military-themed maldocs, which masqueraded as logistical or operational documents. For instance, one maldoc was disguised as a health advisory on COVID-19 procedures for defense training establishments.
“These examples highlight Transparent Tribe’s heavy reliance on social engineering as a core TTP and the group’s efforts to make their operations appear as legitimate as possible,” said researchers.
While the attackers are still primarily targeting military and defense personnel, they have also expanded their victimology to include an array of other organizations, including diplomatic entities, defense contractors, research organizations and conference attendees. One maldoc, for instance, purported to be an agenda for a dialogue series by the Heart of Asia Society 2020, leading researchers to believe that the attackers were targeting the attendees of this conference.
Transparent Tribe has also expanded the breadth of the malware that they are delivering. While CrimsonRAT has been a staple implant for the group, “since 2020 the attackers have focused on diversifying their malware arsenal and infection tactics,” said Malhotra.
CrimsonRAT, a prolific malware family written in .NET, can be used by attackers to steal credentials from browsers, capture screenshots, collect antivirus software information and list the running processes, drives and directories on victim machines. ObliqueRAT, meanwhile, is a remote access trojan with known activity dating back to November 2019, which, once downloaded, exfiltrates various information including system data, a list of drives and a list of running processes. Campaigns previously spreading ObliqueRAT have also used steganography, hiding the payload in seemingly benign image files hosted on compromised websites.
Malhotra said that the introduction of ObliqueRAT into the threat group’s arsenal has given it an opportunity to constantly evolve and “become more and more lethal.”
Moving forward, Malhotra believes that the group will continue to target military and government entities based on political and strategic motivations, and will continue to evolve its implants, stealth mechanisms and social engineering tactics to infect high-value victims.
“Based on our findings, Transparent Tribe’s tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit,” said researchers. “The variety of maldoc lures Transparent Tribe employs indicates that the group continues to rely on social engineering as a core component of its operations.”