Recent malicious documents sent by Transparent Tribe, which appear to target institutions in the Indian education sector, reveal that the Pakistan-linked threat group is experimenting with new techniques to stage and obfuscate its malware.
Transparent Tribe (also known as APT36), known for its campaigns centered around information theft and espionage, has been around since 2013 and has historically targeted Indian military and defense personnel, primarily with the CrimsonRAT malware. This prolific malware family, written in .NET, can be utilized by attackers to steal credentials from browsers, capture screenshots, collect antivirus software information and list the running processes, drives and directories from victim machines.
While not very sophisticated, Transparent Tribe has continuously changed its operational strategy. Researchers at Cisco Talos last year found evidence of the group expanding its victimology beyond the defense sector, for instance, to target institutions and students in the Indian education industry.
“Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and targets,” said Aleksander Milenkoski, senior threat researcher with SentinelLabs, in a Thursday analysis. “Transparent Tribe’s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.”
Researchers observed Transparent Tribe distributing education-themed malicious documents, purporting to be related to student assignments, as attachments to phishing emails. These malicious documents pave the way for CrimsonRAT using both Microsoft Office macros and OLE embedding, where the legitimate Office object linking and embedding (OLE) functionality is misused to trick victims into downloading malicious content. CrimsonRAT is then executed, disguised as an update process.
"The use of OLE embedding for staging malware through malicious documents, an alternative technique to Office macros, may enhance the likelihood of success of this initial intrusion vector," said Milenkoski. "With this technique, users are not presented with the standard macro warning banner when opening a malicious document. They are lured instead into double-clicking a document element, which activates malicious code. In the campaign we analysed, this element is an image indicating that the document content is locked."
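Because an OLE-embedded payload triggers no macro warning, document triage that only looks for VBA projects misses this staging path. The following Python script, added here as an illustration and not code from SentinelLabs or the article, shows how a defender can statically check an OOXML document (.docx/.docm/.xlsx/.pptx) for both paths: a `vbaProject.bin` part for macros, and `embeddings/` parts plus the OLE object relationship and content types for OLE embedding. It uses only the standard library; the sample documents it inspects are constructed in memory for the demonstration and are not real samples, and the part names, relationship URI and content types are the standard OOXML ones.

```python
"""Static triage of OOXML packages for two malware-staging paths:
VBA macros and embedded OLE objects. Standard library only."""
import io
import re
import zipfile

# Part names that carry active or embedded content inside the OOXML zip.
MACRO_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
EMBED_RE = re.compile(r"^(word|xl|ppt)/embeddings/[^/]+$", re.IGNORECASE)
# Standard OOXML identifiers for embedded OLE objects.
OLE_CT = "application/vnd.openxmlformats-officedocument.oleObject"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
VBA_CT = "application/vnd.ms-office.vbaProject"


def triage_ooxml(data: bytes) -> dict:
    """Inspect the zip container and report macro and OLE-embedding indicators."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        macros = any(MACRO_RE.match(n) for n in names)
        embeddings = sorted(n for n in names if EMBED_RE.match(n))
        # Relationship files link document parts to embedded objects.
        ole_rels = 0
        for n in names:
            if n.endswith(".rels"):
                ole_rels += zf.read(n).decode("utf-8", "replace").count(OLE_REL)
        # The content-types manifest declares OLE parts by extension or override.
        declared = 0
        if "[Content_Types].xml" in names:
            declared = zf.read("[Content_Types].xml").decode("utf-8", "replace").count(OLE_CT)
    return {
        "macros": macros,
        "ole_embeddings": embeddings,
        "ole_relationships": ole_rels,
        "ole_content_types": declared,
    }


def classify(report: dict) -> str:
    """Collapse the report into a single verdict for alerting or routing to sandbox."""
    has_ole = bool(report["ole_embeddings"]) or report["ole_relationships"] > 0
    if report["macros"] and has_ole:
        return "macro+ole"
    if report["macros"]:
        return "macro"
    if has_ole:
        return "ole-embed"
    return "none"


def build_sample_docx(with_macro: bool, with_ole: bool) -> bytes:
    """Constructed minimal .docx package for exercising the triage (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        rels = ['<?xml version="1.0" encoding="UTF-8"?>',
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_ole:
            types.append(f'<Default Extension="bin" ContentType="{OLE_CT}"/>')
            rels.append(f'<Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>')
            # Placeholder compound-file header followed by padding; content is irrelevant here.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
            # A lure image of the kind the user is asked to double-click.
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        types.append("</Types>")
        rels.append("</Relationships>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for macro, ole in ((False, True), (True, False), (True, True), (False, False)):
        report = triage_ooxml(build_sample_docx(macro, ole))
        print(classify(report), report)
```

In a mail gateway or sandbox pipeline, any verdict other than `none` on a document arriving as an unsolicited attachment is worth routing to dynamic analysis; the `ole-embed` case in particular is the one a macro-only rule would have passed through. Real OLE parts are compound-file binaries, so a follow-up step would parse the embedded part (for example with a CFB parser) to recover the embedded file's original name and type before it is ever opened by a user.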
Researchers observed multiple CrimsonRAT variants with compilation timestamps between June and September 2022, reflecting the group's continuous development of the malware. These variants use various anti-analysis measures, such as delaying execution for a set period of time. One CrimsonRAT variant was found to be obfuscated with Eazfuscator, whereas earlier samples had been obfuscated with Crypto Obfuscator. This switch makes it more difficult for analysts and static detection mechanisms to keep up with the APT's tactics, said Milenkoski.
“Evidence suggests that the CrimsonRAT developers have patched the routine that evaluates the trial period of Eazfuscator to enable the execution of the malware after the trial period expires,” said Milenkoski.
The campaign is only the latest by Transparent Tribe, which in March was discovered distributing the Android CapraRAT backdoor via trojanized messaging and calling apps in order to exfiltrate sensitive data. The group has also made moves to expand the number of malware families that it leverages to include ReverseRAT and the ObliqueRAT Windows malware.