Trending

ee-track">
Link copied!

Transparent Tribe APT targets Indian Military

Transparent Tribes, an advanced persistent threat (APT) group, is an extremely prolific hacker body. Considered to be active since at least 2013, the body is also known as PROJECTM and MYTHIC LEOPARD. In the previous attack,…

October 12, 2020 · 4 min read

Transparent Tribes, an advanced persistent threat (APT) group, is an extremely prolific hacker body. Considered to be active since at least 2013, the body is also known as PROJECTM and MYTHIC LEOPARD. In the previous attack, the group was associated with the IP addresses from Pakistan.

With its agenda of continuously conducting cyber-espionage campaigns aimed at the military and diplomatic entities worldwide, the threat entity’s malware reflects its relentless efforts to expand and update its spyware toolset for future operations.

Previously, the threat group has been linked to cyber-espionage against the Afghanistan government. More recently, the Transparent Tribe APT group has switched its focus towards the Indian military. It also appears that the threat actor may have links with Pakistan.

Based on historical research data, the group primarily uses a malware known as Crimson RAT for effective cyber espionage, as well as other custom .NET malware, including a Python-based RAT known as Peppy. Typically, the infection vector is a spear-phishing email with an attached malicious document that leads to the easy installation of payload files.

Recently, the Cyble Research team spotted a new variant of the Crimson RAT in the wild, and the campaign possibly leverages spear-phishing as the initial infection vector with the following link to deliver payload.

hxxps://email[.]gov[.]in[.]attachment[.]drive[.]servicesmail[.]site/files/Coast Guard HQ 10[.]rar

Upon closer inspection, the Whois information of the source domain pointed to a location in Atlanta, USA.

image 5



  Figure1:Whois information of source URL

The actual file inside the RAR archive is a malicious executable compiled with a pdf icon and a .NET which effectively delivers the Crimson RAT on the victim machine, as shown below. Interestingly, the compilation time of the recent file shows a future date and time.

We suspect that this may be an error and is supposed to be dated as 2018-05-10.

image 6
image 7
Figure2: Crimson RAT main module

Upon execution, a Coast Guard HQ 10.exe file shows embedded pdf files containing the telephone directory of the Coast guard region (NW), as shown in the image below.

image 8 1
Figure3: Embedded pdf file

In the background, it drops an additional payload file called “rvlrarhsma.exe” in the following path- C:\ProgramData\Rellhars and executes it.

The payload file information is as follows:

image 9

Next, the Crimson RAT employs a Run registry persistence so that the malware gets loaded on every reboot, as demonstrated below.

image 10
Figure4: Crimson RAT persistence method

The Crimson RAT is able to perform various spyware functions with improved data exfiltration capabilities, some of which are mentioned below.

  • Managing remote file systems
  • Uploading or downloading files
  • Capturing screenshots
  • Performing audio surveillance using microphones
  • Recording video streams from webcam devices
  • Stealing files from removable media
  • Executing arbitrary commands
  • Recording keystrokes
  • Stealing passwords saved in browsers
  • Spreading across systems by infecting removable media
  • Using server-side components to manage infected client machines

A screen capture module of the Crimson RAT is as shown in the image below.

image 11
Figure5: Screen capture module of Crimson RAT

The data theft procedure lists all files stored in the device to find interested files and sends it to the C2 server. The list of directories scanned to get interested files are highlighted below.

image 12
Figure6: List directories scanned

We have also observed hardcoded network ports and a list of numbers that are used to derive dynamic IP’s of C2 server in Crimson RAT, as depicted below.  

image 13
Figure7: list of ports and IP’s

As seen in the previous attacks, a USBworm component is also present. The USBworm has the ability to steal files from removable drives, besides spreading across systems by infecting removable media. The diagram below shows the module used to save USBworm component from C2 server.

image 14
Figure8: USBworm module delivery

Conclusion:

Transparent Tribes APT groups continues to target multiple regions, typically including the Indian military and government personnel. The infamous hacker group is also known to be engaged in continuous efforts to keep its malware tools and techniques evolved and upgraded to suit the nature of any cyber attack.

Cyble Research team is continuously monitoring to harvest indicator/TTP’s of Emerging APT’s in the wild to ensure that the targeted organizations are well informed and protected proactively.

List of IOC’s: 

Source URL: hxxps[:]//email.gov.in.attachment.drive.servicesmail.site/files/Coast%20Guard%20HQ%2010.rar

File Hash:(MD5) 

ba1b8f8880d2cfd9795f9cdbac72de11– Coast Guard HQ 10.rar

b160e50bc44d8cfebdcfa0ed412cdb28– rvlrarhsma.exe

C2 Domain’s/IP’s:  85.136.161.124:8761 – Crimson C2

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.     

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams