Transparent Tribe is an Advanced Persistence Threat (APT) group that has been active since 2013. Also known as PROJECTM and MYTHIC LEOPARD, the group is highly active and has been engaged in conducting various cyber espionage campaigns. The APT group is suspected to be politically motivated, as its victims include defense and diplomatic professionals. One of the tools used in its campaigns is a .NET RAT (Remote Access Trojan) also known as Crimson RAT. The group was seen to be operating with an updated version of Crimson RAT discovered recently, consisting of a malicious macro embedded in a word file that upon execution drops a payload to set up a communication channel with a Command-and-Control Server (C2/C&C Server).
Table 1 consists of details of Transparent Tribe.
|Aliases||PROJECTM and MYTHIC LEOPARD|
|Target||Afghanistan and India|
Table 1: Details of Transparent Tribe
The image below depicts the infection flow of Crimson RAT.
Figure 1: Infection Flow of Crimson RAT
Transparent Tribes’ campaigns begin with the delivery of a malicious document file on the targeted victim system, and upon opening the malcrafted document that has embedded macro, users receive a notification regarding a security concern and are instructed to give a consent for enabling the content.
Figure 2 depicts the word file embedded with malicious macro.
Figure 2: Malicious word file
As the infection flow starts off from the execution of the word macro, we were on the lookout for more information regarding the malicious macro. As per OLE Object analysis, the Autoexecution of the Document_open function leads to the payload delivery and its subsequent execution on the victim’s machine.
Figure 3 showcases the keywords extracted from the malicious word macro.
Figure 3: Keywords used in word macro.
In Figure 4, we can see that the name of the payload file is dubbed as “railthnsrqn” in the macro, along with the use of ALLUSERPROFILE variable, which indicates that the payload might get dropped in C:\ProgramData.
Figure 4: File creation
The macro checks for the OS (Operating System) version, and based on whether it is 32-bit or 64-bit, it accordingly selects the payload.
Figure 5: OS version detection
The payload gets executed after it’s dropped using shell command.
Figure 6: Execution of the payload (railthnsrqn.exe).
During our research, we also found a different execution technique used by the Crimson RAT to execute its payload. This technique does not use word macros, but a binary executable file that has an embedded word document (containing a CV file). Upon execution, it opens the embedded word document and silently executes its payload in the background.
Figure 7: Another execution method used by Crimson RAT
Figure 8: Embedded .doc file
Technical analysis Case 1:
Upon behavioral analysis, it was verified that the payload file named railthnsrqn.exe was dropped and executed after enabling the macro.
Figure 9: railthnsrqn.exe sub process.
Figure 8 depicts the process flow of railthnsrqn.exe.
Figure 10: Process flow of railthnsrqn.exe
Upon analyzing the network traffic, we found that multiple TCP requests were made to 22.214.171.124, which turns out to be the C&C server.
Figure 11: railthnsrqn.exe trying to establish a TCP connection.
We found the following hardcoded port numbers during the decompilation of railthnsrqn.exe.
Figure 12: Hardcoded Port Numbers
The image below showcases the code used by the payload to exfiltrating the data.
Figure 13: Data Exfiltration
Figure 14: Capturing Screenshot
In Figure 15, we can see the code that has been written to make changes into the registry for persistance and to autostart the malware payload.
Figure 15: Persistence Mechanism
Technical analysis Case 2:
The Figure 16 depicts the execution of payload file (othvidtiraw.exe) in the background.
Figure 16: Execution of payload(othvidtiraw.exe)
We can see in the figure below that the payload is trying to connect to Command and Control (C2) server and is also accessing the registry for persistence.
Figure 17: Process flow of othvidtiraw.exe
Table 2 consist of: MITRE ATT&CK mapping
|Execution||T1204||Manual Execution by User|
|Persistence||T1060||Changes the Autorun Value in the Registry.|
|Defense Evasion||T1140||Use of Obfuscated Macros.|
|Discovery||T1012||Query Registry Check Environment Variables|
|Collection||T1113 T1119||Capture Screenshot Automated Collection|
|Command and Control||T1095||Non-application Layer Protocol|
Table 2: MITRE ATT&CK mapping
The Transparent Tribe APT group has been actively exploiting its target using an updated tool set. In the past, we have seen them successfully carrying out their campaigns on defense and diplomatic personnel. The use of new attack techniques helps an attacker to evade security mechanisms, thereby establishing more persistence on the victim network. Individuals are advised to enhance security controls to overcome these new TTPs used by hackers. So far, we have not heard of Transparent Tribe exploiting general public, however, most of victims of the APT group seem to have some relation with Afghanistan or India.
Cyble will continue to track APT activities to collect advanced threat intelligence related to such campaigns.
- We recommend blocking the listed hashes, URLs, and other indicators on your security systems shared in the IoC list below.
- Never share personal information, including financial information over the phone, email, or SMSs.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- People concerned about their exposure to the Dark web can register at AmiBreached.com to ascertain their exposure.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Indicators of Compromise (IOCs):
Table 3 includes Indicators of Compromise (IOC).
Table 3: Indicators of Compromise
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Straups to Watch in 2020. Headquartered in Alpharetta, Georgia and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.