Pakistan-linked Transparent Tribe APT expands its arsenal

Alleged Pakistan-Linked cyber espionage group, tracked as Transparent Tribe, targets Indian entities with a new Windows malware.

Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal. The group used the new malware dubbed ObliqueRAT in cyberespionage attacks against Indian targets.

The Operation Transparent Tribe (Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint Researchers in Feb 2016, in a series of cyber espionage operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the sources IP in Pakistan, the attacks were part of a wider operation that relies on multi-vector such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrate information, take screenshot, and record webcam streams.

Transparent Tribe has been active since at least 2013, it targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan.

In the recent wave of attacks, threat actors employed domains mimicking legitimate Indian military and defense organizations, and other domains posing as content-hosting sites that were used to host malicious artifacts.

“Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT.” read the analysis published Cisco Talos. “While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.”

These domains were used to distribute weaponized docs used to deliver CrimsonRAT and ObliqueRAT. Experts observed the hackers using resume documents and archives, such as ZIPs and RARs, with alluring themes distributing CrimsonRAT.

Email and maldoc lures employed to deliver the malware used multiple themes, including conference agendas, honeytrap lures and diplomatic themes.

“The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc.” continues the report. “In one such case in early 2021, the adversaries used iiaonline[.]in, the Indian Industries Association’s legitimate website, to host ObliqueRAT artifacts.”

In other attacks, the group used fake domains for the 7th Central Pay Commission (7CPC) of India and an Indian think tank called Center For Land Warfare Studies (CLAWS),

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” the researchers said. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

Experts noticed that the Transparent Tribe’s TTPs remained largely unchanged since 2020, but the cyberspies continues to implement new lures as part of its arsenal.

Talos researchers also published the Indicators of Compromise (IoCs) for the new attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]