[Cyware] TransparentTribe’s Spear-Phishing Targeting Indian Government Departments – NSFOCUS

NSFOCUS Security Research Labs identified a spear-phishing campaign by TransparentTribe targeting Indian government departments, delivering CrimsonRAT via a malicious document crafted to appear as an official government award file. The attack uses a bait document named “Recommendation for the award of President’s.docm” to deploy CrimsonRAT, enabling extensive system compromise and remote control. Its timing is linked to India’s presidential election, and it reflects a shift toward payloads embedded directly in the document rather than fetched by a remote downloader.
#TransparentTribe #CrimsonRAT #PresidentsAwardDocm #IndianGovernmentDepartments

Keypoints

  • TransparentTribe conducted spear-phishing attacks targeting Indian government departments using a docm bait to deliver CrimsonRAT.
  • The group has a history of targeting government entities in India, Kazakhstan, and Afghanistan since 2012.
  • The campaign timing aligns with the Indian presidential election period, indicating strategic planning.
  • Recent activity embeds the malicious payload inside the bait document rather than relying on remote downloaders.
  • CrimsonRAT provides extensive capabilities including information collection, remote control, and file operations.
  • CrimsonRAT shows version obfuscation techniques (e.g., “A._E.0._6”) to evade detection and obfuscates strings to hinder analysis.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing attachment using a malicious document to deliver the CrimsonRAT Trojan. “The phishing document used was named ‘Recommendation for the award of President’s.docm’ to deliver the CrimsonRAT Trojan.”
  • [T1059.005] Visual Basic – The attack uses a malicious VBA script embedded in the document to extract and execute the payload. “the malicious VBA script to extract and execute the malicious program within the file.”
  • [T1027] Obfuscated/Compressed Files and Information – The group obfuscates version numbers and uses string obfuscation to evade detection. “version number obfuscation … ‘A._E.0._6’.”
  • [T1082] System Information Discovery – CrimsonRAT collects system information and related host data. “CrimsonRAT is capable of collecting system information, downloading and running files, and stealing sensitive information.”
  • [T1113] Screen Capture – CrimsonRAT capability includes capturing screenshots as part of its data collection.
  • [T1071] Application Layer Protocol – The malware communicates with designated C2 servers (e.g., mus09.duckdns.org and IPs) for commands and control. “C2: mus09.duckdns.org” and associated IPs/ports.
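The T1059.005 entry and the keypoint about payloads embedded in the bait document describe a self-contained dropper: a macro-enabled file that carries the executable inside the container instead of downloading it. The triage routine below, an added example that is not NSFOCUS or Cyware code, opens a .docm as the OOXML zip it is, records whether a VBA project part exists, and scans every part for a raw PE image (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). The sample document it inspects is constructed inline and is not the real bait file.

```python
import io
import struct
import zipfile

VBA_PART = "word/vbaProject.bin"  # OOXML part that holds the VBA project


def find_embedded_pe(data: bytes) -> list:
    """Offsets of plausible PE images: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if sig_at + 4 <= len(data) and data[sig_at:sig_at + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_docm(docm_bytes: bytes) -> dict:
    """Open the OOXML zip, note whether a VBA project exists and which parts carry a PE."""
    report = {"has_vba": False, "embedded_pe": {}}
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name == VBA_PART:
                report["has_vba"] = True
            offsets = find_embedded_pe(content)
            if offsets:
                report["embedded_pe"][name] = offsets
    # Macro plus a raw executable inside the container matches the self-contained dropper pattern
    report["suspicious"] = report["has_vba"] and bool(report["embedded_pe"])
    return report


def build_sample_docm(with_payload: bool) -> bytes:
    """Constructed sample, not a real document: a tiny docm-like zip, optionally with a PE stub."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    pe_stub = dos_header + b"PE\x00\x00" + b"\x00" * 20
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # 32-byte stand-in for an OLE header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(VBA_PART, ole_header + (pe_stub if with_payload else b""))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docm(build_sample_docm(with_payload=True)))
```

This only catches a payload stored as raw bytes; a sample that keeps the executable encoded in obfuscated VBA strings, as the string obfuscation noted above suggests, needs the macro source extracted and decoded before the same PE check applies.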

Indicators of Compromise

  • [File Name] Recommendation for the award of President’s.docm, Monthly Report MAP.xlam – bait and historical documents used in the phishing operation
  • [File Hash] c2b37effe3195665ec5597afa329f, 41d801d96c9e27c5ca6c4678ffa2d7e2 – corresponding file payloads
  • [Domain] mus09.duckdns.org – C2 domain used by the attackers
  • [IP] 64.188.21.202:6826, 64.188.21.202:18828, 64.188.21.202:22821 – C2 endpoints
  • [IP] 164.68.122.64:11128, 164.68.122.64:18187, 164.68.122.64:19986 – additional C2 endpoints

Read more: https://nsfocusglobal.com/transparenttribes-spear-phishing-targeting-indian-government-departments