APT PROFILE : Transparent Tribe aka APT36

APT36, a Pakistan-based APT group, has intensified cyber espionage operations targeting Indian government, military, educational institutions, and critical infrastructure using sophisticated phishing campaigns and malware. The group employs evolving toolsets and leverages real-world events and legitimate services for credential theft and persistent access. #APT36 #IndianGovernment #CriticalInfrastructure

Keypoints

  • APT36, active since at least 2013 and linked to Pakistani state interests, primarily targets Indian government, military, defense contractors, and educational sectors.
  • Recent campaigns exploit real-world events, such as the Pahalgam terror attack, to distribute phishing PDFs and macro-enabled documents delivering Crimson RAT for remote access and data theft.
  • The group uses advanced malvertising via Google Ads to promote fake Kavach MFA portals, stealing government credentials and deploying malware like Crimson RAT and Limepad.
  • APT36 has expanded its targeting beyond government and military to include educational institutions and students in India using malicious Office documents.
  • They employ cross-platform espionage tools developed in Python, Golang, and Rust, allowing attacks on both Windows and Linux systems.
  • Command-and-control communication increasingly abuses legitimate cloud services like Google Drive and messaging platforms such as Telegram, Discord, and Slack for stealth and persistence.
  • The group’s malware arsenal includes a wide range of RATs such as Crimson RAT, Limepad, DarkComet, and Poseidon, supporting extensive data exfiltration and remote control functions.
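The credential-theft campaigns above hinge on look-alike domains (Kavach MFA portal, Jammu & Kashmir Police, Indian Air Force). The following triage script is an added example, not code from CYFIRMA or from the report: it scores newly observed domains against a brand watchlist, treating anything that carries a protected brand token, or sits within a short edit distance of it, outside the brand's legitimate zone as an impersonation candidate. The watchlist zones (gov.in, nic.in) and the candidate domains are assumptions constructed for the example and are not indicators from the profile.

```python
"""Look-alike domain triage for brand impersonation (added example, not from the report)."""
from dataclasses import dataclass

# Brand token -> parent zones where the brand legitimately lives.
# ASSUMPTION for illustration: verify against the real service before use.
WATCHLIST = {
    "kavach": ("gov.in", "nic.in"),
    "jkpolice": ("gov.in", "nic.in"),
    "indianairforce": ("gov.in", "nic.in"),
}

# Minimal typo/homoglyph normalisation; extend with a full confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "@": "a", "-": "", "_": ""})

# Two-label public suffixes common for Indian targets (tiny stand-in for the PSL).
TWO_LABEL_SUFFIXES = {"gov.in", "nic.in", "co.in", "ac.in"}


@dataclass
class Finding:
    domain: str
    brand: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (iterative, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_and_zone(domain: str) -> tuple[str, str]:
    """Split a FQDN into (registrable label, parent zone)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def triage(domain: str) -> list[Finding]:
    """Return impersonation findings for one domain (empty list = nothing suspicious)."""
    labels = domain.lower().rstrip(".").split(".")
    registrable, zone = registrable_and_zone(domain)
    norm_labels = [lab.translate(CONFUSABLES) for lab in labels]
    norm_reg = registrable.translate(CONFUSABLES)
    findings = []
    for brand, zones in WATCHLIST.items():
        if zone in zones:
            continue  # hosted under the brand's own zone: not an impersonation
        if any(brand in lab for lab in norm_labels):
            findings.append(Finding(domain, brand, f"brand token present outside {zones}"))
        elif edit_distance(norm_reg, brand) <= max(1, len(brand) // 5):
            findings.append(Finding(domain, brand, "registrable label is a near-typo of the brand"))
    return findings


def triage_many(domains) -> list[Finding]:
    return [f for d in domains for f in triage(d)]


# Constructed candidates for the demo; these are NOT real indicators.
SAMPLE = [
    "kavach.mail.gov.in",        # legitimate zone -> ignored
    "kavach-app.com",            # brand token under a foreign TLD
    "kavvach.net",               # one-character typo
    "login.jkp0lice.com",        # digit-for-letter homoglyph in a subdomain
    "indianairforce-portal.in",  # brand token directly under .in
    "example.org",               # benign control
]

if __name__ == "__main__":
    for f in triage_many(SAMPLE):
        print(f"{f.domain:28} {f.brand:16} {f.reason}")
```

The zone check is what keeps the rule from firing on the legitimate portal itself; in production replace the tiny suffix set with the Public Suffix List and feed the script from certificate-transparency logs or passive DNS.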

MITRE Techniques

  • [T1608.004] Stage Capabilities: Drive-by Target – Staging of look-alike websites and domains that impersonate Indian government and defense organizations for phishing and malvertising. (‘use of fake domains impersonating Jammu & Kashmir Police and Indian Air Force’)
  • [T1203] Exploitation for Client Execution – Listed in the profile for the malicious documents; note that macro-enabled Office files and PDF lures run only after the recipient enables content or follows the link, which ATT&CK classes as User Execution (T1204) rather than exploitation of a client vulnerability. (‘macro-laced documents to stage Crimson RAT infections’)
  • [T1584.001] Compromise Infrastructure: Domains – Listed for the fake domains mimicking official Indian portals; registering new look-alike domains is Acquire Infrastructure: Domains (T1583.001), and T1584.001 applies only where an existing legitimate domain is hijacked. (‘registering domains closely resembling official Indian government sites’)
  • [T1204.002] User Execution: Malicious File – Use of malicious PDF and Office documents as phishing lures. (‘phishing PDFs and macro-laced documents’)
  • [T1204.001] User Execution: Malicious Link – Use of malvertising campaigns promoting trojanized software via Google Ads. (‘abused Google Ads to promote malicious domains mimicking India’s Kavach MFA portal’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Execution of VBA macros in Office documents to activate malware. (‘macro-enabled documents and OLE-embedded files to stage malware’)
  • [T1189] Drive-by Compromise – Using malicious websites that deliver malware when visited. (‘fake websites and domains impersonating Indian government services’)
  • [T1566.001] Phishing: Spearphishing Attachment – Delivering malicious email attachments targeting government and educational personnel. (‘spear phishing emails with malicious attachments’)
  • [T1566.002] Phishing: Spearphishing Link – Sending phishing links through emails and ads to lure targets into malicious sites. (‘malvertising campaigns using Google Ads’)
  • [T1027] Obfuscated Files or Information – Use of PyInstaller-packaged binaries and payloads wrapped in VHDX archives to evade static detection; files extracted from a mounted VHDX do not carry the mark-of-the-web, so SmartScreen and Protected View checks are sidestepped. (‘binaries packed in VHDX archives for stealth’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Domains and sites impersonate legitimate Indian services. (‘domains closely resembling official Indian government sites’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task and [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Scheduled tasks and Startup-folder changes to maintain persistence. (‘scheduled tasks, startup folder modifications’)
  • [T1102.002] Web Service: Bidirectional Communication – Use of legitimate cloud and messaging platforms as command-and-control channels, blending with normal traffic and complicating network detection. (‘abuse of Google Drive, Telegram, Discord, and Slack for covert communications’)
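The techniques above chain together on the endpoint: an Office document spawns a child process, that lineage plants a scheduled task or Startup-folder entry, and the implant talks to a cloud or messaging API. The hunt below is an added example, not part of the CYFIRMA profile: it runs three rules over Sysmon-style process, file and network events. The events, process names, paths and the set of service hosts are constructed assumptions for the demo, not indicators from the report.

```python
"""Host-telemetry hunt for the APT36 tradecraft above (added example, not from the report).

Rules:
  1. office_child     Office app spawns a non-Office child        (T1204.002 / T1059.005)
  2. scheduled_task   schtasks /create by a process in that Office lineage (T1053.005)
  3. startup_folder   write into the Startup folder by that lineage  (T1547.001)
  4. web_service_c2   non-browser process reaches a cloud/messaging API host (T1102.002)
"""
from dataclasses import dataclass
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# API hosts of the services the profile names as C2 carriers (assumed list).
WEB_SERVICE_HOSTS = {"drive.google.com", "www.googleapis.com",
                     "api.telegram.org", "discord.com", "hooks.slack.com"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _procs(events):
    """pid -> (lower-case image, ppid) from the process-create events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"])
            for e in events if e["type"] == "process"}


def _office_lineage(pid, procs) -> bool:
    """True if pid or any of its ancestors is an Office application."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        if image in OFFICE:
            return True
        pid = ppid
    return False


def hunt(events) -> list[Finding]:
    procs = _procs(events)
    findings = []
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower()
            parent = procs.get(e["ppid"], ("", None))[0]
            if parent in OFFICE and image not in OFFICE:
                findings.append(Finding("office_child", e["pid"], f"{parent} -> {image}"))
            if image == "schtasks.exe" and "/create" in e["cmdline"].lower() \
                    and _office_lineage(e["pid"], procs):
                findings.append(Finding("scheduled_task", e["pid"], e["cmdline"]))
        elif e["type"] == "file":
            if STARTUP_RE.search(e["path"]) and _office_lineage(e["pid"], procs):
                findings.append(Finding("startup_folder", e["pid"], e["path"]))
        elif e["type"] == "network":
            image = procs.get(e["pid"], ("", None))[0]
            if e["dest"].lower() in WEB_SERVICE_HOSTS and image not in BROWSERS:
                findings.append(Finding("web_service_c2", e["pid"], f"{image} -> {e['dest']}"))
    return findings


# Constructed Sysmon-style events for the demo; not real telemetry.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": 'WINWORD.EXE "C:\\Users\\a\\Downloads\\Advisory.docm"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c start update.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\a\\AppData\\Roaming\\update.exe"},
    {"type": "file", "pid": 300,
     "path": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"type": "network", "pid": 500, "dest": "drive.google.com", "port": 443},   # browser: benign
    {"type": "process", "pid": 600, "ppid": 1,   "image": "update.exe", "cmdline": "update.exe"},
    {"type": "network", "pid": 600, "dest": "api.telegram.org", "port": 443},   # implant beacon
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:15} pid={f.pid:<5} {f.detail}")
```

Rules 2 and 3 are gated on Office lineage to keep them quiet on installers and admin scripts; rule 4 is intentionally broad because the profile's C2 carriers are services a browser legitimately talks to, so the process identity, not the destination, carries the signal.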

Indicators of Compromise

  • [Domains] Fake official Indian services for phishing and malvertising – domains impersonating Jammu & Kashmir Police and Indian Air Force, Kavach MFA portal domains.
  • [File Names] Malicious payloads – Crimson RAT binaries, Limepad exfiltration tool, macro-enabled Office documents, and PDFs used in phishing campaigns.
  • [Malware] RAT samples and toolkits – Crimson RAT, Limepad, DarkComet RAT, Beendoor RAT, Poseidon (Linux malware), and others.


Read more: https://www.cyfirma.com/research/apt-profile-transparent-tribe-aka-apt36/
