Cisco Talos reports a new campaign by the Transparent Tribe APT targeting Indian educational institutions, deploying CrimsonRAT to establish long-term access into victim networks. The operation also implicates a Pakistani hosting provider, Zain Hosting, as part of the infrastructure, signaling expanded third-party involvement. #TransparentTribe #CrimsonRAT
Keypoints
- The campaign targets students at universities and colleges in India, expanding beyond the group’s traditional focus on government entities.
- CrimsonRAT remains the group’s malware of choice for persistence and long-term access, with ongoing updates to capabilities.
- ObliqueRAT and lightweight downloaders are also part of Transparent Tribe’s toolkit alongside CrimsonRAT.
- Infrastructure involves a Pakistani web hosting provider, Zain Hosting, likely one of several third parties used to stage and deploy the operation.
- Domains and infrastructure show coordinated branding (e.g., student-themed domains) and shared hosting resources, including overlapping SSL certificates and a common IP address.
- The infection chain begins with spear-phishing maldocs containing VBA macros that drop CrimsonRAT from an embedded archive.
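The infection chain above (a macro-enabled document carrying an embedded archive that the VBA code unzips and runs) has a structural signature that can be checked before any macro is executed, because a .docm is an OOXML zip container. The following triage script is an added example written for this summary, not code from Talos or from the report; it builds a constructed sample that mimics the described maldoc layout (a word/vbaProject.bin member plus a nested zip under word/embeddings/) and flags the combination of "has VBA project" and "contains an embedded archive", then looks inside any embedded archive for members starting with the PE magic bytes. The member names and the sample contents are assumptions made for illustration.

```python
import io
import zipfile

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal .docm-like container with a VBA project
    and an embedded archive holding an executable-looking member.
    The member names and payload bytes are placeholders, not real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", PE_MAGIC + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # OLE compound-file header bytes, as found at the start of vbaProject.bin
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)
        z.writestr("word/embeddings/oleObject1.bin", inner.getvalue())
    return outer.getvalue()


def build_benign_docx() -> bytes:
    """Constructed sample: an ordinary document with no macros and no embedded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def triage_docm(data: bytes) -> dict:
    """Inspect an OOXML container and report the maldoc pattern described
    in the report: VBA project present AND an embedded archive present.
    Also lists executables (PE magic) found inside any embedded archive."""
    findings = {
        "has_vba": False,
        "embedded_archives": [],
        "nested_executables": [],
        "members": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            findings["members"].append(name)
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
            blob = z.read(name)
            if blob.startswith(ZIP_MAGIC):
                findings["embedded_archives"].append(name)
                # Walk the nested archive and flag members that look like PE files
                with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                    for inner_name in inner.namelist():
                        if inner.read(inner_name).startswith(PE_MAGIC):
                            findings["nested_executables"].append(f"{name}:{inner_name}")
    findings["suspicious"] = findings["has_vba"] and bool(findings["embedded_archives"])
    return findings


if __name__ == "__main__":
    for label, doc in (("sample maldoc", build_sample_docm()), ("benign docx", build_benign_docx())):
        result = triage_docm(doc)
        print(label, "suspicious" if result["suspicious"] else "clean", result["nested_executables"])
```

The check is deliberately static: it never opens the document in Word or runs the macro, so it is safe to run in a mail gateway or sandbox pre-filter. A real deployment would also extract and inspect the VBA source (for example with a tool such as oletools) and compute the hash of any nested executable for comparison against the report's indicators.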
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Maldocs delivered to target via spear-phishing email. “The attack consists of a maldoc delivered to the target as an attachment or a link to a remote location via a spear-phishing email.”
- [T1059.005] Visual Basic – Malicious VBA macros in the maldocs used to drop the payload. “The macros extract an embedded archive file from the maldoc and unzip it to execute a copy of the malware in the archive file.”
- [T1027] Obfuscated/Compressed Files and Information – Embedded archive is unzipped to execute CrimsonRAT. “The macros extract an embedded archive file from the maldoc and unzip it to execute a copy of the malware in the archive file.”
- [T1113] Screen Capture – CrimsonRAT can take screenshots and exfiltrate to C2. “Take screenshots of the current screen and send them to the C2.”
- [T1056.001] Keylogging – CrimsonRAT can log keystrokes and manage USB modules. “Run specific processes on the endpoint, such as keylogger and USB modules.”
- [T1083] File and Directory Discovery – The malware lists files and folders on the endpoint. “List files and folders in a directory path specified by the command and control (C2).”
- [T1057] Process Discovery – The malware lists processes on the endpoint. “List process IDs and names running on the endpoint.”
- [T1082] System Information Discovery – Gather system information such as computer name, OS, and file paths. “Get information, such as name, creation times and size of image files…”
- [T1041] Exfiltration Over C2 Channel – Exfiltrates data to C2 (e.g., keylogger logs). “Upload keylogger logs from a file on disk to the C2.”
- [T1107] File Deletion – Deletes files on the endpoint as instructed by C2. “Delete files specified by the C2 from the endpoint.”
- [T1105] Ingress Tool Transfer – Downloads additional modules (e.g., USB worm, keylogger) from C2 and writes them to disk. “Download the USB worm and keylogger modules from the C2 and write them to disk.”
Indicators of Compromise
- [IP] Campaign infrastructure – 192.3.99.68, 198.37.123.126
- [Domain] Campaign domains – studentsportal.live, geo-news.tv, and 17 more items
- [URL] Malicious download links – hxxps://studentsportal.live/download.php?file=Mental_Health_Survey.docm, hxxps://studentsportal.website/download.php?file=5-mar.zip
- [Email] Admin/registrar emails – [email protected], [email protected]
- [FileHash] Malicious file hashes – bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00, 388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622
- [Filename] Malicious documents – Mental_Health_Survey.docm, 5-mar.zip
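To make the indicators above actionable, a defender typically sweeps proxy, DNS and EDR telemetry for matches on the IPs, domains (including subdomains), download URLs, file hashes and filenames. The script below is an added example written for this summary, not code from Talos; it loads the indicators exactly as published (refanging the hxxps:// URLs), parses a constructed key=value log format that is an assumption for illustration, and reports every line that touches an indicator. The sample log lines are constructed and are not from the report.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators as published in the report (URLs are defanged there).
IOC_IPS = {"192.3.99.68", "198.37.123.126"}
IOC_DOMAINS = {"studentsportal.live", "studentsportal.website", "geo-news.tv"}
IOC_URLS_DEFANGED = {
    "hxxps://studentsportal.live/download.php?file=Mental_Health_Survey.docm",
    "hxxps://studentsportal.website/download.php?file=5-mar.zip",
}
IOC_SHA256 = {
    "bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00",
    "388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622",
}
IOC_FILENAMES = {"Mental_Health_Survey.docm", "5-mar.zip"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its live form for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}

# Constructed sample telemetry (assumed key=value format; not from the report).
SAMPLE_LOGS = [
    "ts=2022-07-13T10:02:11Z host=WS-17 src=10.0.5.21 dst=studentsportal.live url=https://studentsportal.live/download.php?file=Mental_Health_Survey.docm",
    "ts=2022-07-13T10:02:40Z host=WS-09 src=10.0.5.40 dst=www.example.org url=https://www.example.org/index.html",
    "ts=2022-07-13T10:05:02Z host=WS-17 src=10.0.5.21 dst=192.3.99.68 url=-",
    r"ts=2022-07-13T10:06:15Z host=WS-22 sha256=bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00 file=C:\Users\a\Downloads\5-mar.zip",
    "ts=2022-07-13T10:07:30Z host=WS-09 src=10.0.5.40 dst=mail.geo-news.tv url=-",
]


def parse_line(line: str) -> dict:
    """Split a space-separated key=value line into a dict."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def url_filename(url: str):
    """Extract the file= query parameter, which the campaign's download links use."""
    return parse_qs(urlparse(url).query).get("file", [None])[0]


def match_fields(fields: dict) -> list:
    """Return (indicator_type, value) pairs for every IoC the record touches."""
    hits = []
    dst = fields.get("dst", "")
    if dst in IOC_IPS:
        hits.append(("ip", dst))
    for domain in sorted(IOC_DOMAINS):
        if dst == domain or dst.endswith("." + domain):
            hits.append(("domain", domain))
    url = fields.get("url", "")
    if url in IOC_URLS:
        hits.append(("url", url))
    candidates = []
    if url.startswith("http"):
        candidates.append(url_filename(url))
    if "file" in fields:
        candidates.append(re.split(r"[\\/]", fields["file"])[-1])  # basename of a path
    for name in candidates:
        if name in IOC_FILENAMES:
            hits.append(("filename", name))
    if fields.get("sha256") in IOC_SHA256:
        hits.append(("sha256", fields["sha256"]))
    return hits


def scan_logs(lines: list) -> list:
    """Return one record per log line that matched at least one indicator."""
    results = []
    for line in lines:
        fields = parse_line(line)
        hits = match_fields(fields)
        if hits:
            results.append({"ts": fields.get("ts"), "host": fields.get("host"), "hits": hits})
    return results


if __name__ == "__main__":
    for rec in scan_logs(SAMPLE_LOGS):
        print(rec["ts"], rec["host"], rec["hits"])
```

Matching on the parent domain (so mail.geo-news.tv is caught by the geo-news.tv indicator) and on the file= parameter rather than only the full URL gives some resilience to trivial variations in the links, while the exact-hash match remains the highest-confidence signal.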
Read more: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html