Transparent Tribe campaign uses new bespoke malware to target Indian government officials

Cisco Talos reports a new Transparent Tribe campaign targeting Indian government and military entities, deploying CrimsonRAT alongside bespoke stagers and implants. The operation uses fake domains mimicking legitimate government sites and multiple delivery methods to diversify infection chains and enable agile, rapid deployment. #CrimsonRAT #APT36 #TransparentTribe #Kavach #DSOI #MythicLeopard

Key points

  • New Transparent Tribe (APT36) campaign targets Indian government and military entities, deploying CrimsonRAT with novel stagers and implants.
  • Campaign active since at least June 2021 and uses fake domains mimicking legitimate government organizations to deliver payloads.
  • Group is diversifying entry mechanisms and incorporating bespoke malware to broaden targets and enhance operational agility.
  • Adversary deploys small, bespoke stagers/downloaders designed for rapid modification and quick deployment of implants.
  • Three implants observed: CrimsonRAT, a Python-based stager leading to .NET tools, and a lightweight .NET implant; mobile implants like CapraRAT also used.
  • Delivery vectors include installers masquerading as Kavach, maldocs, archives, and decoys; campaign shows evolution with IMG, VHDX, and RAR-based techniques and domain cloning.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Maldocs serve as an initial infection vector that delivers the downloaders. “malicious documents (maldocs) as an initial infection vector to deliver the malicious downloaders.”
  • [T1036] Masquerading – Fake domains mimicking legitimate government and quasi-government organizations to deliver malicious payloads; executables masquerading as installers of legitimate applications. “executables masquerading as installers of legitimate applications”
  • [T1105] Ingress Tool Transfer – Downloaders reach out to attacker-controlled sites to download a malicious payload. “downloaders will then reach out to a malicious website, masquerading as a legitimate Indian government or pseudo-government entity, to download a malicious payload that is then activated on the endpoint.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via an InternetShortcut (.url file) in the current user’s Startup directory. “persists via an InternetShortcut in the current user’s Startup directory.”
  • [T1056.001] Input Capture: Keylogging – Keylogger and USB modules are present among CrimsonRAT’s capabilities. “keylogger and USB modules.”
  • [T1113] Screen Capture – Capabilities include taking screenshots and sending them to the C2. “Take screenshots of the current screen and send it to C2.”
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of data to C2. “exfiltrate to the C2.”
  • [T1059] Command and Scripting Interpreter – Ability to run arbitrary commands on the system. “Run arbitrary commands on the system.”
  • [T1107] File Deletion – Delete files on the endpoint as commanded by C2. “Delete files specified by the C2 from the endpoint.”
  • [T1083] File and Directory Discovery – List files and folders in a path provided by the C2. “List files and folders in a directory path specified by the C2.”
  • [T1057] Process Discovery – List running processes on the endpoint. “List all running processes on the endpoint.”
  • [T1082] System Information Discovery – Collects computer name, user, OS, and other system details. “Get information such as name, creation times and size of image files…”
  • [T1005] Data from Local System – Read contents of a file on disk and exfiltrate to C2. “Read contents of a file on disk and exfiltrate to C2.”
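The Startup-folder InternetShortcut persistence listed under T1547.001 is easy to hunt for because a .url file is a plain INI-style text file. The script below is an added example, not Talos code: it parses every .url file in a Startup directory, pulls the URL= target out of the [InternetShortcut] section, and classifies whether that target is a remote page (an ordinary bookmark) or a local executable, which is the case an analyst wants surfaced. The demo folder, the shortcut names and the target path update-helper.exe are constructed for the example; on a live host you would point hunt_startup() at default_startup_dir() instead.

```python
"""Hunt for InternetShortcut (.url) persistence in a user's Startup folder.

Added example, not Talos tooling. A .url file placed in the Startup folder is
opened by the shell at logon; when its URL= line points at a local executable,
that executable runs. hunt_startup() lists each .url file with what it would
launch so the entries can be reviewed.
"""
import os
import tempfile
from pathlib import Path

# Extensions that make a URL= target count as code execution rather than a bookmark.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi"}


def default_startup_dir() -> Path:
    """Per-user Startup folder on Windows, resolved from %APPDATA%."""
    return (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
            / "Start Menu" / "Programs" / "Startup")


def parse_internet_shortcut(text: str) -> dict:
    """Return key/value pairs of the [InternetShortcut] section, keys lowercased."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def classify_target(url: str) -> str:
    """Classify what a URL= value would launch: remote, local-executable, local-other or empty."""
    target = url.strip().strip('"')
    low = target.lower()
    if not low:
        return "empty"
    if low.startswith(("http://", "https://")):
        return "remote"
    # file:///C:/dir/x.exe, a bare drive path or a UNC path all resolve to a local file.
    path = low[len("file:"):].lstrip("/") if low.startswith("file:") else low
    ext = os.path.splitext(path.split("?", 1)[0].replace("\\", "/"))[1]
    return "local-executable" if ext in EXECUTABLE_EXTS else "local-other"


def hunt_startup(startup_dir) -> list:
    """Report every .url shortcut in startup_dir with its target and classification."""
    findings = []
    for path in sorted(Path(startup_dir).glob("*.url")):
        try:
            text = path.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue
        fields = parse_internet_shortcut(text)
        target = fields.get("url", "")
        findings.append({
            "file": path.name,
            "target": target,
            "kind": classify_target(target),
            "icon": fields.get("iconfile", ""),
        })
    return findings


def build_demo_startup() -> str:
    """Create a temporary folder holding two constructed .url files (demo input only)."""
    d = tempfile.mkdtemp(prefix="startup-demo-")
    # Constructed: the pattern to catch, a shortcut whose target is a local EXE
    # under a user-writable path (file name and path are invented for the demo).
    Path(d, "Edge Update.url").write_text(
        "[InternetShortcut]\nURL=file:///C:/Users/Public/Libraries/update-helper.exe\n"
        "IconIndex=0\nIconFile=C:\\Users\\Public\\Libraries\\update-helper.exe\n",
        encoding="utf-8")
    # Constructed: an ordinary bookmark, which is what a .url file normally is.
    Path(d, "Intranet.url").write_text(
        "[InternetShortcut]\nURL=https://intranet.example/\n", encoding="utf-8")
    return d


if __name__ == "__main__":
    folder = build_demo_startup()  # replace with default_startup_dir() on a live host
    for f in hunt_startup(folder):
        print(f"{f['kind']:17} {f['file']:18} -> {f['target']}")
```

The classification deliberately treats a file: URL and a bare drive path the same way, since the shell launches either; a "local-executable" entry in Startup is rare in normal use and is the one to pull for review together with its IconFile, which often points at the same binary.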

Indicators of Compromise

  • [IP] 144.91.79.40, 194.163.129.89, 200.202.100.110, 206.215.155.105, 45.147.228.195, 5.189.170.84 – observed infrastructure/communication related to campaign.
  • [Domain] zoneflare[.]com, secure256[.]net, directfileshare[.]net, dsoi[.]info, kavach-app[.]in, download[.]kavach-app[.]in – domains used to host payloads and decoys.
  • [URL] hxxp://directfileshare[.]net/DA-Updated.xls, hxxp://directfileshare[.]net/dd/m.exe, hxxp://download[.]kavach-app[.]in/Kavach.msi, hxxp://dsoi[.]info/downloads/chrmeziIIa.exe, hxxp://zoneflare[.]com/C2L!Dem0&PeN/A@llPack3Ts/Cert.php – example download and downloader URLs.
  • [Hash] 15b90d869b4bcc3cc4b886abbf61134e408088fdfbf48e9ab5598a4c80f6f4d8, d2113b820db894f08c47aa905b6f643b1e6f38cce7adf7bf7b14d8308c3eaf6e – sample maldoc/download-related hashes.
  • [Hash] 08603759173157c2e563973890da60ab5dd758a02480477e5286fccef72ef1a2 – sample LNK-based artifact.
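The indicators above are defanged (hxxp://, [.]) so they cannot be clicked by accident, which also means they cannot be matched against logs as written. The script below is an added example, not Talos tooling: it refangs the published IPs, domains, URLs and SHA-256 hashes, then sweeps them over log lines, matching domains by suffix so that a lookup for a subdomain of a listed domain still fires, matching URLs on scheme, host and exact path, and matching hashes case-insensitively. The five log lines (DNS, proxy, connection and EDR records) are constructed for the demo and are not from the report.

```python
"""Refang the published indicators and sweep them across log lines.

Added example, not Talos tooling. Indicator values are copied from the IoC
list; the log lines below are constructed for the demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as published, defanged with hxxp:// and [.].
RAW_IOCS = {
    "ip": ["144.91.79.40", "194.163.129.89", "200.202.100.110",
           "206.215.155.105", "45.147.228.195", "5.189.170.84"],
    "domain": ["zoneflare[.]com", "secure256[.]net", "directfileshare[.]net",
               "dsoi[.]info", "kavach-app[.]in", "download[.]kavach-app[.]in"],
    "url": ["hxxp://directfileshare[.]net/DA-Updated.xls",
            "hxxp://directfileshare[.]net/dd/m.exe",
            "hxxp://download[.]kavach-app[.]in/Kavach.msi",
            "hxxp://dsoi[.]info/downloads/chrmeziIIa.exe",
            "hxxp://zoneflare[.]com/C2L!Dem0&PeN/A@llPack3Ts/Cert.php"],
    "sha256": ["15b90d869b4bcc3cc4b886abbf61134e408088fdfbf48e9ab5598a4c80f6f4d8",
               "d2113b820db894f08c47aa905b6f643b1e6f38cce7adf7bf7b14d8308c3eaf6e",
               "08603759173157c2e563973890da60ab5dd758a02480477e5286fccef72ef1a2"],
}


def refang(value: str) -> str:
    """Undo the defanging conventions used in threat reports."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def url_key(url: str) -> tuple:
    """Normalise a URL for comparison: scheme and host case-insensitive, path exact."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def compile_iocs(raw: dict) -> dict:
    """Turn the defanged lists into sets that support fast exact lookups."""
    return {
        "ip": {ipaddress.ip_address(v) for v in raw["ip"]},
        "domain": {refang(v).lower() for v in raw["domain"]},
        "url": {url_key(refang(v)) for v in raw["url"]},
        "sha256": {v.lower() for v in raw["sha256"]},
    }


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_domain(host: str, domains: set):
    """Return the listed domain that equals host or is a parent of it, else None."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, value) hits for one log line."""
    hits = []
    lowered = line.lower()
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(line)]
    # Hostnames are extracted from the line with URLs blanked out, plus URL hosts.
    hosts = set(HOST_RE.findall(URL_RE.sub(" ", lowered)))
    for u in urls:
        if url_key(u) in iocs["url"]:
            hits.append(("url", u))
        hosts.add(urlsplit(u).hostname or "")
    for h in sorted(hosts):
        m = match_domain(h, iocs["domain"])
        if m:
            hits.append(("domain", m))
    for ip in IPV4_RE.findall(lowered):
        try:
            if ipaddress.ip_address(ip) in iocs["ip"]:
                hits.append(("ip", ip))
        except ValueError:
            pass  # e.g. 999.1.1.1 is not a valid address
    for h in SHA256_RE.findall(lowered):
        if h in iocs["sha256"]:
            hits.append(("sha256", h))
    return hits


def scan_log(lines, iocs: dict) -> list:
    """Return (line_index, kind, value) for every hit across the log."""
    return [(i, kind, value) for i, line in enumerate(lines)
            for kind, value in scan_line(line, iocs)]


# Constructed sample records (DNS, proxy, connection, EDR, benign DNS); not real telemetry.
SAMPLE_LOG = [
    "2022-03-15T10:02:11Z dns query=download.kavach-app.in type=A client=10.0.0.23",
    "2022-03-15T10:02:12Z proxy client=10.0.0.23 url=http://directfileshare.net/dd/m.exe status=200",
    "2022-03-15T10:05:00Z conn src=10.0.0.23 dst=144.91.79.40:443 proto=tcp bytes=4821",
    r"2022-03-15T10:05:30Z edr host=WS-042 file=C:\Users\jdoe\Downloads\DA-Updated.xls "
    "sha256=15B90D869B4BCC3CC4B886ABBF61134E408088FDFBF48E9AB5598A4C80F6F4D8",
    "2022-03-15T10:06:00Z dns query=www.example.com type=A client=10.0.0.24",
]

if __name__ == "__main__":
    for idx, kind, value in scan_log(SAMPLE_LOG, compile_iocs(RAW_IOCS)):
        print(f"line {idx}: {kind:7} {value}")
```

Suffix matching is what makes the domain list useful beyond the exact names published: kavach-app[.]in is listed, so any other label under it would also be flagged. The URL comparison keeps the path case-sensitive on purpose, since web servers generally are, while the hash comparison lowercases both sides because EDR products differ in how they print hex.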

Read more: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html