Transparent Tribe, APT 36

Transparent Tribe, APT 36, ProjectM, Mythic Leopard, TEMP.Lapis, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH
(Type: -)

(Proofpoint) Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions. Our analysis shows that many of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, but the exact nature and attribution associated with this APT remain under investigation. At this time, the background and analysis in this paper provide useful forensics and detail our current thinking on the malware that we have dubbed “MSIL/Crimson”. Transparent Tribe may be related to {{Gorgon Group}} and {{SideCopy}}. Transparent Tribe has been observed to use the Andromeda botnet (operated by {{Andromeda Spider}}).

[News Analysis] Trends:

Total Trend: 0

[TTP Analysis] Technique Performance (ATT&CK techniques attributed to this actor / techniques and sub-techniques defined in the tactic):

Reconnaissance          0/43
Resource Development    3/45
Initial Access          3/19
Execution               4/36
Persistence             0/113
Privilege Escalation    0/96
Defense Evasion         3/184
Credential Access       0/63
Discovery               0/44
Lateral Movement        0/22
Collection              0/37
Command and Control     1/39
Exfiltration            0/18
Impact                  0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics with no attributed techniques: TA0043 Reconnaissance, TA0003 Persistence, TA0004 Privilege Escalation, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0010 Exfiltration, TA0040 Impact

TA0042 Resource Development
  T1583.001 Acquire Infrastructure: Domains
  T1584.001 Compromise Infrastructure: Domains
  T1608.004 Stage Capabilities: Drive-by Target

TA0001 Initial Access
  T1189 Drive-by Compromise
  T1566.001 Phishing: Spearphishing Attachment
  T1566.002 Phishing: Spearphishing Link

TA0002 Execution
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1203 Exploitation for Client Execution
  T1204.001 User Execution: Malicious Link
  T1204.002 User Execution: Malicious File

TA0005 Defense Evasion
  T1564.001 Hide Artifacts: Hidden Files and Directories
  T1036.005 Masquerading: Match Legitimate Name or Location
  T1027 Obfuscated Files or Information

TA0011 Command and Control
  T1568 Dynamic Resolution
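The only Command and Control technique attributed to this actor is T1568 Dynamic Resolution, which the MITRE entry on this page ties to dynamic DNS services used for C2. The script below is an added example, not code from the original page or from any vendor report on this group: it runs over a constructed resolver log and flags two things a defender can act on, lookups of hostnames under public dynamic-DNS providers, and hostnames that re-resolve to a different address between lookups. The log format, the provider suffix list and the sample lines are all assumptions made for illustration.

```python
"""Added example (not from the original profile or any vendor report): flag
DNS lookups that fit the T1568 pattern attributed to this actor, i.e. C2
hostnames under public dynamic-DNS providers, and hostnames whose answer
changes between lookups. The log format, the provider suffix list and the
sample lines below are constructed for illustration."""
import re
from collections import defaultdict

# Assumed: an illustrative list of public dynamic-DNS suffixes. Maintain the
# real list from a curated feed; this one is deliberately short.
DYNAMIC_DNS_SUFFIXES = (
    "ddns.net", "no-ip.com", "no-ip.org", "hopto.org", "zapto.org",
    "myftp.biz", "duckdns.org", "dyndns.org",
)

# Assumed resolver log format: "<timestamp> <client_ip> <qname> <qtype> <answer>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>A|AAAA)\s+(?P<answer>\S+)$"
)

# Constructed sample log: an internal lookup, an ordinary external lookup, and a
# dynamic-DNS hostname that resolves to two different addresses two hours apart.
SAMPLE_LOG = """\
2020-03-17T09:01:12Z 10.0.0.5 update.corp-intranet.local A 10.0.0.20
2020-03-17T09:02:40Z 10.0.0.7 health-advisory.ddns.net A 198.51.100.23
2020-03-17T09:03:05Z 10.0.0.7 www.example.org A 192.0.2.10
2020-03-17T11:15:51Z 10.0.0.7 health-advisory.ddns.net A 203.0.113.9
2020-03-17T11:20:00Z 10.0.0.9 filesrv.hopto.org AAAA 2001:db8::1
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def is_dynamic_dns(qname):
    """True when qname is, or sits under, a listed dynamic-DNS suffix."""
    name = normalize(qname)
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_line(line):
    """Parse one log line into a dict, or None for blank/malformed lines."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return (hits, churn).

    hits:  records whose query name is under a dynamic-DNS provider.
    churn: qname -> ordered list of distinct answers, for names that re-resolved
           to a different address (the behaviour that makes dynamic resolution
           useful to an operator and visible to a defender).
    """
    hits = []
    history = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = normalize(rec["qname"])
        if rec["answer"] not in history[qname]:
            history[qname].append(rec["answer"])
        if is_dynamic_dns(qname):
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "qname": qname, "answer": rec["answer"]})
    churn = {q: a for q, a in history.items() if len(a) > 1}
    return hits, churn


if __name__ == "__main__":
    hits, churn = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"dynamic-dns lookup {h['ts']} {h['client']} {h['qname']} -> {h['answer']}")
    for q, answers in churn.items():
        print(f"re-resolved {q}: {' -> '.join(answers)}")
```

The suffix match alone is noisy on networks where staff legitimately use these providers; the re-resolution list is the more useful pivot, because a C2 hostname that moves between hosting providers within a day is exactly what this technique is for, and the client column tells you which workstation to pull for triage.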


[Infrastructure Analysis] Based on Related IOC:

No related IOCs listed (the IP:Port, Domain and URL tables, each with a Timestamp column, are empty).

[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Actor: Transparent Tribe, APT 36

Names: Transparent Tribe, APT 36, ProjectM, Mythic Leopard, TEMP.Lapis, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH

Country: Pakistan

Motivation: Information theft and espionage

First-seen: 2013

Description: (Proofpoint) Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions. Our analysis shows that many of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, but the exact nature and attribution associated with this APT remain under investigation. At this time, the background and analysis in this paper provide useful forensics and detail our current thinking on the malware that we have dubbed “MSIL/Crimson”. Transparent Tribe may be related to {{Gorgon Group}} and {{SideCopy}}. Transparent Tribe has been observed to use the Andromeda botnet (operated by {{Andromeda Spider}}).

Observed-sectors: Defense, Education, Embassies, Government

Observed-countries: Afghanistan, Australia, Austria, Azerbaijan, Belgium, Botswana, Bulgaria, Canada, China, Czech Republic, Germany, India, Iran, Japan, Kazakhstan, Kenya, Malaysia, Mongolia, Nepal, Netherlands, Oman, Pakistan, Romania, Saudi Arabia, Spain, Sweden, Thailand, Turkey, UAE, UK, USA

Tools: Amphibeon, Android RAT, beendoor, Bezigate, Bozok, BreachRAT, CapraRAT, Crimson RAT, DarkComet, Limepad, Luminosity RAT, Mobzsar, MumbaiDown, njRAT, ObliqueRAT, Peppy RAT, QuasarRAT, SilentCMD, Stealth Mango, UPDATESEE, USBWorm, Waizsar RAT

Operations:

2012: Operation “Transparent Tribe”. On February 11, 2016, we discovered two attacks minutes apart directed towards officials at Indian embassies in both Saudi Arabia and Kazakhstan. Both e-mails (Fig. 1, 2) were sent from the same originating IP address (5.189.145[.]248) belonging to Contabo GmbH, a hosting provider that seems to be currently favored by these threat actors. The e-mails also likely utilized Rackspace’s MailGun service and both of them were carrying the same exact attachment. https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

2016-03: Indian TV station CNN-IBN has discovered that Pakistani officials were collecting data about Indian troop movements using an Android app called SmeshApp. https://news.softpedia.com/news/smeshapp-removed-from-play-store-because-pakistan-used-it-to-spy-on-indian-army-501936.shtml

2016-03: Operation “C-Major”. Trend Micro is reporting on a third campaign, which they’ve named Operation C-Major. According to the security firm, this campaign targeted Indian military officials via spear-phishing emails, distributing spyware to its victims via an Adobe Reader vulnerability. https://news.softpedia.com/news/another-case-of-a-pakistani-apt-spying-on-indian-military-personnel-502093.shtml https://blog.trendmicro.com/trendlabs-security-intelligence/operation-c-major-actors-also-used-android-blackberry-mobile-spyware-targets/

2017-02: This blog post describes another attack campaign where attackers impersonated the identity of the Indian think tank IDSA (Institute for Defence Studies and Analyses) and sent out spear-phishing emails to target officials of the Central Bureau of Investigation (CBI) and possibly officials of the Indian Army. https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/

2019-06: Over the past year, we have seen this group undergo an evolution, stepping up its activities, starting massive infection campaigns, developing new tools and strengthening their focus on Afghanistan. https://securelist.com/transparent-tribe-part-1/98127/ https://securelist.com/transparent-tribe-part-2/98233/

2020-01: Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal. https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

2020-01: Transparent Tribe is back with a new campaign after several years of (apparently) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. https://blog.yoroi.company/research/transparent-tribe-four-years-later/

2020 (early): TransparentTribe started using a new module named USBWorm at the beginning of 2020, as well as improving its custom .NET tool named CrimsonRAT. https://securelist.com/apt-trends-report-q1-2020/96826/

2020-03: APT36 spreads fake coronavirus health advisory. https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/

2020-04: Operation “Honey Trap”: APT36 Targets Defense Organizations in India. https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/

2021-02: ObliqueRAT returns with new campaign using hijacked websites. https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html

2021-06: Transparent Tribe campaign uses new bespoke malware to target Indian government officials. https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html

2021-12: Transparent Tribe begins targeting education sector in latest campaign. https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

2022: APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations. https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations

2022-07: Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials. https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/

2022-07: Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector. https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/

2022-11: New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix. https://www.securonix.com/blog/new-steppykavach-attack-campaign/

2023-04: Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign. https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware

Information: https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html

Information: https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/

Information: https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/

Information: https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

Information: https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html

Mitre-attack: https://attack.mitre.org/groups/G0134/

Last-card-change: 2023-04-26

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics with no attributed techniques: TA0043 Reconnaissance, TA0003 Persistence, TA0004 Privilege Escalation, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0010 Exfiltration, TA0040 Impact

TA0042 Resource Development
  T1583.001 Acquire Infrastructure: Domains
  Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.
  T1584.001 Compromise Infrastructure: Domains
  Transparent Tribe has compromised domains for use in targeted malicious campaigns.
  T1608.004 Stage Capabilities: Drive-by Target
  Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.

TA0001 Initial Access
  T1189 Drive-by Compromise
  Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.
  T1566.001 Phishing: Spearphishing Attachment
  Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.
  T1566.002 Phishing: Spearphishing Link
  Transparent Tribe has embedded links to malicious downloads in e-mails.

TA0002 Execution
  T1059.005 Command and Scripting Interpreter: Visual Basic
  Transparent Tribe has crafted VBS-based malicious documents.
  T1203 Exploitation for Client Execution
  Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.
  T1204.001 User Execution: Malicious Link
  Transparent Tribe has directed users to open URLs hosting malicious content.
  T1204.002 User Execution: Malicious File
  Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.

TA0005 Defense Evasion
  T1564.001 Hide Artifacts: Hidden Files and Directories
  Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.
  T1036.005 Masquerading: Match Legitimate Name or Location
  Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.
  T1027 Obfuscated Files or Information
  Transparent Tribe has dropped encoded executables on compromised hosts.

TA0011 Command and Control
  T1568 Dynamic Resolution
  Transparent Tribe has used dynamic DNS services to set up C2.
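The T1564.001 and T1036.005 entries above describe one combined trick: a legitimate directory on the victim's media is given the hidden attribute, and an executable with the directory's name and a folder icon is placed beside it so a user who double-clicks the "folder" runs the payload. The script below is an added example, not code from the original page or from any vendor analysis of the USBWorm module: it audits one directory level (typically a removable-drive root) for hidden directories whose name is reused by a visible executable. The pairing heuristic, the extension list and the sample listing are assumptions made for illustration; on non-Windows hosts a leading dot stands in for the hidden attribute so the script still runs.

```python
"""Added example (not from the original profile or any vendor report): audit a
directory for the folder-decoy pattern attributed to this actor, where a
legitimate directory is hidden and an executable carrying the same name sits
beside it. Pairing heuristic, extension list and sample data are assumptions."""
import os
import stat
import sys
from dataclasses import dataclass

# Assumed: extensions that run on double-click and can carry a folder icon.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def _key(name):
    """Case-insensitive name key; a POSIX dot prefix stands in for the Windows
    hidden attribute when the script runs outside Windows."""
    return name.lstrip(".").lower()


def _is_hidden(direntry):
    st = direntry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or direntry.name.startswith(".")


def list_entries(path):
    """Snapshot one directory level (the drive root is where the decoys sit)."""
    with os.scandir(path) as it:
        return [Entry(e.name, e.is_dir(follow_symlinks=False), _is_hidden(e)) for e in it]


def find_folder_masquerades(entries):
    """Return sorted (hidden_dir, decoy_file) pairs: a hidden directory whose
    name is reused by a visible executable in the same listing."""
    hidden_dirs = {_key(e.name): e.name for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        if e.is_dir or e.hidden:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in EXEC_EXTS and _key(base) in hidden_dirs:
            findings.append((hidden_dirs[_key(base)], e.name))
    return sorted(findings)


def scan_path(path):
    """Audit a real directory, e.g. the root of a mounted USB drive."""
    return find_folder_masquerades(list_entries(path))


# Constructed listing of a USB root after the decoy technique has been applied.
SAMPLE_USB_ROOT = [
    Entry("Documents", True, True),                  # real folder, now hidden
    Entry("Documents.exe", False, False),            # decoy shown with a folder icon
    Entry("Photos", True, True),
    Entry("Photos.scr", False, False),
    Entry("Backup", True, False),                    # untouched visible folder
    Entry("readme.txt", False, False),
    Entry("System Volume Information", True, True),  # hidden by Windows itself, no decoy
]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_path(target) if target else find_folder_masquerades(SAMPLE_USB_ROOT)
    for hidden_dir, decoy in results:
        print(f"possible folder decoy: '{decoy}' beside hidden directory '{hidden_dir}'")
```

Run it with a drive path (for example `python audit.py E:\`) to check real media, or with no argument to run against the constructed listing. A hidden directory on its own is not a finding (Windows hides System Volume Information legitimately); only the hidden-directory-plus-same-name-executable pair is flagged, which keeps the check quiet on clean drives while catching the exact behaviour the two ATT&CK entries describe.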