Transparent Tribe APT returns to strike India's government and military

The development of custom malware indicates the group is trying to "compromise even more victims."
Written by Charlie Osborne, Contributing Writer

The Transparent Tribe hacking group is back with a new malware arsenal and victim list including India's government and military. 

Active since at least 2013, the advanced persistent threat (APT) group operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan – with the exception being attacks recorded against human rights activists in Pakistan. 

Transparent Tribe, suspected of being of Pakistani origin, is also tracked by cybersecurity researchers using the labels PROJECTM, APT36, and Mythic Leopard. 

In 2020, Kaspersky found that the APT was the architect of ongoing cyberattacks against government and military personnel. Malware including Trojans, backdoors, and a propagation tool called USBWorm that quietly copied malicious code to removable drives were used at the time. 

Cisco Talos has provided an update on Transparent Tribe activities. On Tuesday, cybersecurity researchers Asheer Malhotra, Justin Thattil, and Kendall McKay said in a blog post that a campaign, ongoing since at least June 2021, has chosen the Indian government and military bodies as targets.

Transparent Tribe uses phishing to deliver maldocs and malicious web domains to push its malware, which is primarily Windows-based. The fake websites used to deliver payloads mimic government and defense organizations and will serve visitors downloader executables, packaged up to appear to be friendly software, .PDFs, or image files. 

While past themes have included topics such as COVID-19, the APT moves with the times and adapts to different trends. The latest samples, deployed in 2022, include a fake version of Kavach, a multi-factor authentication (MFA) application. 

Talos says that the legitimate Kavach app is "widely used" by India's military for accessing government resources. If a target executes the fake .NET executable, upon installation, a legitimate version of the app is installed -- alongside a malware dropper. 

The second version of this infection vector might raise suspicion, though, as the full MSI installer for Kavach is pulled -- as a 141MB package. 

Malicious payloads, including the Remote Access Trojan (RAT) CrimsonRAT are downloaded and executed. 

Since 2020, the .NET RAT is considered the APT's "malware of choice" and is capable of extensive data theft and surveillance. However, Talos notes that Transparent Tribe continues to "incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims."

Among the group's current toolset are the long-standing ObliqueRAT malware, a new Python-based stager for deploying NET-based spyware and other Trojans, and a new .NET implant for executing arbitrary code. 

The new additions are "quickly deployable" malicious tools and RATs, Talos says. When the smaller payloads are used, the threat actors appear to accept their more limited capabilities as a trade-off compared to CrimsonRAT and ObliqueRAT.

In addition, Transparent Tribe has not ignored mobile technologies in its quest for fresh victims. One tool, CapraRAT, is in constant development and has one goal: the theft of data from handsets. 

"This campaign furthers this targeting and their central goal of establishing long-term access for espionage," the researchers say. "The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards