Transparent Tribe is running campaigns against government and military personnel, and researchers have uncovered a new tool in its arsenal designed to infect USB devices and spread to other systems.
The advanced persistent threat (APT) group, as previously tracked by Proofpoint (.PDF), has been in operation since at least 2013 and has previously been connected to attacks against the Indian government and military.
Recently, the APT has shifted its focus to Afghanistan, however, researchers have documented its presence in close to 30 countries.
Also known as PROJECTM and MYTHIC LEOPARD, Transparent Tribe is described as a "prolific" group involved in "massive espionage campaigns."
Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target, Kaspersky said in a blog post on Thursday.
The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent together with malicious Microsoft Office documents containing an embedded macro that deploys the group's main payload, the Crimson Remote Access Trojan (RAT).
If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance.
Kaspersky says the Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers.
The Trojan comes in two versions that have been compiled across 2017, 2018, and at the end of 2019, suggesting the malware is still in active development.
Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest.
USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines.
If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and, for each one, writes a copy of the Trojan into the drive's root directory under the same name as that directory. The real directory's attribute is then changed to "hidden", and the copy is given a fake Windows folder icon, so that victims launch the payload when they try to open what looks like their own folder.
"This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name," the researchers note.
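The folder-impersonation trick described above leaves a recognisable trace on the drive: an executable sitting next to a directory of the same name. The following script is an added example written for this article, not Kaspersky's code or a detection for any specific sample. It scans the root of a (real or mounted) removable drive for that pattern and reports, for each match, whether the twin directory carries the Windows hidden attribute. The set of executable extensions and the demo drive layout are assumptions made for the example; the page only says "a copy of the Trojan".

```python
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption for this example: extensions a folder-impersonating dropper
# would plausibly use. Extend to taste; the article does not specify one.
SUSPECT_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def is_hidden(path: Path) -> Optional[bool]:
    """True/False from the Windows attribute bits; None where they are unavailable (POSIX)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_folder_impersonators(root) -> List[Dict]:
    """Return executables in `root` whose base name matches a sibling directory.

    Matching is case-insensitive because NTFS/FAT lookups are. Hidden entries
    are still returned by iterdir(), so the concealed real folders are seen.
    """
    root = Path(root)
    dirs_by_name = {p.name.lower(): p for p in root.iterdir() if p.is_dir()}
    findings = []
    for entry in root.iterdir():
        if not entry.is_file() or entry.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        twin = dirs_by_name.get(entry.stem.lower())  # "Tax Docs.exe" -> "tax docs"
        if twin is None:
            continue  # an executable with no same-named folder is not this pattern
        findings.append({
            "executable": entry.name,
            "directory": twin.name,
            "directory_hidden": is_hidden(twin),
            "size": entry.stat().st_size,
        })
    return sorted(findings, key=lambda f: f["executable"].lower())


def build_demo_drive(base: Path) -> None:
    """Constructed sample layout mimicking an infected removable drive (not real data)."""
    for name in ("Reports", "Tax Docs", "Photos"):
        (base / name).mkdir()
        (base / name / "note.txt").write_text("user data")
    fake_pe = b"MZ" + b"\x00" * 64  # placeholder bytes, not a real binary
    (base / "Reports.exe").write_bytes(fake_pe)    # planted impersonator
    (base / "Tax Docs.exe").write_bytes(fake_pe)   # planted impersonator
    (base / "setup.exe").write_bytes(fake_pe)      # benign: no matching folder


def demo() -> List[Dict]:
    """Build the constructed drive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_drive(base)
        return find_folder_impersonators(base)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['executable']:<16} impersonates {finding['directory']!r} "
              f"(hidden={finding['directory_hidden']}, {finding['size']} bytes)")
```

Run it against a real drive with `find_folder_impersonators("E:\\")`; on Windows the `directory_hidden` field will read True for the concealed originals, which is the second half of the pattern. The scan deliberately ignores executables without a same-named folder, so a plain `setup.exe` is not flagged; cleanup is the reverse of the infection (delete the executable, clear the hidden attribute on the directory), but do that only after the host PC itself has been cleaned, since the article notes an infected machine re-plants the copy on every drive connected to it.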
Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020.
"During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal," commented Kaspersky researcher Giampaolo Dedola. "We don't expect any slowdown from this group in the near future."
Earlier this month, Kaspersky documented ongoing campaigns launched by CactusPete. Also known as Karma Panda, the APT has been tracked across a number of countries while performing cyberespionage and data theft. It is suspected the group may be linked to the Chinese military.