Transparent Tribe APT group targets Indian government agencies

March 30, 2022
Tags: Transparent Tribe, APT, Threat Group, India, Government Agencies, Malware, RAT, Trojan, Pakistan

Since June 2021, a new attack campaign has been attributed to the Pakistan-based threat actor known as Transparent Tribe, which infects its victims with CrimsonRAT, a Windows remote access trojan. Researchers describe the group as an active APT that primarily targets government and military organisations in India and Afghanistan.

The group has also been expanding its malware toolset to compromise Android devices with the CapraRAT backdoor, whose feature set overlaps heavily with CrimsonRAT's.

In recently observed attacks, Transparent Tribe registered fake domains impersonating government agencies and used them to deliver its malware, including a stager written in Python that installs .NET reconnaissance tools and RATs, and a barebones .NET implant that runs arbitrary code on the victim's system.
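The fake government domains described above are a detection opportunity in proxy and DNS logs. The following is an added example, not code from the article or from the researchers it cites: it parses constructed proxy log lines and flags hostnames that carry government-lure words (assumed list: "kavach", "gov", "nic", "mail", "india") but do not sit under an assumed trusted zone (gov.in, nic.in). The log layout, the trusted zones and the token list are all assumptions to adapt to your environment.

```python
import re

# Assumed trusted zones for this example; a real deployment uses its own allowlist.
TRUSTED_ZONES = ("gov.in", "nic.in")

# Assumed lure tokens: words attackers reuse when impersonating Indian
# government services. Substring matching is deliberately loose, so expect
# false positives (e.g. "nic" inside "clinic") and tune per environment.
LURE_TOKENS = ("kavach", "gov", "nic", "mail", "india")

# Constructed proxy log (not real traffic): "<timestamp> <client> <host> <path>".
SAMPLE_LOG = """\
2022-03-30T10:01:02Z 10.0.0.5 email.gov.in /login
2022-03-30T10:02:10Z 10.0.0.5 kavach-app.in /download/KavachSetup.exe
2022-03-30T10:03:15Z 10.0.0.9 gov.in.mail-secure.net /
2022-03-30T10:04:00Z 10.0.0.9 cdn.example.com /static/app.js
2022-03-30T10:05:30Z 10.0.0.7 mail.nic.in /mailbox
2022-03-30T10:06:45Z 10.0.0.7 indiagovtmail.com /update.zip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_trusted(host):
    """True when host is exactly a trusted zone or a subdomain of one.

    The "." prefix matters: "gov.in.mail-secure.net" must not pass just
    because the string "gov.in" appears inside it.
    """
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in TRUSTED_ZONES)


def lure_tokens_in(host):
    """Return the lure tokens present in any label of the hostname."""
    labels = host.lower().replace("-", ".").split(".")
    return [t for t in LURE_TOKENS if any(t in label for label in labels)]


def flag_impersonating_hosts(log_text):
    """Parse proxy log lines and return hosts that look like government
    lures but are not under a trusted zone."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, host, path = m.groups()
        if is_trusted(host):
            continue
        tokens = lure_tokens_in(host)
        if tokens:
            hits.append({"time": ts, "client": client, "host": host,
                         "path": path, "tokens": tokens})
    return hits


if __name__ == "__main__":
    for hit in flag_impersonating_hosts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}{hit['path']} "
              f"(lure tokens: {', '.join(hit['tokens'])})")
```

The suffix check is the important part: matching "gov.in" anywhere in the string would whitelist "gov.in.mail-secure.net", which is exactly the subdomain trick an impersonating domain relies on.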


Transparent Tribe is also known for varying its delivery methods against Indian organisations, including installers masquerading as legitimate applications, archive files, and malware-laced documents.


One of the installers the group impersonates is Kavach, an Indian two-factor authentication application that government users must install to log in to their official email services; the fake Kavach installer instead drops the group's malicious payloads.

Other delivery methods used by the APT group are COVID-19-themed decoy images and virtual hard disk (VHD) files, which serve as a launchpad to retrieve additional payloads, such as CrimsonRAT, from a remote C2 server.
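Disk image attachments are easy to miss when a mail gateway trusts the file extension. The following is an added example, not code from the article or from the researchers it cites: it identifies VHD and VHDX images by their on-disk signatures (the "conectix" cookie in the 512-byte VHD footer, mirrored at offset 0 for dynamic disks, and the "vhdxfile" identifier at offset 0 of a VHDX) and reports when the extension disagrees with the content. It goes slightly beyond the text by also recognising ISO 9660 images, which are delivered the same way. All attachments below are constructed in memory; none are real samples.

```python
VHD_COOKIE = b"conectix"      # VHD footer cookie; footer is the last 512 bytes of the file
VHDX_SIGNATURE = b"vhdxfile"  # VHDX file type identifier at offset 0
ISO_ID = b"CD001"             # ISO 9660 volume descriptor identifier at offset 0x8001


def disk_image_type(data):
    """Identify a disk image by its on-disk signature, ignoring the filename.

    Returns "vhdx", "vhd" or "iso", or None when no signature is present.
    """
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Fixed VHDs carry the footer only at the end; dynamic and differencing
    # VHDs also mirror it at offset 0, so check both positions.
    if data[:8] == VHD_COOKIE or (len(data) >= 512 and data[-512:-504] == VHD_COOKIE):
        return "vhd"
    if len(data) >= 0x8006 and data[0x8001:0x8006] == ISO_ID:
        return "iso"
    return None


def build_fixed_vhd(payload_len=1024):
    """Constructed sample: zeroed data region followed by a 512-byte footer
    whose only meaningful field is the cookie."""
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    return b"\x00" * payload_len + footer


def scan_attachments(attachments):
    """attachments: list of (filename, bytes). Returns the ones that are disk
    images, noting when the extension lies about the content."""
    findings = []
    for name, data in attachments:
        kind = disk_image_type(data)
        if kind is None:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({"name": name, "type": kind,
                         "extension_mismatch": ext != kind})
    return findings


# Constructed sample attachments (not real samples).
SAMPLE_ATTACHMENTS = [
    ("covid19_guidelines.vhd", build_fixed_vhd()),
    ("kavach_update.vhdx", VHDX_SIGNATURE + b"\x00" * 1016),
    ("covid_stats.jpg", build_fixed_vhd()),   # disk image hiding behind an image extension
    ("decoy.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    ("notes.txt", b"nothing to see here"),
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE_ATTACHMENTS):
        flag = " (extension mismatch)" if f["extension_mismatch"] else ""
        print(f"{f['name']}: {f['type']}{flag}")
```

Checking the footer as well as the header is what catches a fixed-size VHD, which has no signature at the start of the file at all; a scanner that only inspects the first bytes will classify it as unknown binary data.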

Although CrimsonRAT appears in most of the group's espionage campaigns, Transparent Tribe also deploys ObliqueRAT against government agencies and in operations where stealth is a priority.

Given the breadth of malware Transparent Tribe already fields, researchers were struck to see the group go as far as impersonating legitimate Indian government applications to lure its victims.

Security researchers explained that the APT group’s use of various attack and malware delivery methods shows how agile, aggressive, and persistent they are in evolving their tactics and techniques to spread the infection among their targets.
