Thursday, May 13, 2021

Transparent Tribe APT expands its Windows malware arsenal

By Asheer Malhotra, Justin Thattil and Kendall McKay.

Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos' previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT.

While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.

Our recent research into Transparent Tribe uncovered two types of domains the group uses in their various campaigns: fake domains masquerading as legitimate Indian defense and government-related websites, and malicious domains posing as content-hosting sites. These domains work in conjunction with each other to deliver maldocs distributing CrimsonRAT and ObliqueRAT.

Based on our findings, Transparent Tribe's tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit. The variety of maldoc lures Transparent Tribe employs indicates the group still relies on social engineering as a core component of its operations.


Hosting infrastructure


Transparent Tribe uses a two-pronged approach for registering malicious domains: fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.

Fake domains

Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. During our most recent investigation, we discovered a fake domain, clawsindia[.]com, registered by the attackers. This domain masquerades as the website for the Center For Land Warfare Studies (CLAWS), an India-based think tank covering national security and military issues. (The legitimate domain for CLAWS is claws[.]in.) The malicious clawsindia[.]com domain was previously hosted on 164[.]68[.]101[.]194, a known command and control (C2) for CrimsonRAT, Transparent Tribe's custom .NET remote access trojan (RAT). At this point, we cannot confirm how the attackers are using or intend to use this domain as part of their broader operations. However, we also identified a subdomain, mail[.]clawsindia[.]com, hosted on the same IP, suggesting that the attackers are using it as part of a malspam campaign.

Below is one of the maldocs the attackers used to target individuals applying for the CLAWS "Chair of Excellence," an honorary title awarded for exceptional research contributions to strategic studies, according to the think tank's official documentation. The victim is encouraged to click an embedded URL hosted on sharingmymedia[.]com, which downloads ObliqueRAT, the trojan Talos discovered in 2020 in threat activity targeting entities in South Asia.



We cannot confirm how the maldocs were delivered to victims, but based on the actor's previous behavior and the targeted nature of this particular lure, we suspect they were sent as attachments to phishing emails. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.

Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS.

Although we could not confirm the initial infection vector of ObliqueRAT maldocs, earlier campaigns had the same infection chain as those seen in previous CrimsonRAT operations. In such cases, adversaries would deliver phishing maldocs to targets containing a malicious VBA macro that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc. The macro dropped the implant to the disk, setting up persistence mechanisms and eventually executing the payload on the infected endpoint.

The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. In one such case in early 2021, the adversaries used iiaonline[.]in, the Indian Industries Association's legitimate website, to host ObliqueRAT artifacts. The attackers then moved to hosting fake websites resembling those of legitimate organizations in the Indian subcontinent. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. The attackers then used this fake website, which they hosted on a domain that was nearly identical to its legitimate counterpart, to distribute ObliqueRAT. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.

Figure 2: Fake website cloned using HTTrack on May 29, 2020.


Another fake domain the group uses to serve CrimsonRAT is 7thcpcupdates[.]info. This domain masquerades as an information portal for The 7th Central Pay Commission (CPC) of India, which provides payment information and updates for government employees. The malicious domain prompts the victim to enter their name and email address to sign up and download a seemingly important "guide on pay and allowance."

Figure 3: 7thcpcupdates[.]info landing page.


Once the victim enters their information, the portal prompts them to download the guide. Upon clicking "Download Now," a malicious XLS file is downloaded onto the victim's computer. After enabling macros, the file executes CrimsonRAT on the endpoint.

Figure 4: The "Download Now" button contains a link to a malicious XLS with CrimsonRAT embedded in it.
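As an added defender-side check (not code from the Talos post), the following Python looks inside an OOXML attachment such as an XLAM or DOCM for the two ingredients of the infection chain described above: a VBA project and an embedded executable or ZIP archive. The sample file it inspects is a constructed stand-in built in memory, not a real lure, and the part names and signature strings it searches for are assumptions based on the standard Office package layout.

```python
import io
import zipfile

# Package parts that mark a VBA project in OOXML (docm/xlsm/xlam/pptm files).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Signatures searched for inside embedded objects; they are often wrapped in
# an OLE container, so the whole blob is searched rather than offset 0 only.
PE_MARK = b"This program cannot be run in DOS mode"
ZIP_MARK = b"PK\x03\x04"

def inspect_ooxml(data):
    """Return {'macros': [...], 'embedded_exe': [...], 'embedded_zip': [...]}
    for one OOXML file; legacy OLE .xls/.doc files are not parsed here."""
    report = {"macros": [], "embedded_exe": [], "embedded_zip": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        for name in zf.namelist():
            if name in VBA_PARTS:
                report["macros"].append(name)
            elif name.startswith(EMBED_DIRS):
                blob = zf.read(name)
                if PE_MARK in blob:
                    report["embedded_exe"].append(name)
                elif ZIP_MARK in blob:
                    report["embedded_zip"].append(name)
    return report

def is_dropper_like(report):
    """The chain described in the post: a macro plus an embedded EXE or ZIP."""
    return bool(report["macros"]) and bool(report["embedded_exe"] or report["embedded_zip"])

def build_sample(with_macro, payload):
    """Constructed stand-in for an .xlam lure (a minimal zip, not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba stub")  # OLE magic + filler
        if payload:
            zf.writestr("xl/embeddings/oleObject1.bin", payload)
    return buf.getvalue()

# Fake payloads, both constructed: a PE-like header and a tiny zip archive.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + PE_MARK
FAKE_ZIP = build_sample(False, b"")   # any zip serves as an embedded archive
```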

Malicious file-sharing domains

Transparent Tribe also regularly registers domains that appear to be legitimate file- and media-sharing services. For example, the group has used drivestransfer[.]com, file-attachment[.]com, mediaclouds[.]live, and emailhost[.]network during their operations. In the CLAWS example above, the adversaries used another such malicious domain, sharingmymedia[.]com, to host ObliqueRAT. (Additional domains are listed in the IOCs section.) The infection chain involving these domains is similar to the one described above in which the threat actors use social engineering to convince the victim to download and open the malware hosted on these sites.


Figure 5: A sample XLS maldoc containing a malicious macro hosted on emailhost[.]network.
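The two domain patterns described in this section (lookalikes of defense or government sites, and generic file-sharing names) can be checked against web proxy logs. The Python below is an added example, not code from the Talos post: it refangs indicators written in the post's hxxp/[.] style, matches the registrable domain against a small blocklist taken from the post, and separately flags hosts where a trusted domain such as gov.in appears as a run of subdomain labels rather than as the real suffix. The suffix rule is a stated simplification, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED = ("gov.in", "claws.in")   # legitimate domains the lures imitate (both named in the post)

# A few hosting indicators quoted in the post, kept in their defanged form.
DEFANGED_IOCS = [
    "clawsindia[.]com",
    "7thcpcupdates[.]info",
    "hxxps://sharingmymedia[.]com/files/More-details.docm",
]

def host_of(value):
    """Hostname of a URL or bare domain, refanging 'hxxp' and '[.]' first."""
    v = re.sub(r"^hxxp", "http", value.replace("[.]", "."))
    if "://" not in v:
        v = "http://" + v
    return (urlsplit(v).hostname or "").rstrip(".")

def registrable(host):
    """Naive eTLD+1: two labels, or three under gov/co/ac + ccTLD.
    Assumption: good enough for this post; use the public suffix list in production."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in ("gov", "co", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def embeds_trusted(host):
    """Trusted domain found as a label run that is NOT the host's real suffix
    (e.g. india.gov.in.attachments.downloads.<lookalike>.info), else ''."""
    labels = host.split(".")
    for trusted in TRUSTED:
        tl = trusted.split(".")
        for i in range(len(labels) - len(tl)):   # windows that stop before the end
            if labels[i:i + len(tl)] == tl:
                return trusted
    return ""

BLOCKLIST = {registrable(host_of(ioc)) for ioc in DEFANGED_IOCS}

def triage(url):
    """Reasons a URL's host should be blocked; an empty list means clean."""
    host, reasons = host_of(url), []
    if registrable(host) in BLOCKLIST:
        reasons.append("known-bad domain " + registrable(host))
    if spoofed := embeds_trusted(host):
        reasons.append(spoofed + " spoofed in subdomain of " + registrable(host))
    return reasons

SAMPLE_LOG = """\
2021-05-10T09:12:01Z 10.0.0.5 GET http://www.claws.in/about
2021-05-10T09:13:44Z 10.0.0.7 GET http://mail.clawsindia.com/login
2021-05-10T09:15:02Z 10.0.0.9 GET http://india.gov.in.attachments.downloads.7thcpcupdates.info/guide.xls
"""

def scan_log(text):
    """Map each flagged URL in the (constructed) proxy log to its triage reasons."""
    hits = {}
    for line in text.splitlines():
        url = line.split()[-1]
        if reasons := triage(url):
            hits[url] = reasons
    return hits
```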


Lures and targeting


Transparent Tribe uses a variety of themes in its lures, and these have evolved over time. The group has leveraged generic themes, such as resumes and CVs, since early 2019. From 2019 and continuing into 2020, the attackers started using honeytrap-themed lures to trick targets into opening ZIP archives and maldocs that posed as pictures of women. By mid-2020, the attackers reverted to primarily distributing military-themed maldocs. These maldocs did not contain popular news topics, as seen in older campaigns, but instead masqueraded as logistical and operational documents for the Indian Armed Forces.

But Transparent Tribe's attacks are not limited to India. In one campaign, the attackers used an Iranian Ministry of Foreign Affairs (MOFA)-themed maldoc to distribute CrimsonRAT in mid-2019. Then, in mid- to late 2020, the attackers targeted diplomatic entities with RAR archives pretending to be related to the British High Commission in Islamabad, Pakistan. In mid-2020, we observed the first instance of conference attendees being targeted, in the form of a CrimsonRAT maldoc masquerading as the agenda for an Afghan conference. However, since the start of this year, the group has increasingly used lures disguised as content from Indian government-sponsored conferences.

Defense-themed lures

Transparent Tribe has historically used military- and defense-themed phishing emails and maldocs to target Indian military and government personnel. In one such case, we observed the group using the COVID-19 pandemic to target defense personnel.


Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel.


The embedded XLS maldoc masquerades as a generic Health Advisory on COVID-19. This is in line with previous reporting on Transparent Tribe's use of official COVID-19 applications and content to serve Android malware.


Figure 7: Attached malicious XLS macro.



Another lure targeted Indian Defense Advisors attached to various Indian embassies in Southeast Asia, as seen in Figure 8.


Figure 8: Spear-phishing email targeting Defense Advisors.


This lure consisted of a list of countries pertaining to one of the College of Defense Management's (CDM) study tours.


Figure 9: Maldoc impersonating a list for CDM study tours.

Conference attendees

Transparent Tribe also targets attendees of specific conferences. Figure 10 shows a maldoc that was part of a 2020 operation distributing CrimsonRAT. The malicious XLS contained the agenda for the "Building a Peaceful Afghanistan: Regional and International Support for Afghan Peace" dialogue series conducted by the Heart of Asia Society (HAS).



Figure 10: Maldoc impersonating the agenda for HAS' dialogue series 2020.


Diplomatic themes

In one incident, we observed Transparent Tribe using an Iranian-themed lure to distribute CrimsonRAT. The maldoc is a note from Iran's Foreign Minister responding to the U.S. designation of Iran's Revolutionary Guard Corps (IRGC) as a Foreign Terrorist Organization (FTO). We could not determine who the intended targets were.


Figure 11: Maldoc pretending to be a note from the MOFA Iran.

In another instance, we observed a malicious ZIP archive targeting the British High Commission in Islamabad with CrimsonRAT.


Figure 12: Malicious archive with BHC-themed filenames containing CrimsonRAT.

HoneyTraps

Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Specifically, we have observed the group using resume documents and archives, such as ZIPs and RARs, with alluring themes distributing CrimsonRAT.


Figure 13: One of the many honeytrap lure maldocs used by Transparent Tribe.

Transparent Tribe also delivers malicious archives containing CrimsonRAT executables using various themes, including honeytraps. In a few of these instances, the malicious executables in the archives contained honeytrap-themed icons to entice the victims into executing them.

Figure 14: CrimsonRAT executables from as early as 2019 containing explicit icons.


Conclusion


Transparent Tribe relies heavily on maldocs to spread its Windows implants. While CrimsonRAT remains the group's staple Windows implant, its development and distribution of ObliqueRAT in early 2020 indicates the group is rapidly expanding its Windows malware arsenal. Email and maldoc lures employed to spread these implants consist of multiple themes, including conference agendas, honeytrap lures and diplomatic themes. However, two generic themes used consistently in their operations are fake resumes and military-related topics. This indicates the group continues to primarily target defense personnel in the Indian subcontinent. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites. Coupled with the use of compromised websites to host malicious artifacts, this is evidence that the group is evolving its TTPs to appear more legitimate.


Coverage


Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try AMP for free here.

Cisco Secure Email can block malicious emails sent by threat actors as part of their campaign.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Security products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Cisco Secure Firewall Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following SIDs have been released to detect this threat: 57551-57562

Cisco Secure Endpoint (AMP) users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here and here.


IOCs


A complete list of IOCs is available here.

Malicious Domains


Domains with specific themes:




Generic Themed Domains:




URLs




IP Addresses


