By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.
- Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants.
- This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent Tribe tactic.
- Based on our analysis of Transparent Tribe operations over the last year, the group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.
- Notably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.
Transparent Tribe deploys new implants
Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. In the latest campaign conducted by the threat actor, Cisco Talos observed multiple delivery methods, such as executables masquerading as installers of legitimate applications, archive files and maldocs to target Indian entities and individuals. These infection chains led to the deployment of three different types of implants, two of which we had not previously observed:
- CrimsonRAT: A remote access trojan (RAT) family that Transparent Tribe frequently uses to conduct espionage operations against their targets.
- A previously unknown Python-based stager that leads to the deployment of .NET-based reconnaissance tools and RATs.
- A lightweight .NET-based implant to run arbitrary code on the infected system.
This campaign also uses fake domains mimicking legitimate government and pseudo-government organizations to deliver malicious payloads, a typical Transparent Tribe tactic.
Threat actor profile
Transparent Tribe is a suspected Pakistan-linked threat actor. This group targets individuals and entities associated with governments and military personnel in the Indian subcontinent, specifically Afghanistan and India. Transparent Tribe has also been known to use their CrimsonRAT implant against human rights activists in Pakistan.
The group primarily uses three Windows-based malware families to carry out espionage activities against their targets.
- CrimsonRAT is a .NET-based implant that has been the group’s malware of choice since at least 2020. Transparent Tribe’s multiple campaigns leveraging CrimsonRAT over the years indicate a steady evolution in the implant’s capabilities.
- ObliqueRAT is a C/C++-based implant discovered by Talos in early 2020. ObliqueRAT is primarily reserved for highly targeted attacks on government personnel and in operations where stealth is a prime focus of the attackers’ infection chain. This implant has also seen a constant evolution in deployment tactics and malicious functionalities over time.
- Custom malware used by Transparent Tribe consists of easily and quickly deployable downloaders, droppers and lightweight RATs containing limited capabilities as opposed to CrimsonRAT and ObliqueRAT.
Transparent Tribe also maintains a suite of mobile implants in their arsenal. Implants such as CapraRAT are constantly modified to be deployed against targets. These implants contain a plethora of malicious capabilities meant to steal data from mobile devices.
Talos observed the use of downloader executables containing different lures related to the Indian government. Themes included topics related to COVID-19, resumes and installers for government applications, such as the Kavach multi-factor authentication (MFA) application.
The latest downloaders primarily masquerade as installers for Kavach and are distributed for delivering malicious artifacts to targets. Kavach is widely used by government personnel, as it allows employees (including military personnel) to access the Indian government’s I.T. resources, such as email services.
The droppers are .NET-based executables. They begin execution by checking if the timezone on the infected endpoint contains keywords such as “India.” A splash screen is displayed to the victim notifying them that the Kavach application is being installed:
Fake installation splash screen
The downloaders will then reach out to a malicious website, masquerading as a legitimate Indian government or pseudo-government entity, to download a malicious payload that is then activated on the endpoint.
Next, the downloader fetches a legitimate copy of the Kavach application’s MSI installer from yet another attacker-controlled website and executes it to make the whole attack chain appear legitimate.
Downloader fetching and executing malicious payload and legitimate installer for Kavach.
Another variation of the initial infection vector used in the campaign is a notably large downloader binary (141MB) that contains the entire legitimate installer (MSI) for the Kavach application in its resources. The zipped copy of the MSI is extracted from the downloader’s resources and executed on the system as a decoy to appear legitimate to the targets. The actual implant is then downloaded from a remote location, AES-decrypted using a hardcoded key, written to disk and executed on the infected endpoint.
The second variant of the downloader downloads and decrypts the payload from a remote location.
A timeline of older variants
As early as June 2021, the attackers primarily used malicious documents (maldocs) as an initial infection vector to deliver the malicious downloaders. This vector consisted of a malicious macro that would download and activate the downloader on the infected endpoint. This practice continued into July 2021.
However, beginning with June 2021, there was also a steady evolution in the distribution tactics used in this campaign. Around this time, we began observing the use of non-traditional initial entry mechanisms throughout the course of this campaign, suggesting a clear intention of aggressively infecting targets for espionage.
For instance, in June 2021, the attackers used IMG files for distribution, containing multiple infection artifacts — all COVID-19 themed — to trick targets into getting infected. Wrapping malware in IMG files is a tactic gaining traction with crimeware operators and APTs as a way to deliver malware to victims since newer versions of the Windows OS natively support IMG files.
Malicious IMG distributed by Transparent Tribe.
The malicious image consists of four files:
- Malicious Python-based stager.
- Decoy PDF document containing a COVID-19-themed lure.
- VBS file for executing the stager and displaying the decoy.
- Malicious LNK file for activating the VBS on the endpoint.
In September 2021, the actors switched up their initial infection artifact and used VHDX files to deliver the malicious droppers. VHDX files do not retain Mark of the Web (MOTW) stamps, so artifacts such as maldocs delivered through these wrappers aren’t identified as originating from the internet by Microsoft utilities such as Word and Excel, allowing the attackers to run malicious code on the endpoint without any Microsoft warnings.
The variant of the downloaders used here, previously disclosed by Cyble, masqueraded as an app from the Canteen Stores Department (CSD) of the Government of India. On execution, this variant would open the legitimate website for CSD on the target’s system. However, as seen previously with Transparent Tribe, the threat actors continued the development of similar infection chains consisting of various themes to distribute their malware without regard for any previous public disclosures.
The threat actor then introduced the use of RAR archives to distribute malware in November 2021. The RAR archive consisted of the downloader, this time downloading a highly specific decoy PDF containing the work history of an Indian government official. The RAR archives are typically password-protected and hosted on public media sharing websites. Therefore, it is highly likely that Transparent Tribe used spearphishing emails to deliver the download URLs for the archives to their targets, along with the passwords for the archives.
Timeline of the evolution of entry vectors:
CrimsonRAT is a RAT implant with a wide variety of capabilities. It is the staple implant of choice for Transparent Tribe to establish long-term access into victim networks. The APT group actively maintains this RAT, and over the years it has seen considerable updates, both in the development of new capabilities and in the obfuscation of the implant.
</gre_replace>
<gr_replace lines="48" cat="clarify" orig="- Take screenshots of the current">
- Take screenshots of the current screen and send them to the C2.
The latest version of CrimsonRAT seen in this campaign in January and February 2022 contains a number of capabilities, including:
- List files and folders in a directory path specified by the C2.
- Run specific processes on the endpoint — keylogger and USB modules.
- List process IDs and names running on the endpoint.
- Get information such as name, creation times and size of image files (pictures such as BMP, JPG etc.) specified by the C2.
- Take screenshots of the current screen and send it to C2.
- Upload keylogger logs from a file on disk to the C2.
- Send system information to C2 including:
- Computer name, username, operating system name, file path of the implant, parent folder path.
- Indicator of whether the keylogger module is present on the endpoint and running, and its version.
- Indicator of whether the USB module is present on the endpoint and running, and its version.
- Run arbitrary commands on the system.
- Write data sent by C2 to a file on disk.
- Read contents of a file on disk and exfiltrate to C2.
- List all drives on the system.
- List all files in a directory.
- Download the USB worm and keylogger modules from the C2 and write them to disk.
- Send a file’s name, creation time and size to the C2; the file path is specified by the C2.
- Delete files specified by the C2 from the endpoint.
- Get names, creation times and size of all files containing the file extension specified by the C2.
Code Snippet: CrimsonRAT command handler.
- Jan-Feb 2022: Deployed by Kavach-themed downloaders.
A new lightweight, .NET-based implant was also seen in this campaign in several infection chains. This implant has limited capabilities when compared to CrimsonRAT but contains enough functionality to control and monitor the infected system. Capabilities include:
- List all running processes on the endpoint.
- Download and execute a file from the C2.
- Download and execute a file specified by the C2 from another remote location.
- Close connection with the C2 until the next run.
- Gather system information from the endpoint such as computer name, username, public and local IPs, operating system name, list of running AVs, device type (desktop or laptop).
The implant also persists via an InternetShortcut in the current user’s Startup directory.
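As a defender's check for the persistence mechanism described above, the following added example (not code from the original post or from Talos) parses every .url InternetShortcut file in a Startup folder and flags any whose target is a local executable rather than a web page. It assumes the implant's shortcut points at a local file (e.g. a file:/// or drive-letter path); the sample .url files are constructed here for the demonstration.

```python
"""Hunt for InternetShortcut (.url) persistence in Windows Startup folders."""
import configparser
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# A web shortcut in Startup has no legitimate reason to launch one of these.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat",
                   ".cmd", ".ps1", ".hta", ".lnk"}


def parse_url_file(path):
    """Return the URL= target of a .url file, or None if it is not an InternetShortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(path, encoding="utf-8")
    except (configparser.Error, OSError, UnicodeDecodeError):
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    # configparser lowercases option names, so "URL=" is read as "url".
    return cp.get("InternetShortcut", "url", fallback=None)


def is_suspicious_target(url):
    """True when the shortcut launches a local executable instead of a web page."""
    if not url:
        return False
    target = url.strip()
    scheme = urlparse(target).scheme.lower()
    # file:///C:/...  or a bare drive path C:\... (urlparse reports scheme "c")
    is_local = scheme in ("", "file") or (len(scheme) == 1 and scheme.isalpha())
    ext = os.path.splitext(target.lower())[1]
    return is_local and ext in EXEC_EXTENSIONS


def scan_startup_shortcuts(folders):
    """Return [(path, url)] for each .url in the folders whose target looks like an implant."""
    hits = []
    for folder in folders:
        for p in Path(folder).glob("*.url"):
            url = parse_url_file(p)
            if is_suspicious_target(url):
                hits.append((str(p), url))
    return hits


def windows_startup_folders():
    """Per-user and all-users Startup folders on a Windows host (assumed default locations)."""
    appdata = os.environ.get("APPDATA", "")
    programdata = os.environ.get("PROGRAMDATA", "")
    rel = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return [os.path.join(appdata, rel), os.path.join(programdata, rel)]


def demo():
    """Constructed sample: one benign and one suspicious .url in a temp folder."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "docs.url").write_text("[InternetShortcut]\nURL=https://example.com/\n")
        Path(d, "update.url").write_text(
            "[InternetShortcut]\nURL=file:///C:/Users/victim/AppData/Roaming/update.exe\n")
        return scan_startup_shortcuts([d])
```

On a live Windows host, call `scan_startup_shortcuts(windows_startup_folders())` instead of `demo()`.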
Implant downloading and executing a file from a remote location.
- Jan-Feb 2022: Deployed by Kavach-themed downloaders.
- November 2021: Seen in infection chains using RAR archives hosted on CMS.
- September 2021: Deployed by CSD-themed downloaders.
We’ve also observed the use of Python-based stagers throughout this campaign. These stagers are pyinstaller-based EXEs and consist of the following functionalities:
- Collect system information from the endpoint consisting of all running process names, computer name and OS name and send it to a remote C2 URL.
- Drop one of two embedded files (a malicious DLL used to activate a recon tool) into the current user’s Startup folder; which file is dropped depends on whether the endpoint is Windows 7 or not.
- Parse responses from the C2 to obtain data that is then written to a file on disk.
All the relevant information used in the functioning of the stager is kept in a separate Python file.
Stager configuration information.
- June 2021: Maldocs.
- June 2021: IMG files.
The embedded implants deployed by the Python-based stager simply activate a malicious DLL existing on disk by loading and running it in the embedded implant’s process. The DLL loaded is the actual malicious reconnaissance tool used by the attackers.
The DLL implant will first send a beacon to the C2 server URL to indicate that it has been successfully deployed. The C2 server must reply with a specific keyword such as “onlyparanoidsurvive” for the implant to start accepting commands from another C2 URL. The implant will first send a list of all files in the current user’s Cookie directory to the C2. In response, the C2 may send the “senddevices” command to the implant. If this command is received, the implant will send the following data to a third C2 URL:
- OS Caption from CIM_OperatingSystem.
- All local IP addresses of the infected endpoint.
- Device type — desktop or laptop.
- Product version of the executable in which the DLL has been loaded.
Implant gathering system information for exfiltration to the C2.
The implant will then proceed to get executables from the remote C2 server that are then executed on the infected endpoint.
Helper DLL used to execute binaries on the endpoint.
Targeting and attribution
This campaign saw the use of multiple types of lures and decoys to target Indian government personnel. This is a targeting tactic typical of groups operating under the Pakistani nexus of APT groups, such as Transparent Tribe and SideCopy.
For example, in July 2021, we saw the attackers use themes related to the 7th Indian Central Pay Commission (7th CPC) for government employees in maldocs to deliver the Python-based stager that deployed malware on the infected endpoints. Transparent Tribe will frequently use the 7th CPC as a topic of interest to trick victims into opening maldocs and infecting themselves.
Maldoc with 7th CPC themes.
We also saw the use of COVID-themed lures and decoys containing advisories primarily targeting employees of the government of India. This is another tactic that the Transparent Tribe has utilized in past operations.
COVID-19-themed decoy used against government employees.
Over the past year, we have observed this threat actor heavily utilize women’s resumes to target individuals of interest. This is in line with their tactic of honey trapping targets by using such malicious resumes and executables that display alluring pictures. This campaign, however, used a similar yet distinct theme. Instead of resumes, we observed the use of a decoy document in November 2021 that detailed a male Indian Ministry of Defence (MoD) employee’s work experience.
Service history of an MoD official used as a lure/decoy.
Another TTP used by Transparent Tribe in their operations is the cloning of legitimate websites into fake ones owned and operated by the attackers. These fake websites are used along with typo-squatted or similarly spelled domains to appear legitimate but serve malicious artifacts as part of the attackers’ infection chains. One such example in this campaign is the malicious domain dsoi[.]info. This domain is a direct copy of the legitimate website of the Defence Service Officers’ Institute (DSOI) of India, created by cloning content using HTTrack, a free website copier program.
We’ve seen this tactic (cloning legitimate websites using HTTrack) used by Transparent Tribe in the past to deliver ObliqueRAT malware payloads around mid-2021.
Transparent Tribe commonly uses malicious artifacts against Indian targets, masquerading as legitimate applications maintained by the government of India. In September 2021, Talos disclosed Operation Armor Piercer, which consisted of the use of themes pertaining to the Kavach MFA application to spread commodity RATs. The SideCopy APT group also uses trojans such as MargulasRAT pretending to be a VPN application for India’s National Informatics Centre (NIC). This new campaign from Transparent Tribe also saw fake installers for the Kavach application being used to deploy CrimsonRAT and other malware.
The use of CrimsonRAT in operations such as these is expected of Transparent Tribe. It has been seen in the wild for years and is the tool of choice for the threat actors in campaigns that cast a relatively wide net for targeting their victims. This is unlike ObliqueRAT, which is used in highly targeted operations by Transparent Tribe.
The use of new bespoke malware in addition to the RATs indicates the group is diversifying their malware portfolio to achieve an even greater degree of success. In another common trend, we have also observed Transparent Tribe quickly develop and deploy bespoke, small and lightweight stagers and downloaders that can be modified with relative ease (and discarded if needed), leading to the deployment of their actual implants meant to provide long term access into their targets’ networks and systems.
Transparent Tribe has been a highly active APT group in the Indian subcontinent. Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage. The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT. They have continued the use of fake domains masquerading as government and quasi-government entities, as well as the use of generically themed content-hosting domains to host malware. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets.
Organizations should remain vigilant against such threats, as they are likely to proliferate in the future. Defense-in-depth strategies based on a risk-analysis approach deliver the best prevention results. However, these should always be complemented by a good incident response plan that has not only been tested with tabletop exercises but is also reviewed and improved every time it’s put to the test in real engagements.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs: 59222-59223
The following ClamAV signatures are available for protection against this threat:
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
Python-based downloaders