APT36 Sharpens Tools While Focusing on New Targets

Transparent Tribe aka APT36, a Pakistan-based APT group, is known for surveillance and spying government and military organizations in India and Afghanistan. Recently, they have been observed further enhancing their arsenal with new toolkits and tactics.

What happened?

According to a Kaspersky report, the group usually prefers to stick to the same set of tactics, techniques, and procedures (TTPs), with occasional use of new programs for specific campaigns.
  • The report suggests that the threat actor has been gradually paddling up its activities, with massive infection campaigns and using new tools to target Afghanistan.
  • Though it usually deploys a custom .NET malware known as Crimson RAT, it was seen developing and using other custom .NET malware, and Python-based Peppy RAT.
  • Between June 2019 and June 2020, over 200 samples of Transparent Tribe Crimson components have been detected.

Modus operandi

  • The attackers use spear-phishing emails containing a Microsoft Office attachment. The document is loaded with Crimson RAT which, upon execution, can steal files, capture screenshots and key logs, harvest credentials stored in browsers, and control microphones and webcams.
  • It also uses USBWorm, a dual-purpose malware that can act as a file stealer for removable drives as well as a worm that can hop across the network to find new vulnerable machines.

Recent attacks

  • In June, intelligence agency sources confirmed that APT36 actors stole data from the Indian Railways and stored it in foreign locations.
  • In March, the group was seen using spear-phishing emails pretending to be an official communication from the government of India.

In essence

During the last 12 months, researchers have observed a broad campaign by Transparent Tribe APT against military and diplomatic targets. They don’t expect any slowdown in threats from this group in the near future and would continue to monitor its activities.