Zooming in on Transparent Tribe
The APT group, Transparent Tribe, has not taken a break in the last four years and continues to attack military and government personnel in India. From enhancing operations and starting massive espionage campaigns to developing new tools and shifting its focus to Afghanistan, the group has undergone tremendous evolution.
Operations filled with admirable craftsmanship
- Over the years, the TTPs used by the group have remained consistent, and they have been persistent in employing certain tools and creating new programs for different espionage campaigns. As an infection vector, they mostly prefer malicious documents with an embedded macro.
- Primarily, Transparent Tribe deploys a custom .NET Remote Access Trojan (RAT) malware commonly known as Crimson RAT. However, over the years, researchers have observed the use of a Python-based RAT known as Peppy and other custom .NET malware.
- A new USB attack tool, USBWorm, has also been designed by Transparent Tribe. The tool is made up of two key components—a file stealer for removable media and a worm feature for moving to vulnerable systems.
Alive and intact
- After tracking Transparent Tribe for over four years, Kaspersky’s recent research suggests that the group has been working on upgrading its toolset and diversifying its operation—which now entails mobile threats. The cybersecurity vendor has discovered a new Android spyware that utilizes explicit content and COVID-19-related information to install a RAT on mobile devices.
- The Transparent Tribe operators have designed a new tool to infect USB devices for surveillance and spying on government and military personnel in India and Afghanistan. The group starts the attack chain by sending spearphishing emails attached with malicious Microsoft Office documents comprising an embedded macro that deploys a Crimson RAT.
Kaspersky's new evidence confirms a connection between the Transparent Tribe and ObliqueRAT, another malicious RAT family. Some samples of ObliqueRAT—discovered by Cisco Talos—were found to be distributed via malicious documents enclosed with macros that resembled those utilized for spreading Crimson RAT.
In the last 12 months, Transparent Tribe has conducted a huge campaign against diplomatic and military personnel to relentlessly spy on them. With the discovery of its new custom malware tools, researchers do not expect a downturn in the group’s operations anytime soon.