Transparent Tribe APT Adopts ObliqueRAT Malware

The Transparent Tribe APT (also known as APT36 and Mythic Leopard) has evolved its lures, started targeting new victims, and added a new malware to its toolkit.

The group is known for its information theft and espionage campaigns against Windows devices. It has been active since 2013, primarily targeting Indian military and defense personnel with the CrimsonRAT malware.

Cisco Talos researchers said on Thursday that the group, in addition to CrimsonRAT, is now deploying ObliqueRAT.

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” said Cisco Talos researchers Asheer Malhotra, Justin Thattil, and Kendall McKay. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

ObliqueRAT is a remote access Trojan active since November 2019. It can exfiltrate various information, such as system data, a list of drives and running processes. Malhotra said that the use of ObliqueRAT allowed the threat group to “become more and more lethal.”

Researchers do not know for certain how Transparent Tribe distributes its maldocs to victims, but based on the threat actor's previous behavior and the targeted nature of the lures, the most likely vector is attachments in phishing emails. Previously, the group delivered maldocs containing VBA macros that extracted either CrimsonRAT or a ZIP archive from the maldoc itself.

In more recent campaigns, the attackers hosted their malicious payloads on compromised websites rather than embedding them in the document, so that the attack chain appeared more legitimate.
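The two delivery patterns described above (a macro-bearing document that carries its payload inside the package, and a macro-bearing document whose payload is fetched from a remote site) leave different traces in the file itself. The following triage script is an added example written for this page, not code from Cisco Talos or from the article; it uses only the Python standard library and builds its own constructed sample documents, so the file names, payload bytes and severity labels are assumptions for illustration. It opens an OOXML package (.docx/.docm are ZIP containers), flags the `word/vbaProject.bin` part that holds VBA macros, and looks for embedded parts whose first bytes are a ZIP (`PK\x03\x04`) or a Windows executable (`MZ`) header. A document with macros and an embedded payload is rated `high`; a document with macros but no embedded payload is rated `review`, which is the shape a remote-hosted variant would take.

```python
"""Added example (not from the article): triage an OOXML package for
VBA macros and embedded ZIP or PE payloads. Standard library only."""
import io
import zipfile
from typing import Dict, List, Optional

MACRO_PART = "word/vbaProject.bin"   # OOXML part that stores the VBA project
ZIP_MAGIC = b"PK\x03\x04"            # ZIP local file header
MZ_MAGIC = b"MZ"                     # DOS/PE executable header


def triage_ooxml(data: bytes) -> Dict[str, object]:
    """Inspect one OOXML document (given as bytes) and return findings."""
    findings: Dict[str, object] = {"has_macros": False}
    embedded_zip: List[str] = []
    embedded_pe: List[str] = []

    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name == MACRO_PART:
                findings["has_macros"] = True
            # XML parts and directory entries cannot be binary payloads.
            if name.endswith(("/", ".xml", ".rels")):
                continue
            # Classify every other part by its leading bytes, whatever it is named.
            with pkg.open(name) as part:
                head = part.read(4)
            if head.startswith(ZIP_MAGIC):
                embedded_zip.append(name)
            elif head.startswith(MZ_MAGIC):
                embedded_pe.append(name)

    findings["embedded_zip"] = embedded_zip
    findings["embedded_pe"] = embedded_pe
    if findings["has_macros"] and (embedded_zip or embedded_pe):
        findings["severity"] = "high"      # macros plus a carried payload
    elif findings["has_macros"]:
        findings["severity"] = "review"    # macros only: payload may be remote
    else:
        findings["severity"] = "low"
    return findings


def make_inner_zip() -> bytes:
    """Constructed payload: a small ZIP archive, standing in for a dropped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as inner:
        inner.writestr("readme.txt", "constructed sample, not malware")
    return buf.getvalue()


def build_sample(with_macros: bool, payload: Optional[bytes]) -> bytes:
    """Construct a minimal OOXML-like package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("_rels/.rels", "<Relationships/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE compound-file magic followed by filler: a stand-in VBA project.
            pkg.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(32))
        if payload is not None:
            pkg.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [
        ("benign", build_sample(False, None)),
        ("macros only", build_sample(True, None)),
        ("macros + zip", build_sample(True, make_inner_zip())),
        ("macros + pe", build_sample(True, MZ_MAGIC + bytes(64))),
    ]:
        print(label, "->", triage_ooxml(doc))
```

Header-based classification is deliberate: renaming `payload.zip` to `oleObject1.bin` does not change its first four bytes. The `review` tier exists because the remote-hosting variant the article describes leaves nothing embedded to find, so a macro project alone is still worth a look.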

Transparent Tribe uses fake domains that mimic legitimate Indian military and defense organizations, as well as hosting and file-sharing websites such as drivestransfer[.]com and file-attachment[.]com.

The maldoc lures used in the attacks have changed as well. The attackers moved from popular news topics to primarily military-themed maldocs that mimicked logistical or operational documents.

“These examples highlight Transparent Tribe’s heavy reliance on social engineering as a core TTP and the group’s efforts to make their operations appear as legitimate as possible,” said researchers.

While still primarily targeting military and defense personnel, the group has expanded to other organizations: diplomatic entities, research organizations, defense contractors, and conference attendees. One maldoc looked like an agenda for a panel series by the Heart of Asia Society 2020.

Malhotra believes that the Transparent Tribe group will continue to evolve its toolkit, stealth mechanisms, and social engineering tactics to infect high-value victims in military and defense sectors.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.