Like fraud or espionage? Transparent Tribe lured Indian and Pakistani officials

Campaign overview

In addition to the built-in work chat functionality of the original, legitimate app, the trojan version includes malicious code that we have identified as the CapraRAT backdoor. Transparent Tribe, also known as APT36, is a cyber espionage group known to use CapraRAT; we have also seen similar decoys deployed against its targets in the past. The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and extracting other sensitive information. Backdoors can also receive commands to download files, make calls, and send SMS messages. The campaign is narrowly targeted, and there’s nothing to indicate that this app was ever made available on Google Play.

We identified these campaigns when analyzing posted samples Twitter which is interesting because of the matching snort rules for CrimsonRAT and AndroRAT. Snort rules identify and warn of malicious network traffic and can be written to detect certain types of attacks or malware.

CrimsonRAT is Windows malware, only known to be used by Transparent Tribe. In 2021, the group started targeting the Android platform, using a modified version of the open source RAT called AndroRAT. It bears a resemblance to CrimsonRAT, and is named CapraRAT by Trend Micro at his research.

MeetApp

Based on the Android Package Kit (APK) name, the first malicious application was branded MeetsApp and claimed to provide secure chat communication. We were able to find a website where this sample can be downloaded (meetapp(.) org); see Figure 1.

Figure 1. The website of the CapraRAT distribution masquerading as MeetsApp

That page’s download button leads to an Android app of the same name; Unfortunately, the download link is no longer active (https://phone-drive(.)online/download.php?file=MeetsApp.apk). At the time of this research, phone-drive(.)online resolved for 198.37.123(.)126which is the same IP address as phone-drive. online. geo-news(.) tvused in the past by Transparent Tribe to contain the spyware.

Meet

Analysis of the MeetsApp distribution website shows that some of its resources are hosted on other servers with similar domain names – meet-up-chat(.) com – use a similar service name. The site also provides an Android messaging app, MeetUp, for download under the same package name (com.meetup.app) whereas for MeetsApp, and has the same website logo, as can be seen in Figure 2.

Figure 2. The distribution site CapraRAT masquerading as MeetUp

Attribution to the Transparent Tribe

Both apps – from tweets and from samples downloaded from meet-up-chat(.) com – include the same CapraRAT code, communicate with the same C&C server (66.235.175(.)91:4098), and the APK file is signed using the same developer certificate.

Therefore, we firmly believe that both websites are created by the same threat actor; both domains were registered at almost the same time – July 9th^th and July 25^th2022.

Both apps are based on the same legitimate code trojaned with the CapraRAT backdoor code. The messaging function appears to have been developed by a threat actor or discovered (possibly purchased) online, as we were unable to identify its origin. Before using the app, victims need to create an account that is linked to their phone number and requires SMS verification. Once this account is created, the app requests further permissions that allow full backdoor functionality to work, such as accessing contacts, call logs, SMS messages, external storage, and recording audio.

Domain phone-drive(.)online where a malicious MeetsApp APK was placed started resolving to the same IP address around the same time as the domain phone-drive. online. geo-news(.) tv which was used in past campaigns controlled by the Transparent Tribe, as reported by Cisco. In addition, the malicious code from the analyzed samples was seen in the previous campaigns reported by Micro Trends where CapraRAT is used. In Figure 3 you can see a comparison of the dangerous class names of CapraRAT available from 2022-01 on the left side, and the latest variants have the same class names and functions.

Figure 3. Comparison of dangerous class names of old CapraRAT (left) and newer versions (right)

Victim

During our investigation, weak operational security resulted in the disclosure of some victim data. This information allowed us to geolocate more than 150 victims in India, Pakistan, Russia, Oman and Egypt, as seen in Figure 4.

Figure 4. Distribution of victims

Based on our research, potential victims were persuaded to install the app via a honey trap romance scam operation, where they were likely first contacted on a different platform and then coaxed into using a “safer” one. MeetApp or Meet application. We have previously seen such decoys used by Transparent Tribe operators against their targets. Finding a cell phone number or email address they can use to make their first contact is usually not difficult.

Technical analysis

Early access

As described above, which is dangerous Meet application is available at meet-up-chat(.) comand we believe with high confidence that it is dangerous MeetApp available in meetapp(.) org. No apps will be installed automatically from this location; victims must choose to download and install the application manually. Considering that only a handful of individuals were compromised, we believe that potential victims are highly targeted and cajoled into using romance schemes, with the operator Transparent Tribe most likely establishing first contact via another messaging platform. After gaining the victims’ trust, they suggest moving to another – supposedly more secure – chat application available on one of the malicious distribution websites.

There’s no subterfuge to suggest the app is available on Google Play.

Device

Once the victim logs into the app, the CapraRAT then starts interacting with its C&C server by sending basic device info and waiting to receive commands to execute. Based on this command, CapraRAT is capable of exfiltrating:

• call logs,
• contact list,
• message,
• recorded phone calls,
• ambient audio recording,
• Screenshot taken by CapraRAT,
• Photo taken by CapraRAT,
• list of files on device,
• specific files from the device,
• device location,
• list of running applications, and
• text all notifications from other apps.

It can also receive commands to download files, launch any installed application, kill any running application, make calls, send SMS messages, intercept received SMS messages, and download updates and ask the victim to install them.

Conclusion

The mobile campaign operated by Transparent Tribe is still active, presenting itself as two messaging apps, used as cover to distribute its Android CapraRAT backdoor. Both applications are distributed via two similar websites which, by their description, provide secure messaging and calling services.

Transparent Tribe might use the bait of an amorous scam to lure victims into installing the app and continue to communicate with them using the malicious app to keep them on the platform and make their devices accessible to attackers. CapraRAT is controlled remotely and based on commands from the C&C server, CapraRAT can extract any sensitive information from its victim’s device.

The operator of this application has poor operational security, so the victim’s PII is exposed to our researchers, on the open internet. Because of this, it was possible to get some information about the victims.

IoC

Files

Network

MITER ATT&CK technique

This table was created using version 12 MITER ATT&CK framework.