Pakistan-based Transparent Tribe Hacker Targets Indian Educational Institutions
That Transparent Tribe Threat actors have been linked to a suite of Microsoft Office documents armed in an intrusion directed against India’s education sector to spread a well-maintained malware called Crimson RAT.
While the allegedly Pakistan-based threat group is known to target military and government entities in the country, its activities have expanded to include the education vertical.
The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active since 2013. Educational institutions have been receiving enemy attacks since late 2021.
“Crimson RAT is consistent tree in that group malware repository used by the enemy in his campaign,” SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News.
The .NET malware has the function of extracting system files and data to an actor-controlled server. It’s also built in with the ability to capture screenshots, terminate running processes, and download and execute additional payloads to log keystrokes and steal browser credentials.
Last month, ESET linked Transparent Tribe to a cyber espionage campaign aimed at infecting Indian and Pakistani Android users with a backdoor called CapraRAT.
Analysis of the Crimson RAT sample reveals the presence of the word “Wibemax”, which corroborates a previous report from Fortinet. Although the name fits the Pakistani software development company, it was not immediately clear whether it had any direct links to the threat actor.
That said, it should be noted that Transparent Tribe has in the past utilized the infrastructure operated by a web hosting provider called Zain Hosting in attacks targeting India’s education sector.
Documents analyzed by SentinelOne display educational-themed content and names such as assignment or Assignment-no-10, and use malicious macro code to launch the Crimson RAT. Another method involves using OLE embedding to stage malware.
Master the Art of Dark Web Intelligence Gathering
Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!
“Malicious documents that employ this technique require the user to double-click elements of the document,” Milenkoski explained. “These documents distributed by Transparent Tribe typically display an image (‘View Document’ graphic) indicating that the document content is locked.”
This, in turn, tricks the user into double-clicking the graphic to view the content, thereby activating the OLE package that stores and runs the Crimson RAT incognito as an update process.
Variants of the Crimson RAT have also been observed to delay their execution for specific periods of time that range between one minute and four minutes, not to mention applying different obfuscation techniques using tools such as Crypto Obfuscator and Eazfuscator.
“Transparent Tribe is a highly motivated and persistent threat actor who regularly updates its malware arsenal, operational guidelines and targets,” said Milenkoski. “Transparent Tribe’s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.”