
The Transparent Tribe threat actor has been linked to a series of Microsoft Office documents weaponized in an attack targeting the Indian education sector using a continuously maintained malware called Crimson RAT.
The suspected Pakistan-based threat group is known for targeting India's military and government entities, but has since expanded its activities into the education sector.
Also known as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, the hacking group has been active since 2013 and has been attacking educational institutions since late 2021.
In a report shared with The Hacker News, SentinelOne researcher Aleksandar Milenkoski said, “The Crimson RAT is a consistent staple in the group’s malware arsenal used by adversaries in their campaigns.”
The malware can exfiltrate files and system data to attacker-controlled servers, capture screenshots, terminate running processes, download and execute additional payloads, record keystrokes, and steal browser credentials.
Last month, ESET assessed that Transparent Tribe was involved in a cyber espionage campaign aimed at infecting Android users in India and Pakistan with a backdoor called CapraRAT.
Analysis of the Crimson RAT sample revealed the presence of the word “Wibemax”, corroborating previous reports from Fortinet. Although the name matches that of a Pakistani software development company, it is not immediately clear if it is directly related to the attackers.
However, it is worth noting that Transparent Tribe has previously used infrastructure operated by a web hosting provider called Zain Hosting to target India’s education sector.
The documents analyzed by SentinelOne carry education-themed content and names such as Assignment or Assignment-10, and use malicious macro code to launch Crimson RAT. Another method stages the malware through OLE embedding.
“A malicious document that implements this technique requires the user to double-click on the document element,” explains Milenkoski. “These documents distributed by Transparent Tribe typically display an image (a ‘document view’ graphic) indicating that the contents of the document are locked.”
This tricks the user into double-clicking the graphic to view the content, activating an OLE package that saves and runs the Crimson RAT under the guise of an update process.
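The two staging methods described above, a VBA macro project and an embedded OLE package object, both leave visible parts inside an Office Open XML container. The following triage script is an added example, not code from SentinelOne or the article; it uses only the Python standard library and builds a constructed sample .docx in memory so it can run offline.

```python
# Added triage example: flag OOXML files (docx/xlsx/pptx) that carry a VBA project
# or embedded OLE objects. Sample documents below are constructed, not real lures.
import io
import re
import zipfile

VBA_CT = "application/vnd.ms-office.vbaProject"
OLE_CT = "application/vnd.openxmlformats-officedocument.oleObject"
EMBED_RE = re.compile(r"^(word|xl|ppt)/embeddings/.+", re.IGNORECASE)

# Constructed [Content_Types].xml fragments for the staged and clean samples.
STAGED_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    f'<Default Extension="bin" ContentType="{OLE_CT}"/>'
    f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/></Types>'
)
CLEAN_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)


def triage_ooxml(data: bytes) -> dict:
    """Report which staging indicators an OOXML container carries."""
    findings = {"vba_project": False, "ole_embeddings": [], "content_types": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["content_types"] = [ct for ct in (VBA_CT, OLE_CT) if ct in types_xml]
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings["vba_project"] = True
            elif EMBED_RE.match(name):
                findings["ole_embeddings"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either indicator alone is enough to route the file to analysis."""
    return findings["vba_project"] or bool(findings["ole_embeddings"])


def build_sample_docx(staged: bool) -> bytes:
    """Constructed minimal docx; the binary parts are placeholders, not real macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", STAGED_TYPES if staged else CLEAN_TYPES)
        zf.writestr("word/document.xml", "<w:document/>")
        if staged:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
            # OLE compound-file magic followed by padding, standing in for a Package object
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for staged in (True, False):
        result = triage_ooxml(build_sample_docx(staged))
        print("suspicious" if is_suspicious(result) else "clean", result)
```

A hit on either indicator only means the file warrants sandbox or analyst review; legitimate documents also embed objects and macros.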
Crimson RAT variants have also been observed to delay execution for set periods ranging from 1 minute to 4 minutes, and to implement various obfuscation techniques using tools such as Crypto Obfuscator and Eazfuscator.
“Transparent Tribe is a highly motivated and relentless threat actor who regularly updates its malware arsenal, operational strategies, and targets,” said Milenkoski. “The Transparent Tribe’s ever-changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.”