New hacking campaign by Transparent Tribe Hackers targeting Indian officials


A threat actor of likely Pakistani origin has been attributed to another campaign designed to compromise targets of interest with a Windows-based remote access Trojan named CrimsonRAT since at least June 2021.

“Transparent Tribe has been a very active APT group in the Indian subcontinent,” Cisco Talos researchers said in an analysis shared with The Hacker News. “Their primary targets have been government and military personnel in Afghanistan and India. This campaign reinforces that targeting and their central goal of establishing long-term access for espionage.”


Last month, the Advanced Persistent Threat extended its malware toolset to compromise Android devices with a backdoor codenamed CapraRAT that has a high “crossover degree” with CrimsonRAT.

The latest set of attacks detailed by Cisco Talos involves the use of fake domains that impersonate legitimate government and related organizations to deliver the malicious payloads, including a Python-based stager used to install reconnaissance tools and .NET-based RATs, as well as a .NET-based barebones implant to execute arbitrary code on the infected system.

Transparent Tribe Hackers

Besides continuously evolving their deployment tactics and malicious features, Transparent Tribe is known to rely on a variety of delivery methods, such as executables masquerading as installers of legitimate applications, archives and weaponized documents to target Indian entities and individuals.


One of the downloader executables masquerades as Kavach (meaning "armor" in Hindi), a two-factor authentication solution mandated by the Indian government for access to its email services, in order to deliver the malicious artifacts.

Also used are COVID-19-themed decoy images and virtual hard disk files (VHDX files), which serve as a launching pad to fetch additional payloads from a remote command-and-control server, such as CrimsonRAT, which is used to collect sensitive data and establish long-term access to victim networks.

"The use of multiple types of delivery vehicles and new bespoke malware that can be easily modified for agile operations indicates that the group is aggressive and persistent, nimble and constantly evolving its tactics to infect its targets," the researchers said.
