Transparent Tribe campaign targeting Indian government officials

The hacking campaign has spread backdoor malware to targets since June 2021

New hacker campaign discovered to spread new RAT malware

Threat actors most likely linked with Pakistanian hackers groups released another backdoor malware campaign. The malware is a Windows-based remote access trojan named CrimsonRAT.^[1] Reports state that the Transparent Tribe group is an active APT running attack in the Indian subcontinent.^[2]

Researchers^[3] state that the primary targets of the hacker group have been government and military personnel in India and Afghanistan. The main goal is establishing long-term access to networks and espionage, but the particular campaign shows further movement besides this common goal.

Recently the malware tools used by this group got improved, and Android devices can now be attacked using CapraRAT malware that shares multiple crossover features with the CrimsonRAT.^[4] These latest attacks involve the use of various domains mimicking legitimate government sites.

Malicious payload delivered via legit site copies

Cisco Talos research group discovered these new campaigns from Transparent Tribe hackers that target Indian government and military entities. Hackers use RAT malware^[5] and stagers, implants to achieve their attack goals. The long-going campaign mimics particular legitimate government and related organization sites to deliver the malware files. This is a common method for this group.

The group has managed to alter its distribution methods over the last year. Various new methods got incorporated to help actors to affect more victims. Various stagers, downloaders, other small malware can be easily modified and quickly added to these malicious operations.

The Python-based stager used by the attackers is used to install .NET-based reconnaissance tools besides those RAT malware. These methods allow the virus to run arbitrary code on the targeted network or system. The group is known for changing malicious tactics and malware functionalities, so Transparent Tribe relies on executables impersonating installers of legit applications, archive files, weaponized documents.

Targets: Indian entities and individuals

Transparent Tribe is the suspected Pakistan-linked threat actor, and the group mainly targets individuals and entities associated with governments and military personnel in India. It is known that the same group released their CrimsonRAT implant targeting particular human rights activists in Pakistan regions.

The latest variants of downloaders mimic the installer for the Kavach and deliver malicious files to targeted systems. This app is used by various government personnel because it allows employees to access IT resources of the Indian government, like email services. Military personnel also use the app for this.

Campaigns also use the COVID-19 theme images to launch the vector for retrieving other malware payloads from remote servers. Then backdoors and RATs can be used to gather sensitive data and ensure long-term accession to the targeted systems.

The ever-changing tactics of the threat actor group allow them to change tactics and spread continuously. Transparent Tribe hacker group uses legitimate applications used by the government of India as a trick to lure people. The group is persistent and aggressive, all the techniques allow the malware to be modified easily, so the tactics help quickly and successfully target and infect machines.