Transparent Tribe hackers target Indian government entities

The Transparent Tribe hackers are back with a vengeance, this time targeting India’s government and military entities with a new malware arsenal.

Transparent Tribe, also known as APT36 and Mythic Leopard, is an advanced persistent threat (APT). Active since 2013, it operates in 30 countries and continues to create fake domains mimicking legitimate military and defense organisations as a core component of their operations.

Transparent Tribe is suspected to be of Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021.

"Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis. "Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage."

The past themes included topics such as Covid-19, the APT moves with times and adapts various traits and trends. The latest samples include a fake version of Kavach, an Indian government-mandated two-factor authentication solution required for accessing email services, in order to deliver the malicious artifacts. 

In the latest campaign conducted by the threat actor, Cisco Talos researchers observed multiple delivery methods, delivery vehicles and file formats indicating that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT, alongside two previously unobserved strains of malware.

These infection chains led to the deployment of other variants such as a previously unknown Python-based stager that leads to the deployment of NET-based reconnaissance tools and RATs that run arbitrary code on the infected system.

They have continued the use of fake domains masquerading as government and quasi-government entities, as well as the use of generically themed content-hosting domains to host malware. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets.

"The use of multiple types of delivery vehicles and new bespoke malware that can be easily modified for agile operations indicates that the group is aggressive and persistent, nimble, and constantly evolving their tactics to infect targets," the researchers said.

Last month, the advanced persistent threat expanded its malware toolset to compromise Android devices with a backdoor named CapraRAT that exhibits a high "degree of crossover" with CrimsonRAT, which is used to gather sensitive data and establish long-term access into victim networks, the researchers said.