The Transparent Tribe threat group has continued to upgrade its arsenal, adding new tools, tactics, techniques, and procedures (TTPs). This advanced persistent threat group, also known as APT36, has been active throughout this year with many custom malware strains, such as CrimsonRAT and ObliqueRAT.
According to researchers, its most recent activity is launching a malicious campaign involving a data exfiltration kit dubbed Limepad. The Pakistan-affiliated threat group heavily focuses on Indian government employees to disseminate the payload.
Malvertisement is the primary distribution tool used by Transparent Tribe hackers.
The researchers stated that the Transparent Tribe operators exploit Google advertisements to spread their malvertising campaign and distribute the trojanised versions of a 2FA solution called Kavach.
The actors control several third-party app stores and utilise them as a gateway to redirect targeted users to a hacker-registered domain that hosts the latest backdoored variants of applications connected to the Indian government.
Subsequently, Transparent Tribe hackers use the Limepad kit to steal data from the compromised target and upload it to the attacker-controlled server. The Limepad developers built the tool to collect and transfer stolen data efficiently.
The Limepad tool is modular and includes several Python archives that the threat actors created to support its primary exfiltration feature.
The APT36 threat group has registered multiple domains that spoof the Indian government and organisations’ websites to deploy their credential stealing and phishing campaigns.
The most well-known site that Transparent Tribe impersonates is the login page of Kavach, operated by the NIC (National Informatics Centre). When a user accesses the spoofed domain, the page redirects them to a further malicious domain only if the request originates from a legitimate Indian IP address, which limits exposure of the phishing content to the intended targets.
These specially developed phishing pages then send the stolen credentials to a remote server to be used by its operators for more attacks against government-related entities.
Experts claimed that Limepad’s core features suggest it could soon become a first-choice tool for threat groups, since it can establish long-term access to a targeted network.
Cybersecurity experts warn Indian entities that Transparent Tribe could pose a more significant threat in future, since the group has already used Limepad effectively even though the kit is still under development.