Transparent Tribe threatens to target India’s academic sector

April 20, 2023

The Pakistan-based threat group Transparent Tribe (APT36) has been targeting a range of entities for nearly a decade. Although it is not a sophisticated cybercriminal operation, the group has steadily upgraded its tooling, and recent reports claim it is now eyeing the Indian academic sector as a new target.

Moreover, some researchers claimed that the group has started infecting Indian organisations with Crimson RAT.

The Transparent Tribe uses malicious documents that include a remote access trojan.

According to investigations, Transparent Tribe distributes Crimson RAT through documents that carry either malicious macros or an embedded OLE object. In the macro variant, the malicious macro code executes once the target opens the document.

Some of the macro-laced documents carry education-themed text related to India, which the group uses to diversify its lures.

The OLE-embedding variant instead places a lure inside the document that prompts the user to double-click it to view "locked" content. Doing so activates an embedded OLE package that stores and executes Crimson RAT.
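Both delivery mechanisms described above leave static traces inside the Office file itself: a VBA project part for the macro variant and a binary part under an embeddings folder for the OLE-package variant. The following Python script is an added defensive example, not the article's or the threat group's code; it triages an OOXML package (docx/docm/xlsx/pptx) held in memory for those two indicators and builds its own constructed sample documents so it runs offline. The content-type strings and the compound-file header it checks are the standard OOXML and OLE values; the helper and sample names are assumptions of this example.

```python
"""Static triage of OOXML files for VBA macro projects and embedded OLE packages.
Added example; sample documents below are constructed in memory, not real lures."""
import io
import zipfile

# Magic bytes of an OLE compound file binary (CFB) container, which is what an
# embedded OLE package is stored as inside word/embeddings/ (or xl/, ppt/).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_ooxml(data: bytes) -> dict:
    """Return the macro / OLE indicators found in an OOXML package."""
    result = {
        "valid_ooxml": False,
        "macro_project": False,       # a vbaProject.bin part is present
        "macro_enabled_type": False,  # main part declared as a macroEnabled type
        "type_mismatch": False,       # VBA part present but document not macro-enabled
        "ole_embeddings": [],         # parts under an embeddings/ folder
        "verdict": "clean",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all, so not OOXML
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result  # every OOXML package must carry this part
    result["valid_ooxml"] = True

    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # Word, Excel and PowerPoint macro-enabled main-part types all contain "macroEnabled".
    result["macro_enabled_type"] = "macroEnabled" in ctypes

    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            result["macro_project"] = True
        if "/embeddings/" in lower:
            blob = zf.read(name)
            result["ole_embeddings"].append({
                "path": name,
                "size": len(blob),
                "cfb_header": blob.startswith(OLE_MAGIC),
            })

    result["type_mismatch"] = result["macro_project"] and not result["macro_enabled_type"]
    if result["macro_project"] or result["ole_embeddings"]:
        result["verdict"] = "review"
    return result


def build_sample(macro: bool = False, ole: bool = False) -> bytes:
    """Construct a minimal Word-style OOXML package in memory (constructed test data)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    if ole:
        overrides.append('<Override PartName="/word/embeddings/oleObject1.bin" '
                         'ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder VBA project bytes
        if ole:
            # A CFB header followed by filler stands in for a real OLE package part.
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("plain", build_sample()),
                       ("macro", build_sample(macro=True)),
                       ("ole", build_sample(ole=True))]:
        print(label, triage_ooxml(doc)["verdict"])
```

Run against a mail-gateway quarantine or a user-submitted document, a "review" verdict is a prompt for analyst attention rather than a malware call: legitimate macro-enabled documents and embedded spreadsheets also trip these checks, so the value lies in routing documents with active content away from users who had no reason to expect it.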

The Crimson RAT variants utilise several obfuscation tactics, like dynamic string resolution and function name malformation.

One sample, NewOrleans, is protected with Eazfuscator, a commercial obfuscation tool. Evidence from that sample shows that the Crimson RAT authors modified the obfuscator's trial-period check so that the malware keeps running even after the trial period has expired.

Researchers also noted that earlier Crimson RAT versions used Crypto Obfuscator, so the Transparent Tribe group has relied on several obfuscation tools across its operations.

Last month, cybersecurity experts discovered a Transparent Tribe campaign that targeted Pakistani and Indian Android users. The threat actors employed a honey-trap romance scam to spread the CapraRAT backdoors.

This threat group lacks sophistication but makes up for it with constant upgrades and persistence in pursuing its targets. It has also continuously expanded its malware arsenal and operational playbook to make its attacks more potent.

The group has long been targeting different organisations in India. Therefore, these entities should remain vigilant and employ more competent cybersecurity defences to avoid getting attacked by these campaigns.
