Transparent Tribe APT Hackers Target Indian Officials & Military

Another Windows-based remote access Trojan, named CrimsonRAT, has been attributed to a threat actor of likely Pakistani origin. The malware is at least six months old and was first reported back in late June.

The name Transparent Tribe might sound familiar to some of you. Cisco Talos has been investigating this group for a while and found that it is a highly active APT in the Indian subcontinent. It has been targeting government and military personnel in Afghanistan and India for espionage. The campaign revealed today extends its target list and central goals, establishing the group as a long-term threat to these areas.

Recently, the advanced persistent threat extended its malware toolset to Android devices with a new backdoor named CapraRAT. This tool overlaps heavily with CrimsonRAT.

Cisco Talos recently discovered that the latest set of cyberattacks involved making use of fake domains to deliver malware payloads, including a Python-based stager that installs .NET-based reconnaissance tools and RATs.

[Image credit: Talos]

Transparent Tribe is known to use a variety of delivery methods, including executables impersonating installers of legitimate applications and archives to target Indian entities and individuals.

One of the malicious executable downloads poses as a legitimate Indian government-mandated two-factor authentication solution called Kavach; this two-factor authentication solution is required for accessing email services in India.

Additionally, there are COVID-19-themed decoy images and virtual hard disk files (VHDX files) that are used as a launchpad for retrieving additional payloads from a remote command-and-control server. CrimsonRAT, for instance, is often used to gather sensitive data and establish long-term access to victim networks.
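Because a virtual disk file used as a launchpad may arrive under a misleading name or extension, a defender wants to recognise the container by its on-disk signature rather than by its file name. The following Python is an added illustration, not code from the article or from Cisco Talos: it classifies byte buffers as VHDX or VHD using the fixed signatures of those formats (`vhdxfile` at offset 0 for VHDX; the `conectix` footer cookie for VHD, which dynamic disks also mirror at offset 0) and runs over a small set of constructed samples. The sample names and contents are made up for the example.

```python
"""Flag VHDX/VHD virtual disk files by signature, independent of extension.

Added example for illustration; not Talos or article code. Sample inputs
below are constructed, not captured from a real campaign.
"""
from typing import Dict, List, Optional, Tuple

VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of every VHDX file header
VHD_COOKIE = b"conectix"      # VHD footer cookie (last 512 bytes of the file)
VHD_FOOTER_SIZE = 512


def classify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None depending on which signature is present."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Dynamic and differencing VHDs carry a copy of the footer at offset 0;
    # fixed-size VHDs only have the footer at the very end of the file.
    if data[:8] == VHD_COOKIE:
        return "vhd"
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:-VHD_FOOTER_SIZE + 8] == VHD_COOKIE:
        return "vhd"
    return None


def scan_samples(samples: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """Return (name, kind, disguised) for every sample that is a virtual disk.

    'disguised' is True when the file name does not end in .vhd/.vhdx, which
    is the case a defender most wants to surface.
    """
    findings = []
    for name, data in samples.items():
        kind = classify_disk_image(data)
        if kind is None:
            continue
        disguised = not name.lower().endswith((".vhd", ".vhdx"))
        findings.append((name, kind, disguised))
    return findings


# Constructed samples (hypothetical names and minimal headers, not real files).
SAMPLES: Dict[str, bytes] = {
    "report.vhdx": VHDX_SIGNATURE + b"\x00" * 504,                 # honest VHDX
    "covid_update.jpg": VHDX_SIGNATURE + b"\x00" * 504,            # VHDX under an image name
    "backup.vhd": b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504,     # fixed VHD, footer at end
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,           # genuine PNG, ignored
    "notes.txt": VHD_COOKIE + b"\x00" * 504,                       # dynamic VHD under .txt
}


if __name__ == "__main__":
    for name, kind, disguised in scan_samples(SAMPLES):
        flag = "DISGUISED" if disguised else "ok"
        print(f"{name}: {kind} [{flag}]")
```

Running the block prints the three virtual disks among the five samples, with `covid_update.jpg` and `notes.txt` marked as disguised. A check like this belongs at the mail gateway or on a file-ingestion pipeline; the reason it matters is that Windows mounts these containers on double-click, so a payload inside one is not screened the way a directly downloaded executable would be.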

Researchers said that the group has deployed a few new pieces of malware that do not rely on executable files, and that it has also created a new payload delivery method. They say this shows the actors are persistently evolving their tactics and constantly looking to infect new targets.