A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021.
"Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis shared with The Hacker News. "Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage."
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
Last month, the advanced persistent threat expanded its malware toolset to compromise Android devices with a backdoor named CapraRAT that exhibits a high "degree of crossover" with CrimsonRAT.
The latest set of attacks detailed by Cisco Talos involves making use of fake domains that mimic legitimate government and related organizations to deliver the malicious payloads, including a Python-based stager used to install .NET-based reconnaissance tools and RATs as well as a barebones .NET-based implant to run arbitrary code on the infected system.
Besides continually evolving their deployment tactics and malicious functionalities, Transparent Tribe is known to rely on a variety of delivery methods, such as executables impersonating installers of legitimate applications, archive files, and weaponized documents to target Indian entities and individuals.
One of the downloader executables masquerades as Kavach (meaning "armor" in Hindi), an Indian government-mandated two-factor authentication solution required for accessing email services, in order to deliver the malicious artifacts.
Also put to use are COVID-19-themed decoy images and virtual hard disk files (aka VHDX files) that are used as a launchpad for retrieving additional payloads from a remote command-and-control server, such as the CrimsonRAT, which is used to gather sensitive data and establish long-term access into victim networks.
While CrimsonRAT is the "staple implant of choice" for the hacking crew to carry out espionage activities in campaigns that are meant to ensnare a wide swath of victims, the APT has also been observed deploying ObliqueRAT in "highly targeted attacks on government personnel and in operations where stealth is a prime focus of the attackers' infection chain."
The steady diversification of their malware portfolio notwithstanding, this is far from the first time Transparent Tribe has used legitimate applications maintained by the government of India as a lure.
In September 2021, Cisco Talos unmasked an overlapping campaign called "Operation Armor Piercer" that utilized themes centered around operational documents and guides pertaining to the Kavach app to deliver the Netwire and Warzone (AveMaria) trojans.
Another notable activity is a July 2021 campaign undertaken by a threat actor called SideCopy, which is known to strike government personnel in India using themes and tactics similar to that of the Transparent Tribe group to distribute its own set of malware payloads.
This constituted dropping a Golang-based module called Nodachi that's designed to conduct reconnaissance and steal files related to Kavach, with the end goal of siphoning access credentials from Indian government employees.
"The use of multiple types of delivery vehicles and new bespoke malware that can be easily modified for agile operations indicates that the group is aggressive and persistent, nimble, and constantly evolving their tactics to infect targets," the researchers said.