Threat actors belonging to the notorious Transparent Tribe group have launched another cyber attack campaign, this time targeting Indian officials. They are using a Windows-based Remote Access Trojan named CrimsonRAT and creating backdoor targets among Indian governmental and military personnel.
Cisco Talos researchers are hot on the case. Here is an update they shared:
“Transparent Tribe has been a highly active APT group in the Indian subcontinent. Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage.”
Very recently, this Advanced Persistent Threat group, Transparent Tribe, had recently modified its malware toolset to include attacks on Android devices with a backdoor named CapraRAT. Sharp similarities have been observed between CapraRAT and CrimsonRAT, hence the suspicion that Transparent Tribe is the one behind this new tirade of backdoor attacks.
The Nuts and Bolts of CrimsonRAT
Cisco Talos researchers have explained in detail how CrimsonRAT is operating. It starts by using fake domains that have been spoofed from legitimate governmental (and related) email domains. By ‘borrowing’ these domains, Transparent Tribe is delivering malicious payloads to higher-level personnel belonging to the Indian government and military.
The payload includes a Python language stager that installs Microsoft .NET spyware and Remote Access Trojans. To do this, CrimsonRAT installs a bare .NET shell to run the malicious code.
Why does Transparent Tribe pose such a serious threat?
Transparent Tribe is known to constantly evolve their attack methods and toolsets. They also innovate the way they deliver their malicious code to their victims, through clever impersonations. Their payloads are embedded deep in installers for legitimate applications (the .exe files) that are incredibly tough to detect.
For instance, their malware is known to piggyback on the downloadables of Kavach (Hindi for Armour) which is Indian government’s mandatory 2FA solution for email services.
Moreover, there is deemed to be a political angle to their victimization as most of their targets are Indian officials and entities.
Victims are also at risk for future exposure as they don’t leave quietly, but rather create backdoors for further illegal access into the victim’s network. They use this for high-level governmental espionage activities, and CrimsonRAT seems to be their go-to malware toolset to do this. “The use of multiple types of delivery vehicles and new bespoke malware that can be easily modified for agile operations indicates that the group is aggressive and persistent, nimble, and constantly evolving their tactics to infect targets,” the Cisco Talos researchers said.