Transparent Tribe Hackers Targeting Indian Educational Institutions
The well-known Crimson RAT was recently found to be distributed through a number of malicious Office files.
The Transparent Tribe group (also known as APT36), which has actively targeted India’s educational sector, is known for using this RAT.
The group is believed to be based in Pakistan and has been operating since 2013. Transparent Tribe continually adjusts its operational methods; it is not especially sophisticated, but it is quite persistent.
Transparent Tribe, which has previously focused its attacks on Indian military and government personnel, has shifted its targeting.
It has been observed that the group recently expanded its scope to include educational institutions in the Indian subcontinent and the students who attend them.
Crimson RAT is a constant in the malware arsenal the group uses in its campaigns.
Transparent Tribe’s documents are created to appear to be educational materials.
- Assignment
- Assignment-no-10
The creation dates on all of these documents range from July to August 2022. Email phishing campaigns are believed to have been used to deliver the malicious Office documents carrying Crimson RAT to their intended victims.
The threat actors have used a number of hosting providers to host the malicious documents.
Besides hosting services, the group also registered domains of its own, such as:
- fileditch[.]ch
- cloud-drive[.]store
- drive-phone[.]online
Technical Analysis of the Crimson RAT
SentinelLabs’ analysis of the malicious files linked to the Crimson RAT revealed that the attack strategy entails setting up the RAT using:
- Microsoft Office macros
- OLE embedding
The macros used to distribute Crimson RAT construct and decompress an embedded archive file in the following location:
- %ALLUSERSPROFILE%
On most systems this path resolves to:
- C:\ProgramData
After unpacking this archive, the macros execute the Crimson RAT payload. Some macros also add text to the document; this text mainly refers to education and, in some cases, to India.
In addition to using macros to stage Crimson RAT, Transparent Tribe has also used OLE embedding. Some elements of malicious documents that use this technique need users to double-click. When Transparent Tribe distributes a document, it displays a picture as a graphic labelled “View Document.”
Transparent Tribe entices unsuspecting viewers to double-click the “View Document” icon. Doing so launches an OLE package that stores and runs Crimson RAT, disguised as a Microsoft update process named “MicrosoftUpdate.exe.”
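As an added, defender-side example (not from the original article or from SentinelLabs), the following Python classifies constructed process-creation events against the staging behaviour described above: an Office application spawning an executable, an executable running out of C:\ProgramData (where %ALLUSERSPROFILE% resolves), or a binary named MicrosoftUpdate.exe outside the Windows directory. The Sysmon-style field names and the sample paths are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\ProgramData\MicrosoftUpdate.exe"},          # macro/OLE staging as described
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},  # user opens Word
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wuauclt.exe"},             # genuine Windows Update client
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\7za.exe"},    # Office spawning a binary elsewhere
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
STAGING_DIRS = ("c:\\programdata\\",)       # %ALLUSERSPROFILE% on modern Windows
MASQUERADE_NAMES = {"microsoftupdate.exe"}  # name used by the OLE-delivered payload
LEGIT_UPDATE_DIRS = ("c:\\windows\\",)      # real update components live under the Windows directory


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of detection reasons that fire for one process-creation event."""
    reasons = []
    parent = basename(event["ParentImage"])
    image = event["Image"].lower()
    child = basename(image)
    # Office applications rarely need to launch executables directly.
    if parent in OFFICE_APPS and child.endswith(".exe"):
        reasons.append(f"office_spawned_exe:{parent}->{child}")
    # Executables dropped into the archive staging directory.
    if image.startswith(STAGING_DIRS):
        reasons.append("exe_in_programdata")
    # An "update" binary that does not live where Windows keeps update components.
    if child in MASQUERADE_NAMES and not image.startswith(LEGIT_UPDATE_DIRS):
        reasons.append("update_name_outside_windows_dir")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```

The first sample event trips all three rules; a single rule firing (as for the Excel event) is a weaker signal worth correlating with the document's origin and hash.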
Characteristics of the Crimson RAT
Crimson RAT’s essential capabilities are listed below:
- Exfiltrate system information
- Take pictures
- Launch processes
- Stop processes
- List files
- List drives
Overall, a thorough examination of the group’s tactics reveals a distinct propensity for using OLE embedding to spread malware from enticing documents.
The group has also adopted the Eazfuscator obfuscator to protect its Crimson RAT builds, which shows the attention it pays to keeping its operations effective and stealthy.
Author: Sayyam Gangwal