Operational Methodologies of Cyber Terrorist Organization “Transparent Tribe”

C M UPPIN
Published in InfoSec Write-ups, May 22, 2022

Hola Hackers! Today we are going to discuss the cyber-terrorist organization called Transparent Tribe, which operates from Pakistan.
In this research blog we will cover the history, tactics, techniques and procedures (TTPs) of Transparent Tribe.


Let’s start.

Transparent Tribe is a cyber-terrorist organization founded in 2013. It is also tracked under several other names, including Mythic Leopard, ProjectM, Copper FieldStone and APT36. Its prime targets are Indian Army officers, diplomats, research institutes and law-enforcement officers, and since 2016 the group has been increasingly active against Indian entities.

Transparent Tribe uses a Remote Access Trojan (RAT) called Crimson RAT, which the group develops and maintains itself. In recent years the group has adopted new tooling and social-engineering methods, including ObliqueRAT: in May 2021 the Cisco Talos Intelligence Group published a research report on Transparent Tribe showing that the group had added ObliqueRAT to its Windows malware arsenal.

The group relies on social engineering to get its malware onto the victim’s system. It registers fake domains that mimic the Indian Army and related organizations, for example the legitimate claws[.]in versus the malicious claws[.]com. The legitimate claws[.]in site belongs to an independent think tank that covers national security issues and focuses on military developments.
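A defender-side check for the domain mimicry described above, written for this post as an added example (it is not Transparent Tribe tooling or code from the original article): given a protected domain such as claws[.]in, it flags candidate registrations that reuse the name under another TLD, as a subdomain, inside a longer label, or with a one-character edit. The candidate list and the similarity threshold are constructed assumptions.

```python
# Added example (not from the original post): flag domains that mimic a
# protected organisation's domain the way claws[.]com mimics claws[.]in.
# Report-style defanged "[.]" notation is accepted and normalised.
from difflib import SequenceMatcher

SIMILARITY_THRESHOLD = 0.8  # assumption: tune against your own watch list

def refang(domain: str) -> list[str]:
    """Turn 'claws[.]in' into its lowercase labels ['claws', 'in']."""
    return domain.replace("[.]", ".").strip().lower().strip(".").split(".")

def lookalike_reason(candidate: str, protected: str):
    """Return why `candidate` resembles `protected`, or None if it does not."""
    c_labels, p_labels = refang(candidate), refang(protected)
    if len(c_labels) < 2 or len(p_labels) < 2 or c_labels == p_labels:
        return None  # single-label input or the identical domain
    c_name, c_tld = c_labels[-2], c_labels[-1]
    p_name, p_tld = p_labels[-2], p_labels[-1]
    if c_name == p_name and c_tld != p_tld:
        return "same name, different TLD"
    if p_name in c_labels[:-2]:
        return "protected name used as a subdomain label"
    if p_name in c_name and c_name != p_name:
        return "protected name embedded in a longer label"
    ratio = SequenceMatcher(None, c_name, p_name).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return f"near-identical name (similarity {ratio:.2f})"
    return None

def find_lookalikes(candidates, protected):
    """Map each suspicious candidate to the reason it matched."""
    hits = {}
    for cand in candidates:
        reason = lookalike_reason(cand, protected)
        if reason:
            hits[cand] = reason
    return hits

# Constructed watch-list run: only claws[.]in is the real domain from the post.
CANDIDATES = ["claws[.]com", "c1aws[.]in", "claws.attacker.example",
              "claws-login.example", "unrelated.example", "claws[.]in"]

if __name__ == "__main__":
    for domain, why in find_lookalikes(CANDIDATES, "claws[.]in").items():
        print(f"{domain}: {why}")
```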

Transparent Tribe also uses other operational methods to infect Indian Army personnel, such as posting Army-related articles on various websites. These articles contain malicious hyperlinks; when the user clicks one, it downloads the well-known “CrimsonRAT”, which is maintained and developed by the group.

Below are some of the article headlines and images used by Transparent Tribe, posted on “Indian News Tribe”, a site created by the group.
1) 4 Sikh Army Officers being trialed in military court on alleged involvement with KLF

Image by proofpoint

2) Seventh pay commission recommends overall hike of 23.55%.

Image by proofpoint

3) Seniors Juniors and coursemates please take a serious note about it.

Image by proofpoint

After the 2016 “Pathankot attack”, Transparent Tribe started a phishing campaign against top officials of the Indian Army and other organizations. They typically send .mp3 audio files, .pdf documents or videos carrying malicious payloads to the victim’s email address.

Published indicators of compromise (IOCs) for Transparent Tribe infrastructure include the IP addresses of its command-and-control servers and the malicious domains it registered.


Recently there was a similar espionage campaign against Indian Army officers, this one more sophisticated and better organized. The threat actor produced malicious clones of the Indian Army applications “ARMAAN” and “Hamraaz”. These legitimate applications were developed by the Indian Government for Army personnel: they provide salary information and payslip downloads along with other services, and they are used only by Indian Army personnel.

Images by Mobile Seva AppStore

The two malicious cloned applications, “ARMAAN” and “Hamraaz”, were hosted by the threat actor at armaanapp[.]in and hamraazapp[.]com. When a victim requests the download from these sites, which file is served depends on the request’s User-Agent: Android devices receive the malicious application, while PC users receive a non-malicious one. This technique is used to avoid detection.
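The User-Agent-dependent delivery described above leaves a detectable trace in web-proxy logs: the same URL returns an APK to Android clients and something else to desktop clients. The following detection is an added example written for this post (not CloudSEK’s or the original article’s code); the log lines, the User-Agent strings, store.example and all hashes are constructed placeholders, and only armaanapp[.]in comes from the post.

```python
# Added example (not from the original post): detect User-Agent-dependent
# delivery, where Android clients receive an APK that desktop clients never see.
# The log below is constructed; the hashes are placeholders, not real IOCs.
from collections import defaultdict

APK_TYPE = "application/vnd.android.package-archive"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 11; Pixel 4) Chrome/99"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99"

# Constructed proxy log: host, path, user-agent, response type, response sha256.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("armaanapp.in", "/download", ANDROID_UA, APK_TYPE, "sha256-placeholder-A"),
    ("armaanapp.in", "/download", DESKTOP_UA, "text/html", "sha256-placeholder-B"),
    ("store.example", "/app.apk", ANDROID_UA, APK_TYPE, "sha256-placeholder-C"),
    ("store.example", "/app.apk", DESKTOP_UA, APK_TYPE, "sha256-placeholder-C"),
])

def ua_family(user_agent: str) -> str:
    """Coarse client class; 'android' is what the cloaking keys on."""
    return "android" if "android" in user_agent.lower() else "desktop"

def parse_log(text: str):
    """Yield one dict per tab-separated log line."""
    for line in text.splitlines():
        host, path, ua, ctype, digest = line.split("\t")
        yield {"host": host, "path": path, "family": ua_family(ua),
               "ctype": ctype, "sha256": digest}

def find_ua_cloaking(records):
    """Return URLs that serve an APK to Android that desktop clients never get."""
    served = defaultdict(lambda: defaultdict(set))  # (host,path) -> family -> {(ctype, sha)}
    for r in records:
        served[(r["host"], r["path"])][r["family"]].add((r["ctype"], r["sha256"]))
    findings = []
    for (host, path), by_family in served.items():
        android_apks = {sha for ctype, sha in by_family["android"] if ctype == APK_TYPE}
        desktop = by_family.get("desktop")
        if not android_apks or desktop is None:
            continue  # need both client classes to compare responses
        desktop_shas = {sha for _, sha in desktop}
        if not android_apks & desktop_shas:  # desktop never saw that APK
            findings.append({"host": host, "path": path,
                             "android_sha256": sorted(android_apks),
                             "desktop_types": sorted(ctype for ctype, _ in desktop)})
    return findings

if __name__ == "__main__":
    for f in find_ua_cloaking(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}{f['path']}: Android got {f['android_sha256']}, "
              f"desktop got {f['desktop_types']}")
```

A hit is worth a manual re-fetch of the URL with both User-Agents and a hash comparison of the two responses before blocking the host.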

Image by CloudSEK: domain serving the malicious clone of the Hamraaz application

This campaign was identified by the CloudSEK Threat Hunting Team, but they did not name the threat actor group behind it.
Based on our analysis, this espionage campaign was conducted by Transparent Tribe, because its techniques and operational methodologies closely match the group’s earlier attacks against Indian Army personnel.

All these attacks by cyber terrorists are just the tip of the iceberg; there is more to detect and investigate.
