
Pakistan-Linked APT Group Uses Spear-Phishing to Plant Information-Stealing Malware
Jayant Chakravarty
April 14, 2023

A suspected Pakistani espionage threat actor that relies on phishing emails to lure victims is expanding into the education sector after years of focusing on the Indian military and government.
Security research from Sentinel Labs says the group, tracked as Transparent Tribe and also known as APT36 and Earth Karkaddan, uses malicious documents carrying Crimson RAT malware to target Indian teachers and students.
The lures consist of education-themed content with names such as "Mission". The researchers said that indicators pointing to Transparent Tribe as the threat actor include the use of Crimson RAT, "a consistent staple in the group's arsenal of malware". This latest phishing campaign also uses file-hosting domains associated with the group, such as cloud-drive.store and drive-phone.online.
Aleksandar Milenkoski, a senior threat researcher at Sentinel Labs, told Information Security Media Group that APT36 began targeting educational institutions in the Indian subcontinent in July 2022. He said the domain the attackers use as a command-and-control server was still active.
Transparent Tribe's intention is to target as many organizations and individuals as possible within the education sector, Milenkoski said, as evidenced by its use of phishing emails and fake websites to lure students and research institutions.
“Unfortunately, we cannot accurately estimate the total number of affected individuals and organizations, and we are not free to discuss details about the affected organizations,” he said.
Cybersecurity startup Cyble in March attributed a campaign targeting Indian defense researchers to SideCopy APT, a group it said "shares characteristics with Transparent Tribe (APT36) and could be a subset of this threat actor" (see: SideCopy APT Targets India's Premier Defense Research Agency). Cyble said SideCopy APT used spear-phishing emails carrying decoy documents, such as entry materials and raw research, to plant an information-stealing malware, Action RAT.
Crimson RAT is a .NET-based remote access trojan that features in nearly every APT36 campaign and lets attackers maintain long-term access to victim networks, Cisco Talos wrote in 2022.
The malware includes a keylogger, runs arbitrary commands and sends system information to a command-and-control server.
According to Sentinel Labs, in previous campaigns the attackers used Microsoft Office macros to download Crimson RAT, but the company noted that they have shifted to an OLE embed that displays an image and requires the user to double-click it to open the attachment. Once the user does so, the OLE package drops and executes Crimson RAT, which masquerades as a Microsoft update process.
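The delivery change described above, from macros to an image-backed OLE package that the user must double-click, is something a mail gateway or sandbox queue can triage before the document reaches a user. The following Python script is an added example written for this article; it is not code from Sentinel Labs, Cyble or the reporter, and it is not tied to any sample from the campaign. It treats a .docx as the ZIP archive it is, lists members under word/embeddings/, and reads the ProgID values on o:OLEObject elements in word/document.xml. A ProgID of "Package" is the OLE Packager, which wraps an arbitrary file and launches it when the user double-clicks the embedded object; that is the pattern to quarantine. The build_sample_docx helper is a constructed, minimal stand-in for a real document, with a harmless placeholder in place of any payload.

```python
import io
import re
import zipfile

# Elements and attributes WordprocessingML uses for embedded OLE objects.
# ProgID="Package" is the OLE Packager: an arbitrary file wrapped in the
# document, which Office launches when the user double-clicks the object.
OLEOBJECT_RE = re.compile(r"<o:OLEObject\b[^>]*>", re.IGNORECASE)
PROGID_RE = re.compile(r'ProgID="([^"]*)"', re.IGNORECASE)
EMBEDDINGS_PREFIX = "word/embeddings/"


def scan_docx(data: bytes) -> dict:
    """Summarise embedded OLE objects in a .docx given as bytes.

    Returns a dict with:
      embeddings  - archive members under word/embeddings/
      progids     - ProgID values declared on o:OLEObject elements
      has_package - True if any ProgID is 'Package' (arbitrary embedded file)
    """
    result = {"embeddings": [], "progids": [], "has_package": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["embeddings"] = [n for n in names if n.startswith(EMBEDDINGS_PREFIX)]
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
            for tag in OLEOBJECT_RE.findall(xml):
                match = PROGID_RE.search(tag)
                if match:
                    result["progids"].append(match.group(1))
    result["has_package"] = any(p.lower() == "package" for p in result["progids"])
    return result


def triage(data: bytes) -> str:
    """Map a scan result to a disposition for a gateway or sandbox queue."""
    summary = scan_docx(data)
    if summary["has_package"]:
        return "quarantine"  # embedded arbitrary file: the double-click pattern
    if summary["embeddings"]:
        return "review"      # other OLE objects (spreadsheets etc.) deserve a look
    return "clean"


def build_sample_docx(with_package: bool) -> bytes:
    """Construct a minimal .docx-shaped archive (a constructed sample, not a real lure).

    Only the members the scanner inspects are written; the OLE payload is a
    harmless placeholder byte string.
    """
    if with_package:
        # Constructed fragment mimicking an image-backed OLE Package object.
        body = ('<w:r><w:object><v:shape id="_x0000_i1025" style="width:120pt;height:80pt">'
                '<v:imagedata r:id="rId4" o:title=""/></v:shape>'
                '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" '
                'DrawAspect="Content" ObjectID="_0000000001" r:id="rId5"/>'
                '</w:object></w:r>')
    else:
        body = "<w:r><w:t>Assignment text only</w:t></w:r>"
    document_xml = f"<w:document><w:body><w:p>{body}</w:p></w:body></w:document>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        if with_package:
            zf.writestr(EMBEDDINGS_PREFIX + "oleObject1.bin", b"PLACEHOLDER-NOT-A-PAYLOAD")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample_docx(flag)
        print("package" if flag else "plain", scan_docx(sample), triage(sample))
```

In production the same check belongs next to macro and external-link inspection rather than in place of it: the article's point is that the group moved from macros to OLE packages, so a filter that only looks at VBA misses this wave. The regex approach is deliberately tolerant of malformed XML, which is common in hand-built lures; a stricter parser can be layered on once the archive is flagged for review.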