Transparent Tribe, aka APT36, is a Pakistan-based threat actor active since at least 2013. While it is not very advanced, the group keeps updating its operational strategies. SentinelLabs spotted a new campaign by APT36, which has been targeting the Indian education sector with Crimson RAT.

Diving into details

Transparent Tribe propagates education-themed malicious Office documents that stage Crimson RAT using macros or OLE embedding.
  • The macro code is executed once the documents are opened. Some macros also insert education-themed text related to India in the document.
  • The OLE embedding technique lures users into double-clicking an image in the document to view "locked" content; the click triggers an embedded OLE package that drops and executes Crimson RAT disguised as a Microsoft update process.
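As an added defensive illustration (not code from the SentinelLabs research or from Cyware), the script below triages an OOXML document for the two staging indicators described above: a VBA project (macro-enabled file) and an embedded OLE Package object, which is how a dropped executable is stored inside a document. The sample documents it builds are constructed in-memory stand-ins, not real APT36 lures; the check for the `Ole10Native` stream name is a byte-search heuristic, and legacy binary `.doc` files would need a compound-file parser such as oletools (olevba/oleobj) instead.

```python
import io
import zipfile

# Header of an OLE2 compound file (the container format of embedded OLE objects).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry name of an OLE "Package" object. Compound-file directory
# names are stored as UTF-16LE, so the raw bytes are searched in that encoding.
OLE10_NATIVE_UTF16 = "\x01Ole10Native".encode("utf-16-le")


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML (docx/docm/xlsx/pptx) file for macro and OLE-package
    staging indicators. Only the zip container is read; nothing is executed."""
    findings = {
        "is_ooxml": False,
        "has_vba": False,       # vbaProject.bin present -> macro-enabled document
        "embedded_ole": [],     # every embedded OLE object found
        "ole_packages": [],     # embedded objects that carry an Ole10Native stream
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    findings["is_ooxml"] = True
    for name in zf.namelist():
        low = name.lower()
        if low.endswith("vbaproject.bin"):
            findings["has_vba"] = True
        elif "/embeddings/" in low and not name.endswith("/"):
            blob = zf.read(name)
            findings["embedded_ole"].append(name)
            # Heuristic: an Ole10Native stream inside a compound file marks a
            # Package object, i.e. an arbitrary embedded file that Office will
            # write to disk and run when the object is activated.
            if blob.startswith(OLE_MAGIC) and OLE10_NATIVE_UTF16 in blob:
                findings["ole_packages"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a triage label suitable for alerting or mail-gateway queueing."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["has_vba"] and findings["ole_packages"]:
        return "suspicious: macro + ole-package"
    if findings["ole_packages"]:
        return "suspicious: ole-package"
    if findings["has_vba"]:
        return "review: macro-enabled"
    return "no-indicators"


def build_sample(with_vba: bool, with_package: bool) -> bytes:
    """Constructed test document (not a real APT36 sample): a minimal OOXML zip
    with an optional vbaProject.bin and an optional embedded OLE Package object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        if with_package:
            # Fake compound file: correct magic, padding, then an Ole10Native directory name.
            zf.writestr(
                "word/embeddings/oleObject1.bin",
                OLE_MAGIC + b"\x00" * 512 + OLE10_NATIVE_UTF16 + b"\x00" * 16,
            )
    return buf.getvalue()


if __name__ == "__main__":
    for vba, pkg in [(True, True), (False, True), (True, False), (False, False)]:
        f = triage_ooxml(build_sample(vba, pkg))
        print(f"vba={vba} package={pkg} -> {verdict(f)} {f['ole_packages']}")
```

In practice this runs at the mail gateway or on a sandbox intake queue: a document that is both macro-enabled and carries an OLE Package matches the staging pattern above and is worth detonating or blocking before it reaches a user.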

Beware of Crimson RAT

Crimson RAT variants use diverse obfuscation techniques, such as function name malformation and dynamic string resolution.
  • One sample, named NewOrleans, employs the Eazfuscator obfuscator. Evidence indicates that Crimson RAT developers have patched the routine that evaluates the trial period of Eazfuscator to allow the malware to execute even after the trial period has expired.
  • Notably, previous Crimson RAT strains employed Crypto Obfuscator; the switch to Eazfuscator shows that APT36 is continuously maintaining and developing the RAT.

Transparent Tribe - into the recent past

  • In March, an APT36 campaign was found targeting Indian and Pakistani Android users. The attackers used a honey-trap romance scam to distribute CapraRAT backdoors.
  • SideCopy, a sub-division of Transparent Tribe, targets only Indian defense and armed forces personnel. In March, the cluster targeted India’s DRDO to plant info-stealer malware.

The bottom line

What it lacks in sophistication, APT36 makes up for with persistence and regular updates to its targets, operational playbook, and malware arsenal. The group has long been targeting different sectors in India, so vigilance and robust cyber defense strategies are necessary.
Publisher: Cyware