
Transparent Tribe’s Cyber Attack Against Indian Healthcare

Researchers have observed the Transparent Tribe group using COVID-19 pandemic themes to conduct targeted, intelligence-gathering attacks against the Indian medical industry.

Transparent Tribe, also known as APT36, ProjectM and C-Major, is an APT group with a South Asian background. It has been observed spreading widely by means of USB worms.
Transparent Tribe's activity in the second half of 2019 targeted Afghanistan; in 2020 it has again turned to India. Around January 2020 it attacked Indian targets using job recruitment and military themes. Around March 2020 it launched a new round of attacks against targets in India and Afghanistan using lures related to electronics, national defense, security and résumés.
Since the outbreak of COVID-19, a large number of APT groups have used pandemic-related information for targeted attacks, and this group is no exception. Around April 2020, the group launched targeted attacks against Indian targets with malicious documents about the pandemic. At the same time, Transparent Tribe also conducted a large-scale USB virus infection campaign and stepped up its operations in Afghanistan; its previously undisclosed USB worm components were confirmed for the first time.

The decoy in this attack is a ZIP archive containing a shortcut (.lnk) disguised as a PDF. Once the attacker persuades the target to open the shortcut, the LNK file invokes mshta.exe to load an HTA script hidden in a remote web page. The web page in which the malicious HTA code is embedded is shown in the following figure:

[Figure: web page with the embedded malicious HTA code]

The HTA file decodes and executes the encoded string stored inside it. The malicious code uses .NET serialization to load the DraftingPad module and calls its PinkAgain function to drop a file into the specified folder. It then queries WMI for the names of the antivirus products installed on the machine and drops a different RAT depending on that list. Finally, it opens a file hosted on Google Docs and displays it to the user, so that the user believes a genuine document was opened and lowers their guard. The following picture shows the COVID-19 document that is displayed; it is a PDF forged by the attacker around the recent interest in the COVID-19 vaccine.

[Figure: the COVID-19 vaccine themed decoy PDF shown to the user]
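The LNK-to-mshta-to-remote-HTA chain described above leaves a distinctive process-creation trace: mshta.exe started with an http(s) URL on its command line, typically with explorer.exe as the parent when a user double-clicks the shortcut. The following detection logic is an added example and not part of the original report; the events, paths and the decoy.invalid URL are constructed placeholders, not indicators from this campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, simplified process-creation events (Sysmon-style fields);
# the paths and URLs below are placeholders, not indicators from this report.
@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

# mshta.exe accepts a URL directly; a remote http(s) target on its command
# line is the behaviour described for the LNK -> mshta -> remote HTA chain.
REMOTE_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def is_remote_hta_launch(ev: ProcessEvent) -> bool:
    """True when mshta.exe is started with a remote http/https argument."""
    if not ev.image.lower().endswith("\\mshta.exe"):
        return False
    return REMOTE_URL.search(ev.command_line) is not None

def launched_from_shell(ev: ProcessEvent) -> bool:
    """A parent of explorer.exe is consistent with a user double-clicking a shortcut."""
    return ev.parent_image.lower().endswith("\\explorer.exe")

def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (severity, command_line) for every remote-HTA launch found."""
    alerts = []
    for ev in events:
        if is_remote_hta_launch(ev):
            severity = "high" if launched_from_shell(ev) else "medium"
            alerts.append((severity, ev.command_line))
    return alerts

# Constructed sample events: one shortcut-driven remote HTA launch, one benign
# local HTA used by an installer, one unrelated process, one remote HTA from a shell.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" http://decoy.invalid/covid-update.hta'),
    ProcessEvent(r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\install.hta"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r'"C:\Windows\System32\notepad.exe" report.txt'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\SysWOW64\mshta.exe",
                 r'mshta.exe https://decoy.invalid/x.hta'),
]

if __name__ == "__main__":
    for severity, cmd in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

The local-HTA event is deliberately left unflagged: installers legitimately run HTA files from disk, so the rule keys on the remote URL rather than on mshta.exe alone, and raises the severity when the parent indicates a user-launched shortcut.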

The EXE dropped at the end of the attack is a backdoor Trojan that communicates with a C&C server. This time the RAT is neither CrimsonRAT nor the Python-based RAT that Transparent Tribe has habitually used. Comparison shows that different versions of the sample communicate with different C&C servers. Traffic is encrypted with RC4, using the string "ceta" as the key. CETA stands for the Comprehensive Economic and Trade Agreement, a free trade agreement between Canada and the European Union; whether the word carries a specific meaning here remains uncertain.
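Because RC4 is symmetric and the key is known, an analyst can decode captured C&C traffic directly. The following RC4 implementation and decoding helper are an added example, not code from the report or from the sample; the beacon plaintext is constructed, since the page does not describe the message format, and only the key "ceta" comes from the report.

```python
def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    # Key-scheduling algorithm: permute the state table with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed byte-by-byte over the input
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

C2_KEY = b"ceta"   # RC4 key reported for this sample's C&C traffic

def decrypt_c2(blob: bytes, key: bytes = C2_KEY) -> bytes:
    """Decode a captured C&C payload with the reported key (analyst helper)."""
    return rc4_crypt(key, blob)

# Constructed plaintext standing in for a beacon; the real message format is not on the page.
SAMPLE_PLAINTEXT = b"host=WORKSTATION-01|user=analyst|av=none"
SAMPLE_CAPTURE = rc4_crypt(C2_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("captured:", SAMPLE_CAPTURE.hex())
    print("decoded: ", decrypt_c2(SAMPLE_CAPTURE).decode())
```

Verifying the implementation against a published RC4 test vector (key "Key", plaintext "Plaintext" gives ciphertext bbf316e8d940af0ad3) before applying it to a real capture avoids chasing a decoder bug as if it were a protocol quirk.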

The remote commands supported by this Trojan are listed in the following figure:

[Figure: list of remote commands supported by the Trojan]

In the cyber conflict between India and Pakistan, APT groups on both sides have been imitating each other, and the resulting sample attack patterns complicate attribution by security analysts. In this attack, Transparent Tribe imitated the attack pattern of the Rattlesnake (SideWinder) group.

Conclusions

The situation in South Asia is turbulent, and countries in the region have weak awareness of network security protection, which has led to increasingly rampant APT attacks. These attacks against specific countries are not limited to political and military institutions; recently, targeted attacks on the medical industry exploiting interest in the COVID-19 vaccine have also become active.

IOCs

07418351da0ab516ddcd71e5712e7cf5
14a2b8af48b6db92f047525d893eaeb8
156088a178cf475086e13a0bafb8c94e
73f3ce6af466f08c88ad50c465781c92
b4fe8d4cfd59231644a405618a0053a7
b6040f3f8c52c49e8c34c70c1bdf39fb
29c5131ffc549663eb2642057e43b02a42bf7226
124677d655b829892bfe73877ca2a2289bbf623cf404ae50f73f255866205adc