Researchers have observed the Transparent Tribe group using epidemic-related lures to conduct targeted attacks on the Indian medical industry in order to steal intelligence.
Transparent Tribe, also known as APT36, ProjectM and C-Major, is an APT group with a South Asian background; it is known for the wide spread of its USB worms.
In the second half of 2019 Transparent Tribe's activity targeted Afghanistan; in 2020 it has again turned to India. Around January 2020 it attacked Indian targets with job-recruitment and military themes, and around March 2020 it launched a new round of attacks against targets in India and Afghanistan using lures on electronics, national defense, security and résumés.
Since the outbreak of COVID-19, a large number of APT groups have used epidemic-related content in targeted attacks, and this group is no exception. Around April 2020 it launched targeted attacks on Indian targets with malicious documents about the epidemic. At the same time, Transparent Tribe also carried out a large-scale USB worm infection campaign, and the related tools strengthened its operations in Afghanistan; its previously undisclosed usbworm component was confirmed for the first time.
The decoy in this attack is a ZIP archive containing a shortcut (LNK) disguised as a PDF. Once the attacker persuades the target to click the LNK file, it calls mshta.exe to load an HTA script hidden in a remote web page. The web page in which the malicious HTA code is implanted is shown in the following figure:
The HTA file decodes and executes a base64-encoded string stored inside it. The malicious code uses .NET serialization to load the DraftingPad module and calls its PinkAgain function to drop files into a specified folder. It then queries WMI for the names of the antivirus products installed on the machine and drops a different RAT depending on that list. Finally, it opens a file hosted on Google Docs and shows it to the user, so that the user believes a real document has been opened and lowers their vigilance. The following picture shows the COVID document displayed; it is a PDF forged by the attacker around the recent topic of the COVID-19 vaccine.
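The chain above (a shell click launching mshta.exe with a remote HTA, followed by a child process enumerating installed antivirus via WMI) is visible in ordinary process-creation telemetry. The following detection logic is an added example written for this page, not code from the original report or from the group's tooling; the event format and the sample events are constructed, and the assumption that the antivirus enumeration touches the root\SecurityCenter2 namespace or the AntiVirusProduct class reflects how such WMI queries are usually written, since the report does not quote the exact query.

```python
# Added example (not from the original report): flag the LNK -> mshta.exe ->
# remote HTA -> WMI antivirus enumeration chain in process-creation events.
import re

# Remote HTA: mshta.exe given an http(s) URL instead of a local file.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# ASSUMPTION: AV enumeration via WMI normally names the SecurityCenter2
# namespace or the AntiVirusProduct class; the report does not quote the query.
AV_ENUM = re.compile(r"securitycenter2|antivirusproduct", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(ev):
    """Return the list of indicator tags that apply to a single event."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    tags = []
    if image.endswith("mshta.exe") and REMOTE_URL.search(cmd):
        tags.append("mshta_remote_hta")
        # explorer.exe as parent is consistent with a double-clicked LNK.
        if parent.endswith("explorer.exe"):
            tags.append("launched_from_shell_click")
    if parent.endswith("mshta.exe") and not image.endswith("mshta.exe"):
        tags.append("spawned_by_mshta")
    if AV_ENUM.search(cmd):
        tags.append("wmi_av_enumeration")
    return tags


def detect(lines):
    """Run every event through classify(); keep only those with findings."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            alerts.append((ev["pid"], tags))
    return alerts


def chain_present(alerts):
    """True when both halves of the reported chain appear in the same batch."""
    seen = {tag for _, tags in alerts for tag in tags}
    return {"mshta_remote_hta", "wmi_av_enumeration"} <= seen


# CONSTRUCTED sample events: a remote-HTA launch, the WMI query spawned by it,
# a benign local HTA, and a benign PDF viewer launch. example.invalid is a
# placeholder host, not a real indicator.
SAMPLE_EVENTS = [
    "pid=4120|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe"
    "|cmdline=mshta.exe https://example.invalid/page.hta",
    "pid=4188|parent=C:\\Windows\\System32\\mshta.exe"
    "|image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|cmdline=wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName",
    "pid=4200|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe"
    "|cmdline=mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\setup.hta",
    "pid=4300|parent=C:\\Windows\\explorer.exe|image=C:\\Program Files\\Acrobat\\Acrobat.exe"
    "|cmdline=Acrobat.exe C:\\Users\\user\\Downloads\\report.pdf",
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, tags in found:
        print(pid, ", ".join(tags))
    print("full chain observed:", chain_present(found))
```

Only the two malicious events are flagged; the local HTA launch and the PDF viewer produce no tags, which is the point of keying on the remote URL rather than on mshta.exe alone.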
The EXE dropped at the end of the chain is a backdoor RAT that communicates with the C&C server. This RAT is neither the CrimsonRAT nor the Python-based PeppyRAT that Transparent Tribe has always used. Comparison shows that different versions of the sample communicate with different C&C servers. Traffic is encrypted with RC4, using the string "ceta" as the key. CETA is the acronym of the Comprehensive Economic and Trade Agreement, a free trade agreement between Canada and the European Union; whether the word has a specific meaning here remains uncertain.
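Because the report names a fixed RC4 key, an analyst can decrypt captured C&C traffic offline and confirm the key by checking that the output is readable. The code below is an added example for this page, not the RAT's code or anything from the original report: it implements RC4 from scratch, verifies it against the public "Key"/"Plaintext" test vector, and applies the key "ceta" to a constructed blob (a made-up beacon encrypted here for the demonstration, not real traffic).

```python
# Added example (not from the original report): RC4 decryption of captured
# C&C traffic with the key "ceta" named in the analysis, plus a plausibility
# check that tells a correct key apart from a wrong one.
import string

C2_RC4_KEY = b"ceta"  # key named in the report


def rc4_keystream(key):
    """Generate the RC4 keystream: key scheduling, then the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_text(data, threshold=0.95):
    """Heuristic: output under the right key is almost entirely printable."""
    if not data:
        return False
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data) >= threshold


def try_key(candidate, blob):
    """Return the decrypted bytes if they look like text, else None."""
    plain = rc4_crypt(candidate, blob)
    return plain if looks_like_text(plain) else None


# CONSTRUCTED sample: a made-up beacon encrypted under "ceta" for the demo.
_DEMO_BEACON = b"id=HOST-01|user=analyst|av=Windows Defender|cmd=none"
CAPTURED_BLOB = rc4_crypt(C2_RC4_KEY, _DEMO_BEACON)

if __name__ == "__main__":
    # Sanity check against the public RC4 test vector ("Key", "Plaintext").
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    for k in (b"wrongkey", C2_RC4_KEY):
        print(k, "->", try_key(k, CAPTURED_BLOB))
```

The printable-ratio check is deliberately loose: a real beacon format may contain binary fields, so in practice the threshold is tuned to the protocol once one decrypted message has been understood.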
The remote commands supported by this RAT are as follows:
In the cyber conflict between India and Pakistan, the APT groups of the two countries have been imitating each other, and the resulting similarity of sample attack patterns interferes with attribution by security analysts. In this attack, Transparent Tribe imitated the attack pattern of the Rattlesnake group.
The situation in South Asia is turbulent, and awareness of network security protection in the countries of the region is weak, which has allowed APT attacks to become increasingly rampant. These attacks against specific countries are not limited to political and military institutions; recently, targeted attacks against the medical industry using the COVID-19 vaccine as a lure have also become active.