
Usbworm – Transparent Tribe New Component Activity

Introduction

Transparent Tribe (also known as APT36, C-Major and MYTHIC LEOPARD) is a cyber espionage group associated with the Pakistani government. Active since 2013, the group mainly targets Indian military and government personnel. In 2019 it attacked many Afghan targets, but its goals appear to be broader than that: traces of its activity have been found in about 30 countries.

The group often uses .NET to develop custom remote access Trojans and writes new programs for specific campaigns. Usually the attacker sends spear-phishing emails carrying MS Office documents, and the attachments usually have malicious macros embedded in them. The final payload is usually CrimsonRAT. Among the group's tools, a new USB attack tool called USBWorm is worth noting. It consists of a file-stealing module for removable media and a worm infection module.

Attack process analysis


Harpoon mail delivery process


CrimsonRAT analysis

CrimsonRAT is also known as SEEDOOR and Scarimson. The Transparent Tribe group uses social engineering and spear phishing to target Indian military and defense entities with CrimsonRAT. The group is a cyber espionage group based in Pakistan that in its early days used malware called SeedDoor to target Indian military and government departments.

Function summary

After analysis, the RAT was found to support the following control codes:

Control code             Use
tbvrarthsa-procl         Get process name, process ID and process module version information
tbvrarthsa-getavs        Same as tbvrarthsa-procl
tbvrarthsa-thumb         Get the file name, creation time and size of the specified file and save it as a GIF image
tbvrarthsa-putsrt        Check the current execution path of the program; if it is not the expected path, copy to the default path and execute
tbvrarthsa-filsz         Get the file name, creation time and size of the specified file
tbvrarthsa-rupth         Get the Trojan path
tbvrarthsa-dowf          Download and save a file
tbvrarthsa-endpo         Kill the process with the specified ID
tbvrarthsa-scrsz         Save the default screenshot size
tbvrarthsa-cscreen       Take a screenshot and return the screenshot file at the specified size
tbvrarthsa-dirs          Return the name of each disk
tbvrarthsa-stops         Stop taking screenshots
tbvrarthsa-scren         Clear the screenshot flag
tbvrarthsa-cnls          Set the screen capture switch and other switches
tbvrarthsa-udlt          Download a file, rename it and execute it
tbvrarthsa-delt          Delete the specified file
tbvrarthsa-afile         Upload the specified file name and file content
tbvrarthsa-listf         Find files in the specified path and return file information
tbvrarthsa-file          Upload the specified file name and file content
tbvrarthsa-info          Upload network card information, machine name, user name, IP, operating system name, Trojan version number and Trojan execution path
tbvrarthsa-runf          Execute the specified file
tbvrarthsa bottle        List all file names under the specified path
tbvrarthsa-dowr          Download a file
tbvrarthsa-fldr          List all folders under the specified path
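As an added detection example (not code from the original report), the following Python maps the control codes in the table above to capability categories and triages a set of captured C2 payload strings, flagging whether file-exfiltration or download-and-execute commands were observed. The category grouping and the sample payloads are this example's own constructions.

```python
import re
from collections import Counter

# Control codes from the CrimsonRAT command table, grouped into capability
# categories (the grouping is this example's own assumption, not the report's).
COMMAND_CATEGORIES = {
    "recon": {"procl", "getavs", "filsz", "rupth", "dirs", "listf", "info", "fldr"},
    "exfiltration": {"afile", "file", "thumb", "cscreen"},
    "download_or_execute": {"dowf", "udlt", "runf", "dowr"},
    "tamper": {"endpo", "delt", "putsrt"},
    "screenshot_control": {"scrsz", "stops", "scren", "cnls"},
}
CODE_TO_CATEGORY = {code: cat for cat, codes in COMMAND_CATEGORIES.items() for code in codes}

# The command prefix "tbvrarthsa-" comes from the table; match it plus a short command word.
COMMAND_RE = re.compile(r"tbvrarthsa-([a-z]+)")


def extract_commands(payload: str) -> list:
    """Return (code, category) for every control code found in one captured payload."""
    found = []
    for m in COMMAND_RE.finditer(payload):
        code = m.group(1)
        found.append((code, CODE_TO_CATEGORY.get(code, "unknown")))
    return found


def triage(payloads) -> dict:
    """Summarise a capture: per-category counts plus exfiltration/execution flags."""
    counts = Counter()
    for p in payloads:
        for _, cat in extract_commands(p):
            counts[cat] += 1
    return {
        "categories": dict(counts),
        "exfil_seen": counts["exfiltration"] > 0,
        "execution_seen": counts["download_or_execute"] > 0,
    }


# Constructed sample payloads (not real captures): command word followed by arguments.
SAMPLE_PAYLOADS = [
    "tbvrarthsa-info",
    "tbvrarthsa-listf C:\\Users\\victim\\Documents",
    "tbvrarthsa-afile C:\\Users\\victim\\Documents\\report.docx",
    "tbvrarthsa-udlt http://C2-PLACEHOLDER/update.bin",
    "unrelated http keepalive",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PAYLOADS))
```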

Part of the script is shown in the figure:


From its functions it is clear that CrimsonRAT supports, and was designed to load, extensible modules. Further investigation found that these modules include a keylogger, a USB worm and others.

USBWorm of CrimsonRAT component

USBWorm replaces its own icon with a Windows folder icon in an attempt to lure users into executing the malware.


Environment check

  • The worm checks whether its execution path is its built-in path; if not, it copies itself to that path, removes the file extension and launches the copy via Explorer.

KeyLogger of CrimsonRAT component

This component is a single-purpose keylogger.

On first execution, the keylogger uses 'x' and 'y' as separators to split and decode the byte array hard-coded in the Trojan.

IOCs
