Transparent Tribe (also known as APT36, C-Major and MYTHIC LEOPARD) is a cyber espionage group associated with the Pakistani government. Active since 2013, the group mainly targets Indian military and government personnel. In 2019 it also attacked many Afghan targets. Its goals appear to be broader than that, however: traces of its activity have been found in about 30 countries.
Transparent Tribe often uses .NET to develop custom remote access Trojans and writes new programs for specific campaigns. Typically the attacker sends spear-phishing emails carrying MS Office documents, and the attachments usually have malicious macros embedded in them. The final payload is usually CrimsonRAT. Among the group's tools, a new USB attack tool called USBWorm is worth noting. It consists of a file-stealing module for removable media and a worm infection module.
Attack process analysis
Spear-phishing email delivery process
CrimsonRAT, also known as SEEDOOR and Scarimson: the Transparent Tribe group uses social engineering and spear phishing to target Indian military and defense entities with CrimsonRAT. The group is a Pakistan-based cyber espionage group that in its early days used malware called SeedDoor to target Indian military and government departments.
Analysis shows that the RAT supports the following commands:
| Command | Function |
|---|---|
| tbvrarthsa-procl | Get process names, process IDs and process module version information |
| tbvrarthsa-getavs | Same as tbvrarthsa-procl |
| tbvrarthsa-thumb | Get the file name, creation time and size of the specified file and save it as a GIF image |
| tbvrarthsa-putsrt | Check the program's current execution path; if it is not the expected one, copy the program to the default path and execute it |
| tbvrarthsa-filsz | Get the file name, creation time and size of the specified file |
| tbvrarthsa-rupth | Get the Trojan's path |
| tbvrarthsa-dowf | Download and save a file |
| tbvrarthsa-endpo | Kill the process with the specified ID |
| tbvrarthsa-scrsz | Store the default screenshot size |
| tbvrarthsa-cscreen | Take a screenshot and return the screenshot file at the specified size |
| tbvrarthsa-dirs | Return the name of each disk |
| tbvrarthsa-scren | Clear the screenshot flag |
| tbvrarthsa-cnls | Set the screen-capture switch and other switches |
| tbvrarthsa-udlt | Download a file, rename it and execute it |
| tbvrarthsa-delt | Delete the specified file |
| tbvrarthsa-afile | Upload the specified file name and file content |
| tbvrarthsa-listf | Find files in the specified path and return their information |
| tbvrarthsa-file | Upload the specified file name and file content |
| tbvrarthsa-info | Upload network adapter information, machine name, user name, IP address, operating system name, Trojan version number and Trojan execution path |
| tbvrarthsa-runf | Execute the specified file |
| tbvrarthsa bottle | List all file names under the specified path |
| tbvrarthsa-fldr | List all folders under the specified path |
Part of the script is shown in the figure:
From its command set it is clear that CrimsonRAT is designed to load additional, expandable modules. Further digging showed that its modules include a keylogger, a USB worm and others.
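As an added triage example (not from the original report), the following Python scans a byte buffer such as a memory dump or strings output for the tbvrarthsa- command prefix in both ASCII and UTF-16LE, and maps each hit back to the command table above, flagging names the table does not list. The sample buffer and the command name newcmd are constructed for the demonstration and are not real indicators.

```python
import re
from collections import Counter

# Command names from the CrimsonRAT table above, mapped to a condensed form of
# the page's description of each command.
KNOWN_COMMANDS = {
    "procl": "enumerate processes", "getavs": "enumerate processes",
    "thumb": "file metadata as GIF", "putsrt": "copy to default path and run",
    "filsz": "file metadata", "rupth": "report Trojan path",
    "dowf": "download file", "endpo": "kill process", "scrsz": "screenshot size",
    "cscreen": "take screenshot", "dirs": "list disks", "scren": "screenshot flag",
    "cnls": "capture switches", "udlt": "download, rename, execute",
    "delt": "delete file", "afile": "upload file", "listf": "search files",
    "file": "upload file", "info": "host fingerprint", "runf": "execute file",
    "fldr": "list folders",
}
# Every command shares this literal prefix; the group captures the name after it.
TOKEN = re.compile(r"tbvrarthsa-([a-z]+)")

def _text_views(blob: bytes):
    """Yield the buffer as Latin-1 text (catches ASCII strings) and as UTF-16LE
    at both byte alignments: a .NET implant keeps strings as UTF-16 in memory,
    and a dump rarely starts on a string boundary."""
    yield blob.decode("latin-1")
    for offset in (0, 1):
        yield blob[offset:].decode("utf-16-le", errors="ignore")

def find_commands(blob: bytes) -> Counter:
    """Count every tbvrarthsa-<name> token seen in any encoding view."""
    hits = Counter()
    for text in _text_views(blob):
        hits.update(TOKEN.findall(text))
    return hits

def triage(blob: bytes) -> dict:
    """Separate known capabilities from unknown command names; an unknown name
    hints at a variant whose command set differs from the table above."""
    hits = find_commands(blob)
    return {
        "known": {c: KNOWN_COMMANDS[c] for c in hits if c in KNOWN_COMMANDS},
        "unknown": sorted(c for c in hits if c not in KNOWN_COMMANDS),
        "total_hits": sum(hits.values()),
    }

# Constructed sample: filler bytes, one ASCII command, then two UTF-16LE commands
# that start at an odd offset. "newcmd" is a hypothetical name used only to
# exercise the unknown-command path; it is not a real CrimsonRAT command.
SAMPLE = (b"\x90" * 7 + b"tbvrarthsa-info\x00"
          + "tbvrarthsa-udlt\x00tbvrarthsa-newcmd\x00".encode("utf-16-le"))
```

Run `triage(SAMPLE)` to see the two known commands, the unknown name and the hit count; the odd-offset UTF-16 strings are only found because the second alignment is tried.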
USBWorm of CrimsonRAT component
USBWorm replaces its own icon with the Windows folder icon in an attempt to trick users into executing the malware.
- The worm checks whether its execution path is its built-in path; if not, it copies itself to the specified path, removes the extension and launches the copy via explorer.
KeyLogger of CrimsonRAT component
This component is a single-purpose keylogger.
On first execution, KeyLogger uses 'x' and 'y' as separators to split and decode a byte array hard-coded in the Trojan: