Usbworm – Transparent Tribe New Component Activity


The Transparent Tribe (also known as APT36, C-Major and MYTHIC LEOPARD) is a cyber espionage Group associated with the Pakistani government. Active since 2013, the Group mainly targets Indian military and government personnel. In 2019 it attacked many Afghan targets, but its goals appear to be broader than that: traces of its malicious activity have been found in about 30 countries.

The Group often uses .NET to develop custom remote access Trojans and builds new tools for specific campaigns. Usually the attacker sends spear-phishing emails carrying MS Office documents, and the attachments typically have malicious macros embedded in them. The final payload is usually CrimsonRAT. Among the Group's tools, a new USB attack tool called USBWorm is worth noting: it consists of a file-stealing module for removable media and a worm infection module.

Attack process analysis


Spear-phishing email delivery process


CrimsonRAT analysis

CrimsonRAT, also known as SEEDOOR and Scarimson, is used by the Transparent Tribe Group, together with social engineering and spear-phishing, to target Indian military and defense entities. The Group is a Pakistan-based cyber espionage Group that in its early days used malware called SeedDoor against Indian military and government departments.

Function summary

Analysis shows that the RAT supports the following control codes and functions:

Control code           Use
tbvrarthsa-procl       Get process name, process ID and process module version information
tbvrarthsa-getavs      Same as tbvrarthsa-procl
tbvrarthsa-thumb       Get the file name, creation time and size of the specified file and save it as a GIF image
tbvrarthsa-putsrt      Check the current execution path of the program; if it does not match, copy the program to the default path and execute it
tbvrarthsa-filsz       Get the file name, creation time and size of the specified file
tbvrarthsa-rupth       Get the Trojan path
tbvrarthsa-dowf        Download and save a file
tbvrarthsa-endpo       Kill the process with the specified ID
tbvrarthsa-scrsz       Save the default screenshot size
tbvrarthsa-cscreen     Take a screenshot and return the screenshot file at the specified size
tbvrarthsa-dirs        Return the name of each disk
tbvrarthsa-stops       Stop taking screenshots
tbvrarthsa-scren       Take a screenshot with the clear flag set
tbvrarthsa-cnls        Set the screen capture switch and other switches
tbvrarthsa-udlt        Download a file, rename it and execute it
tbvrarthsa-delt        Delete the specified file
tbvrarthsa-afile       Upload the specified file name and file content
tbvrarthsa-listf       Find files in the specified path and return file information
tbvrarthsa-file        Upload the specified file name and file content
tbvrarthsa-info        Upload network card information, machine name, user name, IP, operating system name, Trojan version number and Trojan execution path
tbvrarthsa-runf        Execute the specified file
tbvrarthsa bottle      List all file names under the specified path
tbvrarthsa-dowr        Download a file
tbvrarthsa-fldr        List all folders under the specified path
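As an added example (not code from the original report), the following Python triage scanner searches a file image for the tbvrarthsa- control codes listed above. The sample buffers are constructed for the demonstration, and the UTF-16LE check reflects how .NET binaries store string literals.

```python
# Added example: scan a file image for CrimsonRAT control-code strings.
# CONTROL_CODES are taken from the table above; SAMPLE_* buffers are constructed.
from __future__ import annotations

PREFIX = "tbvrarthsa-"
CONTROL_CODES = [
    "procl", "getavs", "thumb", "putsrt", "filsz", "rupth", "dowf", "endpo",
    "scrsz", "cscreen", "dirs", "stops", "scren", "cnls", "udlt", "delt",
    "afile", "listf", "file", "info", "runf", "dowr", "fldr",
]


def find_control_codes(data: bytes) -> dict[str, list[str]]:
    """Return the control codes present in `data`, keyed by the encoding
    they were found in. .NET stores string literals as UTF-16LE, so both
    plain ASCII and UTF-16LE forms are checked. The full prefix is part of
    every needle, so 'file' does not match inside 'afile'."""
    hits: dict[str, list[str]] = {"ascii": [], "utf-16le": []}
    for code in CONTROL_CODES:
        needle = PREFIX + code
        if needle.encode("ascii") in data:
            hits["ascii"].append(code)
        if needle.encode("utf-16-le") in data:
            hits["utf-16le"].append(code)
    return hits


def looks_like_crimsonrat(data: bytes, min_codes: int = 3) -> bool:
    """Heuristic verdict: several distinct control codes in one blob is a
    much stronger indicator than a single string hit."""
    hits = find_control_codes(data)
    distinct = set(hits["ascii"]) | set(hits["utf-16le"])
    return len(distinct) >= min_codes


# Constructed sample: a fake .NET image fragment carrying three codes in UTF-16LE.
SAMPLE_DOTNET = (
    b"MZ\x90\x00" + "tbvrarthsa-info".encode("utf-16-le") + b"\x00\x00"
    + "tbvrarthsa-procl".encode("utf-16-le") + b"\x00\x00"
    + "tbvrarthsa-fldr".encode("utf-16-le") + b"\x00\x00"
)
# Constructed sample: a benign buffer that happens to contain one word from the list.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"ordinary program with an info string\x00"

if __name__ == "__main__":
    print(find_control_codes(SAMPLE_DOTNET))
    print("CrimsonRAT-like:", looks_like_crimsonrat(SAMPLE_DOTNET))
    print("Benign flagged:", looks_like_crimsonrat(SAMPLE_BENIGN))
```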

Part of the script is shown in the figure:


Its function set makes clear that CrimsonRAT is designed to load extensible modules. Further digging showed that these modules include a keylogger and a USB worm, among others.

USBWorm component of CrimsonRAT

The worm replaces its own icon with the Windows folder icon in an attempt to lure users into executing the malware.


Environment check

  • The worm checks whether its execution path is the built-in path; if not, it copies itself to that path, removes the file extension and launches the copy through Explorer.

KeyLogger component of CrimsonRAT

This component is a single-purpose keylogger.

On its first execution, the KeyLogger splits the byte array hard-coded in the Trojan on the separators 'x' and 'y' and decodes it:
