Background and Evolution of Transparent Tribe
Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly active group with activities dating back to 2013. This group has consistently targeted Indian military and government personnel, with a focus on espionage. Their tactics, techniques, and procedures (TTPs) have remained consistent over the years, primarily using malicious documents with embedded macros as their favorite infection vector.
The Crimson RAT
The main malware used by Transparent Tribe is a custom .NET Remote Access Trojan (RAT) publicly known as Crimson RAT. This malware has evolved over the years, with the group also employing other custom .NET malware and a Python-based RAT known as Peppy. Crimson RAT is a sophisticated tool used for espionage, capable of managing remote file systems, uploading or downloading files, taking screenshots, conducting audio surveillance, operating surveillance cameras, stealing files, recording keyboard inputs, and stealing browser passwords.
Crimson Server and Its Components
Crimson Server is the command and control (C2) component used by Transparent Tribe for managing infected machines. This server-side implant helps in understanding the attacker’s perspective and confirms observations on Crimson RAT. The server is composed of various components, enabling the attacker to perform multiple activities on infected machines. These include managing remote filesystems, capturing screenshots, performing audio surveillance, recording video streams from webcam devices, stealing files from removable media, executing arbitrary commands, recording keystrokes, and stealing passwords saved in browsers.
Evolution and Campaigns
Transparent Tribe has undergone significant evolution, increasing its activities, starting massive infection campaigns, developing new tools, and focusing on Afghanistan. The group has been spreading Crimson RAT, infecting a large number of victims in multiple countries, mainly India and Afghanistan.
The USBWorm component is a significant part of Transparent Tribe’s arsenal. This malware was speculated about years ago but had never been publicly described until recent investigations. USBWorm is used for stealing files from removable drives, spreading across systems by infecting removable media, and downloading and executing the Crimson RAT components.
Distribution and Impact
Transparent Tribe’s activities have resulted in a broad campaign against military and diplomatic targets, using extensive infrastructure to support their operations and continuous improvements in their arsenal. The group has maintained a strong focus on Afghanistan and India, with detections in other countries possibly related to entities connected to the main targets.
Transparent Tribe continues to show high activity against multiple targets, investing in their main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. The group’s activities are expected to continue without any slowdown, and they remain a significant threat in the cyber espionage landscape.