APT Group Targeting Military Refines Its TacticsKaspersky: 'Transparent Tribe' Using Trojan That Now Targets Removable Devices
"Transparent Tribe," a hacking group that targets military and diplomatic organizations, has updated its Crimson remote access Trojan to enable the malware to steal data from removable devices and then use these devices to spread to other systems, according to new research from Kaspersky.
This advanced persistent threat group, which has been active since at least 2013, is also referred to as ProjectM and Mythic Leopard, according to a previous report by security firm Proofpoint. Known for large-scale cyberespionage campaigns, the APT group has recently taken a greater interest in India and Afghanistan, according to Kaspersky.
Over the last year, Kaspersky has observed the hacking group sending out thousands of phishing emails to targets around the world in an attempt to install the Crimson malware on various devices.
Crimson, a remote access Trojan written in the .NET programming language, was sent to nearly 1,100 targets in 27 countries between June 2019 and June 2020, the report finds. Afghanistan, Pakistan, India, Iran and Germany were most frequently targeted.
"During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal,” Giampaolo Dedola, security researcher with Kaspersky, explains in the report. “The group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don't expect any slowdown from this group in the near future."
Attacks Start With Phishing
The Kaspersky report finds that Transparent Tribe continues to target victims through spear-phishing emails that contain a malicious document. If a user clicks on a document, macros are enabled that eventually download the Crimson RAT to the compromised device, according to the report.
"Their favorite infection vector is malicious documents with an embedded macro, which seem to be generated with a custom builder," Dedola notes.
Once installed, the Crimson malware connects to a command-and-control server and performs various functions, such as managing remote file systems, uploading or downloading files, capturing screenshots and recording video streams from webcam devices, the research report says..
Several new features that have been added to Crimson to expand the Trojan's capabilities to make it more effective, Dedola says.
For example, a new server-side management interface appears to help the attackers manage the devices and other components under their control within a compromised network. The interface then gives an overview of how the cyber operation is progressing.
"At the top, there is a toolbar that can be used for managing the server or starting some actions on the selected bot," Dedola notes. "At the bottom, there is an output console with a list of actions performed by the server in the background. It will display, for example, information about received and sent commands."
The interface also contains numerous "tabs" to show how each component of the malware is operating. It also deploys what the Kaspersky report calls a "thin client" - a miniature version of the main RAT that can perform various functions, such as taking screenshots and uploading files.
In addition to the interface, Kaspersky found another module in the RAT dubbed "USB Worm," which allows the attackers to steal data from removable media, such as USB drives.
This module enables the malware to spread through other parts of the network through these removable devices. For example, if an infected USB drive is plugged into another device, the malware will then download the thin client version of the RAT to the new device from a remote server.
The module disguises itself as an icon in the Windows directory, making it more likely a user will click on the malware and install it once the USB is plugged into a new device.
"This simple trick works very well on default Microsoft Windows installations, where file extensions are hidden and hidden files are not visible," according to the Kaspersky report.