TransparentTribe is an Advanced Persistent Threat (APT) group with a large appetite for targeting Indian government organizations, military personnel, and defense contractors. The threat actor recently came into the spotlight and was seen levering the notorious Crimson RAT (Remote Access Trojan), among other sophisticated tools and tactics.
The threat actor’s modus operandi is as complex as its name — starting with gathering sensitive information, conducting cyber espionage, and compromising the security of its targets. They are adept at exploiting various platforms, from Windows to Android, often masquerading as legitimate government entities or organizations through fake websites and documents.
These deceptive maneuvers aim to deceive unsuspecting users into sharing credentials or unwittingly downloading malware onto their systems.
Decoding the New Threat Actor: TransparentTribe
According to the Cyble Vision Threat Library, TransparentTribe, also known as APT 36 or Project Mythic Leopard, has been active, with its last sighting dated April 1, 2023. Their activities extend beyond traditional cyber espionage, with recent investigations uncovering connections to watering hole sites focused on Indian military personnel.
Moreover, TransparentTribe’s reach spans across borders, with primary targets including India and Afghanistan, along with various other nations such as Australia, Japan, and the USA, among others. Their relentless pursuit of sensitive information knows no bounds, targeting sectors ranging from defense to education and governmental organizations.
Operating out of Pakistan, TransparentTribe poses a significant threat to national security, employing aliases like Green Havildar and APT-C-56. Suspected ties with other APT groups like SideCopy and SideWinder further underscore the complexity of the threat landscape.
The Mechanics of TransparentTribe Hacker Group
The lifecycle of TransparentTribe’s attacks involves multiple infection vectors, including phishing emails, malvertising, and social engineering. Their persistence is evident in the continuous monitoring of developments within targeted sectors, exploiting them as lures for their campaigns.
Windows, Linux, and Android systems alike fall prey to TransparentTribe’s tactics, with tailored approaches for each platform. Exploiting vulnerabilities like CVE-2012-0158 and CVE-2010-3333, they deliver their payloads, including a diverse range of RATs like Crimson RAT, DarkComet, and QuasarRAT, each with its specific capabilities and functionalities.
Their network activities are intricate, utilizing well-crafted phishing URLs and registering domains on servers associated with Hostinger ASN. Moreover, the overlap in command and control (C&C) infrastructure and the use of platforms like Google Drive for hosting malware further complicate detection and mitigation efforts.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
