Recent espionage campaign targeting government authorities of India, Afghanistan and other Asian countries. The group, originally named Transparent Tribe, has been in operation since 2013 and is also known as ProjectM.
Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target.
The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent together with malicious Microsoft Office documents containing an embedded macro that deploys the group’s main payload, the Crimson Remote Access Trojan (RAT).
If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance.
The Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers.
The Trojan comes in two versions that have been compiled across 2017, 2018, and at the end of 2019, suggesting the malware is still in active development.
Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest.
USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines.
If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and then buries a copy of the Trojan in the drive's root directory, one per directory. Each real directory's attribute is then changed to “hidden”, and a fake Windows directory icon is used to lure victims into clicking on and executing the payload when they attempt to access their directories.
“This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name.”
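The pattern described above (every real directory marked hidden, with a same-named executable beside it at the drive root) is easy to check for from the defender's side. The script below is an added example and is not code from the original article or from any security vendor; the `Entry` type, the `find_lookalike_pairs` and `scan_drive_root` helpers, the extension list and the sample listing are all assumptions constructed for the example. It scans one directory (the removable drive's root) and reports each hidden directory that has an executable sibling with the same basename, which is the on-disk footprint the USBWorm component leaves.

```python
"""
Added example (not part of the original article): a defender-side check for
the USBWorm drive layout, where each real directory on a removable drive is
hidden and a same-named executable with a folder icon is placed beside it.
"""
import os
import stat
from dataclasses import dataclass

# Extensions that would execute when a user double-clicks the fake "folder".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}


@dataclass(frozen=True)
class Entry:
    """One directory listing entry (hypothetical type for this example)."""
    name: str
    is_dir: bool
    is_hidden: bool


def find_lookalike_pairs(entries):
    """Return sorted (directory, file) pairs where a hidden directory has a
    sibling executable whose basename equals the directory name.
    Names are compared case-insensitively, as Windows file systems do."""
    hidden_dirs = {e.name.lower(): e.name for e in entries
                   if e.is_dir and e.is_hidden}
    pairs = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_EXTS and base.lower() in hidden_dirs:
            pairs.append((hidden_dirs[base.lower()], e.name))
    return sorted(pairs)


def _is_hidden(dir_entry):
    """Use the Windows hidden attribute when available; elsewhere fall back
    to the dot-prefix convention so the scanner still runs on other OSes."""
    st = dir_entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return dir_entry.name.startswith(".")


def scan_drive_root(root):
    """Build Entry objects for one directory (e.g. r'E:\\') and check them."""
    entries = [
        Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d))
        for d in os.scandir(root)
    ]
    return find_lookalike_pairs(entries)


# Constructed sample listing of an infected drive root; not real telemetry.
SAMPLE_LISTING = [
    Entry("Documents", True, True),
    Entry("documents.exe", False, False),   # case differs, still a match
    Entry("Photos", True, True),
    Entry("Photos.exe", False, False),
    Entry("notes.txt", False, False),
    Entry("Backup", True, False),           # visible directory: not flagged
    Entry("Backup.exe", False, False),      # exe without hidden twin: not flagged
    Entry(".Trash", True, True),            # hidden dir without lookalike: not flagged
]

if __name__ == "__main__":
    for d, f in find_lookalike_pairs(SAMPLE_LISTING):
        print(f"suspicious: hidden directory {d!r} paired with {f!r}")
```

A single hidden directory or a lone executable at the root is normal and is not reported; only the pairing is flagged, which keeps false positives low when the check is run as a scheduled scan over mounted removable drives.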
Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020. “We don’t expect any slowdown from this group in the near future.”