The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT.
While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical.
The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary’s attacks since late 2021.
The malware has the functionality to exfiltrate files and system data to an actor-controlled server. It’s also built with the ability to capture screenshots, terminate running processes, and download and execute additional payloads to log keystrokes and steal browser credentials.
Last month, ESET attributed Transparent Tribe to a cyber espionage campaign aimed at infecting Indian and Pakistani Android users with a backdoor called CapraRAT.
An analysis of Crimson RAT samples has revealed the presence of the word “Wibemax,” corroborating a previous report from Fortinet. While the name matches that of a Pakistani software development company, it’s not immediately clear if it shares any direct connection to the threat actor.
That said, it bears noting that Transparent Tribe has in the past leveraged infrastructure operated by a web hosting provider called Zain Hosting in attacks targeting the Indian education sector.
The documents analyzed by SentinelOne feature education-themed content and names like assignment or Assignment-no-10, and make use of malicious macro code to launch the Crimson RAT. Another method concerns the use of OLE embedding to stage the malware.
“Malicious documents that implement this technique require users to double-click a document element,” Milenkoski explained. “These documents distributed by Transparent Tribe typically display an image (a ‘View Document’ graphic) indicating that the document content is locked.”
This, in turn, tricks users into double-clicking the graphic to view the content, thereby activating an OLE package that stores and executes the Crimson RAT masquerading as an update process.
Crimson RAT variants have also been observed to delay their execution for a specific time period spanning anywhere between a minute and four minutes, not to mention implement different obfuscation techniques using tools like Crypto Obfuscator and Eazfuscator.
“Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and target,” Milenkoski said. “Transparent Tribe’s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.”