1. Home
  2. Campaigns
  3. C0011

C0011

C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[1]

ID: C0011
First Seen:  December 2021 [1]
Last Seen:  July 2022 [1]
Version: 1.0
Created: 22 September 2022
Last Modified: 22 September 2022
Version Permalink

Groups

ID Name Description
G0134 Transparent Tribe

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[1]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.[1]
Enterprise T1587 .003 Develop Capabilities: Digital Certificates

For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.[1]

.002 Phishing: Spearphishing Link

During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.[1]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[1]

Enterprise T1204 .001 User Execution: Malicious Link

During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.[1]
.002 User Execution: Malicious File

During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.[1]

Software

ID Name Description
S0115 Crimson

For C0011, Transparent Tribe used an updated version of Crimson.[1]

References

  1. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.