1. Home
  2. Groups
  3. Transparent Tribe

Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]

ID: G0134
Associated Groups: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.2
Created: 02 September 2021
Last Modified: 10 April 2024
Version Permalink

Associated Group Descriptions

Name Description
COPPER FIELDSTONE

[4]
APT36

[3]
Mythic Leopard

[5][2][3]
ProjectM

[6][2]

Campaigns

ID Name First Seen Last Seen References Techniques
C0011 C0011 December 2021 [7] July 2022 [7]

[7]

 Acquire Infrastructure: Domains, Command and Scripting Interpreter: Visual Basic, Develop Capabilities: Digital Certificates, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Stage Capabilities: Upload Malware, User Execution: Malicious Link, User Execution: Malicious File
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[1][3]

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[7]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Transparent Tribe has crafted VBS-based malicious documents.[1][2]

For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.[7]
Enterprise T1584 .001 Compromise Infrastructure: Domains

Transparent Tribe has compromised domains for use in targeted malicious campaigns.[1]
Enterprise T1587 .003 Develop Capabilities: Digital Certificates

For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.[7]
Enterprise T1189 Drive-by Compromise

Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]
Enterprise T1568 Dynamic Resolution

Transparent Tribe has used dynamic DNS services to set up C2.[1]
Enterprise T1203 Exploitation for Client Execution

Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[1]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[2]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Transparent Tribe has dropped encoded executables on compromised hosts.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[1][2][8][3][6]

During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.[7]

.002 Phishing: Spearphishing Link

Transparent Tribe has embedded links to malicious downloads in e-mails.[8][3]

During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.[7]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[7]

.004 Stage Capabilities: Drive-by Target

Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]
Enterprise T1204 .001 User Execution: Malicious Link

Transparent Tribe has directed users to open URLs hosting malicious content.[8][3]

During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.[7]
.002 User Execution: Malicious File

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[1][2][8][3][6]

During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.[7]

Software

ID Name References Techniques
S0115 Crimson [1][7] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Removable Media, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Peripheral Device Discovery, Process Discovery, Query Registry, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Video Capture, Virtualization/Sandbox Evasion: Time Based Evasion
S0334 DarkComet [6] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0644 ObliqueRAT [8][7] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Data Staged: Local Data Staging, Data Transfer Size Limits, File and Directory Discovery, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0643 Peppy [6] Application Layer Protocol: Web Protocols, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Screen Capture

References

  1. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  2. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  3. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  4. Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021.
  1. Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021.
  2. Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
  3. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  4. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.