Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]

ID: G0134
Associated Groups: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.2
Created: 02 September 2021
Last Modified: 10 April 2024

Associated Group Descriptions

Name Description
COPPER FIELDSTONE [4]
APT36 [3]
Mythic Leopard [5][2][3]
ProjectM [6][2]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[1][3]

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[7]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Transparent Tribe has crafted VBS-based malicious documents.[1][2]

For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.[7]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Transparent Tribe has compromised domains for use in targeted malicious campaigns.[1]

Enterprise T1587 .003 Develop Capabilities: Digital Certificates

For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.[7]

Enterprise T1189 Drive-by Compromise

Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1568 Dynamic Resolution

Transparent Tribe has used dynamic DNS services to set up C2.[1]

Enterprise T1203 Exploitation for Client Execution

Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Transparent Tribe has dropped encoded executables on compromised hosts.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[1][2][8][3][6]

During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.[7]

Enterprise T1566 .002 Phishing: Spearphishing Link

Transparent Tribe has embedded links to malicious downloads in e-mails.[8][3]

During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.[7]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[7]

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1204 .001 User Execution: Malicious Link

Transparent Tribe has directed users to open URLs hosting malicious content.[8][3]

During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.[7]

Enterprise T1204 .002 User Execution: Malicious File

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[1][2][8][3][6]

During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.[7]

Software

ID Name References Techniques
S0115 Crimson [1][7] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Removable Media, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Peripheral Device Discovery, Process Discovery, Query Registry, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Video Capture, Virtualization/Sandbox Evasion: Time Based Evasion
S0334 DarkComet [6] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0644 ObliqueRAT [8][7] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Data Staged: Local Data Staging, Data Transfer Size Limits, File and Directory Discovery, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0643 Peppy [6] Application Layer Protocol: Web Protocols, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Screen Capture

References