A highly prolific hacker group continues to conduct cyber-espionage campaigns aimed at military and diplomatic entities all over the world, according to a new report from Kaspersky Lab.
The group, known as Transparent Tribe, PROJECTM and MYTHIC LEOPARD, has been active since at least 2013 and has previously been linked to cyber-espionage campaigns against the Indian government and military, although recently the Transparent Tribe APT has shifted its focus to entities in Afghanistan.
The researchers said that over the years the threat actor has constantly used certain tools and created new programs for specific campaigns. Typically, the infection chain involves malicious documents containing an embedded macro, which deploys the malware.
In their campaigns the group mainly uses a custom malware known as Crimson RAT, as well as other custom .NET malware and a Python-based RAT known as Peppy.
Over the past year, the hackers considerably upgraded their tools, adding a management console and a USB worming function to the Crimson RAT, and stepped up their activity, launching massive infection campaigns and developing new tools.
The Crimson RAT consists of various components and is able to:
manage remote filesystems
upload or download files
perform audio surveillance using microphones
record video streams from webcam devices
steal files from removable media
execute arbitrary commands
steal passwords saved in browsers
spread across systems by infecting removable media
In the latest campaign the researchers observed a new addition to the Crimson RAT, namely a server-side component used to manage infected client machines as well as a new USBWorm component developed for stealing files from removable drives.
“Coming in two versions, it was compiled in 2017, 2018 and 2019, indicating that this software is still under development and the APT group is working on ways to improve it,” the researchers said.
USBWorm contains two main components: a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines. If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and then places a copy of the Trojan in the drive's root directory. The directory attribute is then changed to "hidden", and a fake Windows directory icon is used to lure victims into clicking on and executing the payload when they attempt to open the directories.
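The lure pattern described above leaves a recognisable footprint on the drive: a directory that has been flipped to "hidden" sitting next to an executable that impersonates it. The following script is an added example for defenders, not Kaspersky's code and not part of the original report; it scans the root of a removable drive for that footprint. It assumes the decoy executable reuses the folder's own name (the report only says a fake directory icon is used), and the drive listing it checks is constructed here for illustration. The Windows "hidden" attribute is read via `st_file_attributes` where available; on other systems the name-match heuristic still runs.

```python
"""Heuristic scan of a removable drive's root for the USB-worm lure pattern:
a directory marked 'hidden' beside an executable carrying the directory's name.
Added example for detection purposes; the name-reuse rule is an assumption."""
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# File types Windows runs on double-click. Constructed list for this example.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Entry:
    """One item in the root of a drive."""
    name: str
    is_dir: bool
    hidden: bool


@dataclass(frozen=True)
class Finding:
    """An executable that borrows the name of a sibling directory."""
    directory: str
    lure_file: str
    directory_hidden: bool


def is_hidden(path: Path) -> bool:
    """True when the Windows 'hidden' attribute is set. st_file_attributes only
    exists on Windows; elsewhere we report False so the name-match check below
    still works on any OS (hidden status then just cannot raise confidence)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def list_root(drive_root: Path) -> List[Entry]:
    """Snapshot the top level of a drive; the report says the copy is planted
    in the root directory, so deeper levels are not needed for this check."""
    return [Entry(p.name, p.is_dir(), is_hidden(p)) for p in sorted(drive_root.iterdir())]


def find_lures(entries: List[Entry]) -> List[Finding]:
    """Flag executables whose stem equals the name of a directory in the same
    listing. Matching is case-insensitive because Windows filenames are. A hidden
    twin directory is the strong signal; a visible twin is still reported."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        stem, suffix = os.path.splitext(e.name)
        twin = dirs.get(stem.lower())
        if suffix.lower() in EXECUTABLE_SUFFIXES and twin is not None:
            findings.append(Finding(twin.name, e.name, twin.hidden))
    return findings


def scan_drive(drive_root) -> List[Finding]:
    """Scan a mounted drive root, e.g. scan_drive('E:\\\\') on Windows."""
    return find_lures(list_root(Path(drive_root)))


# Constructed listing standing in for a freshly plugged-in USB stick.
SAMPLE_LISTING = [
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.exe", is_dir=False, hidden=False),
    Entry("readme.txt", is_dir=False, hidden=False),
    Entry("Documents", is_dir=True, hidden=True),
    Entry("documents.EXE", is_dir=False, hidden=False),  # case differs, still a twin
    Entry("Backup", is_dir=True, hidden=False),
    Entry("notes.exe", is_dir=False, hidden=False),  # no twin directory: not flagged
]


def demo_on_tempdir() -> List[str]:
    """Build the same layout on disk (empty files, real directories), scan it
    with scan_drive, and return the lure file names that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for e in SAMPLE_LISTING:
            target = root / e.name
            if e.is_dir:
                target.mkdir()
            else:
                target.write_bytes(b"")
        return [f.lure_file for f in scan_drive(root)]


if __name__ == "__main__":
    for f in find_lures(SAMPLE_LISTING):
        state = "hidden" if f.directory_hidden else "visible"
        print(f"{f.lure_file!r} mimics {state} directory {f.directory!r}")
```

Run it against a mounted drive with `scan_drive("E:\\")` (or the mount point on other systems); a non-empty result is a reason to image the drive and inspect the flagged executable rather than open anything on it. The check is deliberately narrow so it produces few false positives; a broader policy, such as blocking autorun and execution from removable media, is the complementary control.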
“Transparent Tribe continues to show high activity against multiple targets. In the last twelve months, we observed a broad campaign against military and diplomatic targets, using extensive infrastructure to support their operations and continuous improvements in their arsenal. The group continue to invest in their main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We do not expect any slowdown from this group in the near future and we will continue to monitor their activities,” the researchers concluded.