The Pakistan-linked threat actor Transparent Tribe has been found responsible for a series of new attacks targeting the Indian government, defense and aerospace sectors using cross-platform malware written in Python, Golang and Rust.
“This series of activity is expected to continue into the second half of 2023 and into April 2024,” BlackBerry's research and intelligence team said in a technical report published earlier this week.
The spear-phishing attack is also notable for its misuse of popular online services such as Discord, Google Drive, Slack and Telegram, highlighting once again the threat actors' adoption of legitimate programs in their attack flows.
According to BlackBerry, targets of the email attack included three companies that are key stakeholders and customers of the Department of Defence Production (DDP). All three targeted companies are headquartered in the Indian city of Bengaluru.
While the companies were not named, the email messages appear to have targeted Hindustan Aeronautics Limited (HAL), one of the world's largest aerospace and defence companies, Bharat Electronics Limited (BEL), a state-run aerospace and defence electronics company, and BEML Limited, a public sector enterprise that manufactures earth-moving equipment.
Transparent Tribe is also tracked by the larger cybersecurity community under the names APT36, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.
The hostile group is believed to have been active since at least 2013 and has a track record of cyber espionage operations against government, military and educational institutions in India, as well as highly targeted mobile spyware attacks against victims in Pakistan, Afghanistan, Iraq, Iran and the United Arab Emirates.
Additionally, the group is known to experiment with new methods of intrusion, having tried a variety of malware over the years and repeatedly iterating on its tactics and toolkits to evade detection.
Notable malware families used by Transparent Tribe include CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango and Tangelo, the last two of which are associated with a group of freelance developers based in Lahore.
Mobile security company Lookout noted in 2018 that these developers were “available for hire” and that “at least one government employee works as a mobile app developer on the side.”
The attack chains launched by this group include the use of spear-phishing emails using malicious links and ZIP archives to deliver payloads, with a particular focus on distributing ELF binaries given the Indian government's heavy reliance on Linux-based operating systems.
The infection resulted in the deployment of three different versions of GLOBSHELL, a Python-based intelligence gathering utility previously documented by Zscaler in connection with attacks targeting Linux environments within Indian government organizations, as well as PYSHELLFOX to exfiltrate data from Mozilla Firefox.
BlackBerry said it also discovered a bash script version and a Python-based Windows binary being served from the threat actor-controlled domain “apsdelhicantt[.]in”:
- swift_script.sh - the bash version of GLOBSHELL
- Sliver - an open source command and control (C2) framework
- swift_uzb.sh - a script to collect files from a connected USB drive
- AFDF.exe - an intermediate executable that downloads win_hta.exe and win_service.exe
- win_hta.exe and win_service.exe - two Windows versions of GLOBSHELL
In a sign of Transparent Tribe's tactical evolution, a phishing campaign orchestrated in October 2023 was observed leveraging ISO images to deploy a Python-based remote access trojan that uses Telegram for C2 purposes.
It's worth noting that the use of ISO lures targeting Indian government entities is a technique that has been observed since earlier this year as part of two possibly related sets of intrusions. A Canadian cybersecurity firm said the modus operandi “bears hallmarks of the Transparent Tribe attack chain.”
Further analysis of the infrastructure also uncovered an “all-in-one” program compiled in Golang with the ability to find and exfiltrate files with common file extensions, take screenshots, upload and download files, and execute commands.
The spy tool is a modified version of the open source project Discord-C2, receiving instructions from Discord and delivered via an ELF binary downloader packed inside a ZIP archive.
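As an added example (not from BlackBerry's report or this article), the script below runs a simple detector over constructed endpoint proxy log lines and flags the two behaviours described above: a non-browser process contacting one of the legitimate services the group abuses for C2 or delivery, and a download whose filename matches one of the tools served from the actor's domain. The log format, host names, process names and the list of expected browser processes are assumptions.

```python
"""Flag proxy events that match the abuse patterns described in the report.
Log format and sample lines are constructed for this example."""
import re
from collections import namedtuple

# Legitimate services the report says are abused for C2 or payload delivery.
ABUSED_SERVICES = ("discord.com", "discordapp.com", "drive.google.com",
                   "slack.com", "telegram.org")
# Filenames the report says were served from the actor-controlled domain.
SUSPECT_FILENAMES = {"swift_script.sh", "swift_uzb.sh", "AFDF.exe",
                     "win_hta.exe", "win_service.exe"}
# Processes for which traffic to those services is expected (assumption).
BROWSERS = {"chrome", "firefox", "msedge", "slack", "Discord"}

Event = namedtuple("Event", "ts host process url")
LOG_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) url=(\S+)$")  # assumed format


def parse(line):
    """Parse one constructed log line into an Event, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return Event(*m.groups()) if m else None


def classify(ev):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    m = re.match(r"https?://([^/]+)(/.*)?", ev.url)
    if not m:
        return reasons
    domain, path = m.group(1).lower(), m.group(2) or ""
    on_abused = any(domain == s or domain.endswith("." + s) for s in ABUSED_SERVICES)
    if on_abused and ev.process not in BROWSERS:
        reasons.append(f"non-browser process {ev.process} contacting {domain}")
    fname = path.rsplit("/", 1)[-1]
    if fname in SUSPECT_FILENAMES:
        reasons.append(f"download of reported filename {fname}")
    return reasons


def scan(lines):
    """Return (event, reasons) pairs for every flagged line."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


SAMPLE_LOG = [  # constructed sample data
    "2023-11-01T09:14:03Z host=ws-17 proc=chrome url=https://drive.google.com/file/d/abc",
    "2023-11-01T09:15:44Z host=ws-17 proc=python3 url=https://api.telegram.org/bot123/getUpdates",
    "2023-11-01T09:16:02Z host=ws-22 proc=curl url=http://apsdelhicantt[.]in/AFDF.exe",
    "2023-11-01T09:17:30Z host=ws-09 proc=Discord url=https://discord.com/api/v9/gateway",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(ev.ts, ev.host, "; ".join(reasons))
```

The browser traffic and the Discord desktop client are left alone; only the Python process polling Telegram and the download of AFDF.exe are reported.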
“Transparent Tribe has relentlessly targeted sectors critical to India's national security,” BlackBerry said. “The threat actor continues to utilize a core set of tactics, techniques and procedures (TTPs) that it has adapted over time.”