A hacker group, known by the cybersecurity community to be backed by Pakistani entities, is now targeting Indian educational institutions and students in a new cyber-espionage campaign, latest research has revealed.
The development has been confirmed by two leading cyber-security research companies, K7 and Cisco Talos, in separate research reports released over the last three months.
The hacker group, known as ‘Transparent Tribe’, is classified as an advanced persistent threat (APT) group and is also known by other aliases like APT36 and Mythic Leopard.
Multiple reports over the years have confirmed that the group focusses almost exclusively on India, with particular emphasis on high-value targets like defence and other government sectors.
Transperent Tribe's modus operandi
According to both Cisco Talos and K7, Transparent Tribe has been circulating an MS Word document, created in the name of a leading technology institute in India.
The first page of the document has the institute’s letterhead, while the next page has a series of questions as part of a purported survey. As soon as the document is opened by the target, it asks them to ‘enable content’, a common occurrence with MS Word files opened on any system for the first time.
Since the target has been fooled into thinking that the document is legitimate and safe, they click the ‘enable content’ option. As a result, the malware hidden in the document’s code extracts itself and silently makes a home inside the target’s device.
What do the reports say?
K7’s initial analysis, published in May this year, was based on a tweet by a threat intelligence researcher, who goes by the name Jazi on Twitter. Jazi seems to have been the first to find a sample of the malicious document and also identified its Command and Control (C2) server.
A C2 server is the server that controls a malware and receives all the data stolen by it. Cheekily enough, the C2 server in this case is named ‘sunnyleone’.
A second, more detailed analysis of the campaign by Cisco Talos, the findings of which were made public earlier this week, confirmed K7’s earlier suspicion that Transparent Tribe was using CrimsonRAT malware to infect the target devices.
A RAT or a Remote Access Trojan is malware that slips into a system disguised as something else and then grants remote access to the device to its C2 server.
The latest version of CrimsonRAT can capture keystrokes on the target device, steal image files, take screenshots of the current screen, and run arbitrary commands on the system.
Cisco Talos has also traced the domain from which phishing emails containing the malicious document were sent, and confirmed that it is hosted by a domain hosting service in Pakistan.
“Typically, this APT group focuses on targeting government (government employees, military personnel) and pseudo-government entities (think tanks, conferences, etc.) using remote access Trojans (RATs) such as CrimsonRAT and ObliqueRAT. However, in this new campaign dating back to December 2021, the adversary is targeting students of universities and colleges in India. This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users,” Cisco Talos stated in its research report.