Transparent Tribe Hacks Target Indian Startups with Crimson RAT Malware

Transparent Tribe Targets India’s Startup Ecosystem with Crimson RAT

India’s burgeoning startup ecosystem, particularly companies in the cybersecurity and intelligence sectors, has become the latest target of the Pakistan-based hacking group known as Transparent Tribe, or APT36. Active since 2013, the group has shifted its focus from traditional government entities to Indian startups, infiltrating them with Crimson RAT, a remote access trojan.

Discovery of the Campaign

The campaign came to light when researchers identified suspicious files uploaded from India, containing content related to startups. Unlike previous operations targeting defense organizations and educational institutions, this campaign zeroes in on individuals associated with startups that provide security services to law enforcement agencies. The attackers utilized personal information about a legitimate startup founder to craft convincing fake documents, enhancing the credibility of their malicious emails.

Infection Mechanism

Acronis researchers uncovered that Transparent Tribe delivers its malware through ISO container files sent via email. When recipients open what appears to be an Excel spreadsheet, they inadvertently trigger a sequence of hidden commands that install Crimson RAT on their systems. This remote access trojan enables the attackers to monitor screens, record audio, steal files, and control infected systems without the victim’s knowledge.

Detailed Attack Execution

The infection process initiates when victims receive an email containing a file named MeetBisht.iso. Within this container is a shortcut file disguised as an Excel document, accompanied by a hidden folder containing three components:

1. A decoy document to distract the victim.

2. A batch script that manages execution.

3. The actual Crimson RAT payload, masquerading as an Excel executable.

Upon activation, the malicious shortcut launches a batch script that simultaneously displays a fake Excel file while covertly copying the malware to the computer’s system folders. The script employs PowerShell commands to suppress security warnings that would typically alert users to suspicious files. It then creates a hard-linked executable with a random name in the user’s application data folder and executes the malware from this trusted location.

Evasion Techniques

The Crimson RAT payload incorporates advanced evasion tactics. The malware file is artificially inflated to 34 megabytes through embedded junk data, while the actual malicious code measures only 80 to 150 kilobytes. This bloating technique aids in bypassing signature-based detection systems. Additionally, the malware uses completely randomized function names throughout its code, complicating analysis. It communicates with command-and-control servers using custom TCP protocols on non-standard ports, including 18661, 20856, 26868, 29261, and 36628.
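The attack chain above (batch script spawning PowerShell, a randomly named executable run from the user's application data folder, and outbound TCP to the listed non-standard ports) can be turned into correlated detection logic. The following is an added illustration, not code from Acronis or from the original report; the Sysmon-style event dictionaries are constructed sample telemetry, and the allowlist and the random-name heuristic are assumptions.

```python
import re
from collections import defaultdict

# Non-standard C2 ports named in the report.
CRIMSON_RAT_PORTS = {18661, 20856, 26868, 29261, 36628}
# Heuristic for the randomly named executable dropped under the user's application
# data folder (assumption: 6+ alphanumeric characters, not a known legitimate binary).
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\([A-Za-z0-9]{6,})\.exe$", re.I)
KNOWN_EXE = {"teams", "discord", "chrome"}  # constructed allowlist, extend per environment

def check_event(ev):
    """Return a rule tag for one Sysmon-style event dict, or None if it is benign."""
    kind = ev.get("type")
    if kind == "network" and ev.get("dport") in CRIMSON_RAT_PORTS:
        return "c2_port"
    if kind == "process":
        image = ev.get("image", "")
        parent = ev.get("parent", "").lower()
        m = APPDATA_RE.search(image)
        # Executable with a random-looking name under AppData, started by cmd.exe (the batch script).
        if m and m.group(2).lower() not in KNOWN_EXE and parent.endswith("cmd.exe"):
            return "appdata_exec_from_batch"
        # PowerShell launched by a batch script rather than interactively.
        if image.lower().endswith("powershell.exe") and parent.endswith("cmd.exe"):
            return "batch_spawned_powershell"
    return None

def correlate(events, min_rules=2):
    """Group rule hits per host; a host matching at least min_rules distinct rules
    is reported as a probable infection chain rather than an isolated anomaly."""
    hits = defaultdict(set)
    for ev in events:
        tag = check_event(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items() if len(tags) >= min_rules}

# Constructed sample telemetry (not real data): WS01 shows the full chain, WS02 is benign.
SAMPLE = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "type": "process", "image": r"C:\Users\a\AppData\Roaming\k3fj9sd2.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "type": "network", "dport": 26868},
    {"host": "WS02", "type": "process", "image": r"C:\Users\b\AppData\Local\Discord.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "type": "network", "dport": 443},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Requiring two or more distinct rules per host keeps a single batch-launched PowerShell from paging an analyst on its own, while the port rule alone remains a useful network-level hunt query.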

Recommendations for Mitigation

To defend against such sophisticated attacks, organizations should implement the following measures:

– Email Filtering: Block ISO and container-based attachments from unknown sources to prevent the initial delivery of malicious payloads.

– Security Awareness Training: Educate employees to recognize social engineering tactics, such as phishing emails, to reduce the likelihood of successful attacks.

– Endpoint Detection Solutions: Deploy tools capable of identifying suspicious PowerShell activity and unauthorized file modifications, which are indicative of malware execution.

By adopting these strategies, startups can enhance their resilience against the evolving threats posed by groups like Transparent Tribe.