Attack on German military and government institutions


Current cyber espionage campaign: Transparent Tribe targets military and government institutions worldwide. Germany is one of the worst affected countries. 

Since January 2019, Kaspersky has been investigating an ongoing campaign by the APT group Transparent Tribe, which is spreading the Remote Access Trojan (RAT) Crimson. The attacks began with malicious Microsoft Office documents being sent to victims using spear-phishing emails. Within a year, the researchers were able to identify more than 1,000 targets in almost 30 countries. The analysis of the Crimson Trojan also revealed new, previously unknown components, which suggests that its development process is not yet complete.

Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a group known for their massive espionage campaigns. Their activities can be traced back to 2013; Kaspersky has been monitoring the group since 2016.

APT group Transparent Tribe active since 2016

Transparent Tribe is known to infect devices via malicious documents with an embedded macro. It does this using its custom .NET malware, commonly known as Crimson RAT. The RAT is made up of various components that enable the attacker to carry out several activities on infected computers: managing remote file systems, taking screenshots, audio monitoring with microphone devices, recording video streams using webcams, and stealing information from removable media.

Development of new programs for campaigns

While the group's tactics and techniques have remained the same over the years, Kaspersky's analyses show that Transparent Tribe has nonetheless constantly developed new programs for certain campaigns. While investigating the group's activities last year, the experts discovered a .NET file that Kaspersky solutions recognized as Crimson RAT. However, closer examination revealed that it was something else: a new server-side Crimson RAT component used by the attackers to manage infected computers. It is available in two versions and was compiled in 2017, 2018 and 2019. This indicates that this software is still under development and the APT group is working on ways to optimize it.

With an updated list of the components used by Transparent Tribe, Kaspersky was able to understand the development of the group and observe how it intensified its activities, launched massive infection campaigns, developed new tools and increased its focus on Afghanistan.

Top 5 target countries: Germany is increasingly in its sights

In total, taking into account all the components discovered between June 2019 and June 2020, the Kaspersky researchers identified 1,093 targets in 27 countries. In addition to Afghanistan, Pakistan, India and Iran, Germany is also one of the worst affected countries.

"Our findings indicate that Transparent Tribe continues to engage in high levels of activity against multiple targets," commented Giampaolo Dedola, security researcher at Kaspersky. "During the past twelve months we have observed a very broad campaign against military and diplomatic targets. Extensive infrastructure was used to support operations and continuously improve its own technological arsenal. The group continues to invest in Crimson, its main RAT, to conduct intelligence activities and spy on sensitive targets. We do not expect any slowdown in this group's activity in the near future and will continue to monitor it."

Detailed information on Indicators of Compromise (IoC) related to this group, including file hashes and C2 servers, is available on the Kaspersky Threat Intelligence Portal.

More on this at SecureList from Kaspersky.com

 


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/


 
