The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021.
“This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users,” Cisco Talos said in a report shared with The Hacker News.
Also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, the Transparent Tribe actor is suspected to be of Pakistani origin and is known to strike government entities and think tanks in India and Afghanistan with custom malware such as CrimsonRAT, ObliqueRAT, and CapraRAT.
But the targeting of educational institutions and students, first observed by India-based K7 Labs in May 2022, indicates a deviation from the adversary’s typical focus.
“The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state,” Cisco Talos researchers told The Hacker News. “APTs will frequently target individuals at universities and technical research organizations in order to establish long term access to siphon off data related to ongoing research projects.”
Attack chains documented by the cybersecurity firm involve delivering a maldoc to the targets either as an attachment or a link to a remote location via a spear-phishing email, ultimately leading to the deployment of CrimsonRAT.
“This APT puts in a substantial effort towards social engineering their victims into infecting themselves,” the researchers said. “Transparent Tribes’ email lures try to appear as legitimate as possible with pertinent content to convince the targets into opening the maldocs or visiting the malicious links provided.”
CrimsonRAT, also known as SEEDOOR and Scarimson, functions as the staple implant of choice for the threat actor to establish long-term access into victim networks as well as exfiltrate data of interest to a remote server.
Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, steal browser credentials, record keystrokes, capture screenshots, and execute arbitrary commands.
What’s more, a number of these decoy documents are said to be hosted on education-themed domains (e.g., “studentsportal[.]co”) that were registered as early as June 2021, with the infrastructure operated by a Pakistani web hosting services provider named Zain Hosting.
“The entire scope of Zain Hosting’s role in the Transparent Tribe organization is still unknown,” the researchers noted. “This is likely one of many third-parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.”