TransparentTribe’s Spear-Phishing Targeting Indian Government Departments

July 24, 2024 | NSFOCUS

Overview

Leveraging our global threat hunting system, NSFOCUS Security Research Labs discovered spear-phishing email attacks by the APT group TransparentTribe targeting Indian government departments on February 2, 2024. The timing of these attacks coincides with the presidential election in India, scheduled for April-May of this year, and the bait documents are related to the “President’s Award,” suggesting a possible connection with the election.

In this incident, the TransparentTribe group used a phishing document named “Recommendation for the award of President’s.docm.” The malicious executable was concealed inside this document; when the document is opened, the embedded VBA script extracts and runs it. The final payload in this attack was CrimsonRAT, a remote-control Trojan commonly used by TransparentTribe. This RAT can collect system information, download and run files, and steal sensitive information, so it poses a significant threat.

Introduction of TransparentTribe

TransparentTribe, also known as ProjectM or APT36, is an APT group originating from Pakistan. It primarily targets India, Kazakhstan, and Afghanistan, and its main targets are defense, military, embassy, and government organizations. Its activity dates back to as early as 2012. Recently, the group has used phishing emails to deliver malicious docm and xlam documents whose VBA scripts drop malicious programs, with the aim of stealing user information.

Bait Information

In this incident, the bait document used by TransparentTribe was named “Recommendation for the award of President’s.docm.” Its content purports to be a letter sent by the “Government of India Ministry of Home Affairs, Police-I Division” to various Indian government departments. The document impersonates an official document issued by the Indian government on October 17, 2023, mainly discussing recommendations for the award of the President’s Distinguished Service Medal and the Meritorious Service Medal on Republic Day 2024. This confirms that the targets of this attack are Indian government departments.

Figure 1:  The bait document executed after the phishing email

In November 2023, an earlier phishing email was observed that also used a bait document containing malicious VBA scripts. The document was named “Monthly Report MAP.xlam.” When opened, it prompts the user to enable macros; if the user does so, the VBA script executes and carries out the subsequent malicious operations, while a normal Excel file is displayed to cover them up.

Figure 2:  The bait document executed after the phishing email (1)

Figure 3:  The bait document executed after the phishing email (2)

Figure 4:  The bait document executed after the phishing email (3)

It can be seen that this APT group has recently favored impersonating official documents issued by government departments when constructing bait content, using highly targeted material such as government letters and forms. This narrows the scope of the attack to specific targets.

Technical Analysis

Unlike the group’s earlier method, in which a downloader fetched the next stage from a remote link, its recent activity hides the final payload inside the bait document itself.

The phishing file in this instance is named “Recommendation for the award of President’s.docm.”

The attack process executed after opening this phishing file is as follows:

1. Execute the malicious VBA script;

2. The script saves a copy of the current document to the Downloads directory;

3. The script unpacks that copy (a .docm file is a zip archive) and extracts the word\media\image1.png file;

4. The script changes the extension of image1.png to .zip, decompresses it, and extracts the image1.exe file;

5. The script renames image1.exe to itmvroidovs.scr and runs it, which is the ultimate payload CrimsonRAT;

6. The script changes the extension of word\media\image2.png to .docx and runs it, using it as a decoy to confuse the attacked user.

Figure 5:  The “Recommendation for the award of President’s.docm” file executing the malicious VBA script
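The chain above works because a .docm is an ordinary zip archive and Word never checks that entries under word\media are actually images. As an added example, not NSFOCUS tooling or the group’s script, the following Python inspects each media entry’s leading bytes and flags a document that combines a VBA project with “images” that are really archives, executables, or embedded Office documents. The sample document is constructed in memory; its entry names mirror the steps above, but every byte in it is a placeholder.

```python
"""Flag an OOXML document whose media entries hide non-image content.

Added example for this report, not NSFOCUS tooling. The sample document is
constructed in memory; its entry names follow the chain described above, but
every byte in it is a placeholder."""
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG header
ZIP_MAGIC = b"PK\x03\x04"          # zip local file header (also .docx/.docm)
MZ_MAGIC = b"MZ"                   # PE executable header
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf")
NON_IMAGE_KINDS = {"pe", "zip", "zip-with-executable", "ooxml"}


def classify(data: bytes) -> str:
    """Coarse content type from leading bytes; zips are opened to see what they hold."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(MZ_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = [n.lower() for n in inner.namelist()]
        except zipfile.BadZipFile:
            return "zip"
        if "[content_types].xml" in names:
            return "ooxml"               # a whole Office document inside an "image"
        if any(n.endswith((".exe", ".scr", ".dll")) for n in names):
            return "zip-with-executable"
        return "zip"
    return "unknown"


def scan_document(doc_bytes: bytes) -> dict:
    """Report whether the document carries a VBA project and which media
    entries have an image extension but non-image content."""
    findings = {"has_vba": False, "suspicious_media": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
        for name in doc.namelist():
            lower = name.lower()
            if lower == "word/vbaproject.bin":
                findings["has_vba"] = True
            elif lower.startswith("word/media/") and lower.endswith(IMAGE_EXTS):
                kind = classify(doc.read(name))
                if kind in NON_IMAGE_KINDS:
                    findings["suspicious_media"].append((name, kind))
    # Macro code plus disguised media is the combination the chain above needs.
    findings["verdict"] = ("suspicious"
                           if findings["has_vba"] and findings["suspicious_media"]
                           else "clean")
    return findings


def zip_bytes(entries: dict) -> bytes:
    """Build a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_docm() -> bytes:
    """Constructed stand-in for the bait document: a macro project plus two
    'images' that are really a zipped executable and a decoy .docx."""
    fake_exe = MZ_MAGIC + b"\x00" * 62 + b"constructed placeholder, not a real PE"
    decoy_docx = zip_bytes({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w:document/>"})
    return zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"constructed placeholder, no macro code",
        "word/media/image1.png": zip_bytes({"image1.exe": fake_exe}),
        "word/media/image2.png": decoy_docx,
        "word/media/image3.png": PNG_MAGIC + b"\x00" * 16,   # a genuine PNG header
    })


if __name__ == "__main__":
    print(scan_document(build_sample_docm()))
```

On the constructed sample, image1.png is reported as a zip containing an executable and image2.png as a complete OOXML document, while image3.png passes; a document with no vbaProject.bin or with only genuine images is reported clean. The same check applies to the xlam case by scanning xl/media instead of word/media.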

CrimsonRAT Analysis

CrimsonRAT is the main Trojan program used by TransparentTribe. Its primary functions include obtaining system information, capturing screenshots, and collecting the victim host’s process and driver information. It also supports downloading and running files and stealing sensitive information.

Because the bait document’s creation time is consistent with the release date of the official document it imitates, the timestamp is likely genuine, indicating that this incident is a recent attack launched by TransparentTribe.

Figure 6:  The author and creation time of the bait document

Figure 7:  The timestamp of the final payload Trojan


The CrimsonRAT Trojan used in this attack has a timestamp of December 16, 2023, and differs little from the version dated October 12, 2023. The main change is a modification to how the obfuscation character “_” is inserted into strings, intended to evade detection.

Figure 8:  Partial string obfuscation changes, the right side is the new version


In November 2023, TransparentTribe used a version of CrimsonRAT with the version number “S.F.0.3”; in this activity, the obfuscation is extended to the version number as well, rendering it as “A._E.0._6”, again to evade detection:

Figure 9:  CrimsonRAT version number, the right side is the new version

The version found on October 12, 2023 differs from earlier versions in that it inserts the obfuscation character “_” into a large number of key strings; all recently observed versions use this string obfuscation method:

Figure 10:  Comparison of the October 2023 version with earlier versions
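Inserting “_” into key strings defeats signatures that look for the exact original string. As an added example, not NSFOCUS’s detection code, the following Python extracts ASCII and UTF-16LE strings from a byte buffer and matches known version strings both before and after removing the inserted character. The buffer is constructed here; the only indicators used are the version strings shown above, on the assumption that “_” is the sole inserted character, so that “A._E.0._6” normalizes to “A.E.0.6”.

```python
"""Match indicator strings before and after removing inserted "_" characters.

Added example, not NSFOCUS detection code. The sample buffer is constructed
here; the indicators are only the version strings the report shows, assuming
"_" is the sole inserted character (so "A._E.0._6" normalizes to "A.E.0.6")."""
import re

# Printable runs of at least four characters, as ASCII and as UTF-16LE
# (the encoding Windows and managed binaries commonly use for strings).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# De-obfuscated forms of the version strings discussed above.
KNOWN_VERSIONS = {"S.F.0.3", "A.E.0.6"}


def extract_strings(data: bytes) -> list:
    """Return printable strings found in the buffer, like the `strings` tool."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def normalize(s: str) -> str:
    """Strip the inserted obfuscation character before comparing."""
    return s.replace("_", "")


def match_versions(data: bytes, normalize_first: bool) -> set:
    """Strings (as they appear in the buffer) whose plain or normalized form
    equals a known version string."""
    hits = set()
    for s in extract_strings(data):
        candidate = normalize(s) if normalize_first else s
        if candidate in KNOWN_VERSIONS:
            hits.add(s)
    return hits


# Constructed buffer: an older-style ASCII version string and a newer
# underscore-obfuscated one stored as UTF-16LE, separated by filler bytes.
SAMPLE = (b"\x00\x00" + b"S.F.0.3" + b"\x00\x00\x00"
          + "A._E.0._6".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    print("exact match:     ", match_versions(SAMPLE, normalize_first=False))
    print("after normalize: ", match_versions(SAMPLE, normalize_first=True))
```

Exact matching finds only “S.F.0.3”; normalizing first also recovers “A._E.0._6”. The same normalization step should be applied to any extracted command or configuration strings before they are compared against a list of known CrimsonRAT indicators, since the report shows the underscores being inserted into many key strings, not just the version number.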

Attribution of Attackers

NSFOCUS Security Research Labs found the following attribution items in this APT incident:

  • The malicious sample used by the attacker is CrimsonRAT, one of the Trojans commonly used by TransparentTribe;
  • The attack process and VBA script used in this incident are consistent with the attack chain characteristics and coding habits seen in TransparentTribe’s recent attacks;
  • The phishing document captured in this incident was uploaded from India, which is consistent with TransparentTribe’s usual targets.

Therefore, NSFOCUS Security Research Labs attributes the attackers of this attack incident to the TransparentTribe group.

IOC

IOC                               Note
c2b37effe3195665ec5597afa329f     Recommendation for the award of President’s.docm
f5380e7a6e15a0ef27e6f31fcc29ed4d  itmvroidovs.exe
41d801d96c9e27c5ca6c4678ffa2d7e2  Monthly Report MAP.xlam
mus09.duckdns.org                 C2
64.188.21.202:6826                C2
64.188.21.202:18828               C2
64.188.21.202:22821               C2
64.188.21.202:28120               C2
164.68.122.64:11128               C2
164.68.122.64:18187               C2
164.68.122.64:19986               C2
164.68.122.64:27684               C2
164.68.122.64:25123               C2

Related blog post:

Indian Government Agencies Targeted in Phishing Attacks by APT Group SideCopy

About NSFOCUS Security Research Labs

NSFOCUS Security Research Labs is an internationally recognized cybersecurity research and threat response center at the front of vulnerability assessment, threat hunting and mitigation research.