{"id":29861,"date":"2024-07-24T03:36:02","date_gmt":"2024-07-24T03:36:02","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=29861"},"modified":"2026-04-17T18:07:37","modified_gmt":"2026-04-17T18:07:37","slug":"transparenttribes-spear-phishing-targeting-indian-government-departments","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/transparenttribes-spear-phishing-targeting-indian-government-departments\/","title":{"rendered":"TransparentTribe’s Spear-Phishing Targeting Indian Government Departments"},"content":{"rendered":"\n

<\/p>\n\n\n\n\n\n

Overview<\/h2>\n\n\n\n

Leveraging our global threat hunting system, NSFOCUS Security Research Labs<\/a> discovered spear-phishing email attacks by the APT group TransparentTribe targeting Indian government departments on February 2, 2024. The timing of these attacks coincides with the presidential election in India, scheduled for April-May of this year, and the bait documents are related to the “President’s Award,” suggesting a possible connection with the election.<\/p>\n\n\n\n

In this incident, the TransparentTribe group utilized a phishing document named “Recommendation for the award of President’s.docm.” The malicious file was concealed within this document and, upon execution, would run the embedded VBA script to extract and execute the malicious program within the file. The ultimate payload used in this attack was the CrimsonRAT remote control program, a common Trojan used by the TransparentTribe attack group. This RAT is capable of collecting system information, downloading and running files, and stealing sensitive information, posing a significant threat.<\/p>\n\n\n\n

Introduction of TransparentTribe<\/h2>\n\n\n\n

TransparentTribe, also known as ProjectM or APT 36, is an APT attack group originating from Pakistan. It primarily targets India, Kazakhstan, and Afghanistan. The group’s main objectives are defense, military, embassies, and governments. Their activities date back to as early as 2012. Recently, they have been using phishing emails to deliver malicious docm and xlam documents, utilizing VBA scripts in the documents to release malicious programs, with the aim of stealing user information.<\/p>\n\n\n\n

Bait Information<\/h2>\n\n\n\n

In this incident, the bait document used by TransparentTribe was named “Recommendation for the award of President’s.docm.” The document’s content pertains to a document sent by the “Government of India Ministry of Home Affairs, Police-I Division” to various Indian government departments. The document impersonates an official document issued by the Indian government on October 17, 2023, mainly discussing recommendations for the award of the President’s Distinguished Service Medal and the Meritorious Service Medal on Republic Day 2024. This confirms that the target of this attack is Indian government departments.<\/p>\n\n\n

\n
\"Red<\/a>
Figure 1:  The bait document executed after the phishing email<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

In November 2023, a historical phishing email appeared, also using a bait document containing malicious VBA scripts. The document was named “Monthly Report MAP.xlam.” Upon execution, it prompts to enable macros, and if the user clicks to enable, the VBA script will execute, leading to subsequent malicious operations; it also pops up a normal Excel file to cover up the malicious operations.<\/p>\n\n\n

\n
\"Red<\/a>
Figure 2:  The bait document executed after the phishing email (1)<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n

\n
\"Red<\/a>
Figure 3:  The bait document executed after the phishing email (2)<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n

\n
\"Red<\/a>
Figure 4:  The bait document executed after the phishing email (3)<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

It can be seen that this APT group has recently favored impersonating official documents issued by government departments when constructing bait content, using highly targeted content such as government documents and forms. This narrows the scope of the attack, targeting specific targets.<\/p>\n\n\n\n

Technical Analysis<\/h2>\n\n\n\n

Different from the group’s previous method of using a downloader to execute remote links to obtain subsequent programs, we have observed that the group’s recent activities prefer to hide the ultimate payload within the bait document.<\/p>\n\n\n\n

The phishing file in this instance is named “Recommendation for the award of President’s.docm.”<\/p>\n\n\n\n

The attack process executed after opening this phishing file is as follows:<\/p>\n\n\n\n

1. Execute the malicious VBA script;<\/p>\n\n\n\n

2. The script will decompress the current file and store the file in the download directory;<\/p>\n\n\n\n

3. The script decompresses the document, extracting the word\\media\\image1.png file;<\/p>\n\n\n\n

4. The script changes the extension of image1.png to .zip, decompresses it, and extracts the image1.exe file;<\/p>\n\n\n\n

5. The script renames image1.exe to itmvroidovs.scr and runs it, which is the ultimate payload CrimsonRAT;<\/p>\n\n\n\n

6. The script changes the extension of word\\media\\image2.png to .docx and runs it, using it as a decoy to confuse the attacked user.<\/p>\n\n\n\n

\"Red<\/a>
 Figure 5:  The “Recommendation for the award of President’s.docm” file executing the malicious VBA script<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

CrimsonRAT Analysis<\/h2>\n\n\n\n

CrimsonRAT is the main Trojan program used by TransparentTribe, with primary functions such as obtaining system information, capturing screenshots, collecting victim host processes, and driver information. It also supports downloading, running files, and stealing sensitive information.<\/p>\n\n\n\n

Combining the bait creation time with the official report release time, the timestamp is likely to be genuine, indicating that this incident is a recent attack launched by TransparentTribe.<\/p>\n\n\n

\n
\"Red<\/a>
 Figure 6:  The author and creation time of the bait document<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n

\n
\"Red<\/a>
Figure 7:  The timestamp of the final payload Trojan<\/figcaption><\/figure>\n<\/div>\n\n\n

 <\/p>\n\n\n\n

In this attack incident, the CrimsonRAT Trojan program used has a timestamp of December 16, 2023, which is not much different from the version on October 12, 2023. The main change is the modification of the obfuscation character “_” in the string to evade detection.<\/p>\n\n\n

\n
\"Red<\/a>
Figure 8:  Partial string obfuscation changes, the right side is the new version<\/figcaption><\/figure>\n<\/div>\n\n\n

 <\/p>\n\n\n\n

TransparentTribe used a version of CrimsonRAT with the version number “S.F.0.3” in November 2023, but in this activity, the CrimsonRAT has increased the version number obfuscation, confusing the version number into “A._E.0._6”, using this method to evade detection:<\/p>\n\n\n

\n
\"Red<\/a>
 Figure 9:  CrimsonRAT version number, the right side is the new version.<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

The version found on October 12 is somewhat different from the previously found versions, adding obfuscation strings “_” to a large number of key strings, and all the versions found recently have been done through this string obfuscation method:<\/p>\n\n\n

\n
\"Red<\/a>
 Figure 10:  Comparison of the October 2023 version with earlier versions<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

Attribution of Attackers<\/h2>\n\n\n\n

NSFOCUS Security Research Labs found the following attribution items in this APT incident:<\/p>\n\n\n\n