Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]

ID: G0134
Associated Groups: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.2
Created: 02 September 2021
Last Modified: 10 April 2024

Associated Group Descriptions

Name Description
COPPER FIELDSTONE [4]
APT36 [3]
Mythic Leopard [5][2][3]
ProjectM [6][2]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[2]

Enterprise T1568 Dynamic Resolution

Transparent Tribe has used dynamic DNS services to set up C2.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Transparent Tribe has crafted VBS-based malicious documents.[1][2]

For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.[7]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Transparent Tribe has compromised domains for use in targeted malicious campaigns.[1]

Enterprise T1203 Exploitation for Client Execution

Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[1]

Enterprise T1587 .003 Develop Capabilities: Digital Certificates

For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.[7]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[7]

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1189 Drive-by Compromise

Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Transparent Tribe has dropped encoded executables on compromised hosts.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Transparent Tribe has directed users to open URLs hosting malicious content.[8][3]

During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.[7]

Enterprise T1204 .002 User Execution: Malicious File

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[1][2][8][3][6]

During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.[7]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[1][3]

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[1][2][8][3][6]

During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.[7]

Enterprise T1566 .002 Phishing: Spearphishing Link

Transparent Tribe has embedded links to malicious downloads in e-mails.[8][3]

During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.[7]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[2]
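The hidden-directory swap described under T1564.001 and T1036.005 leaves a recognisable pattern in a directory listing: a directory carrying the Hidden attribute next to a visible executable file that bears the directory's name. The following is an added defensive example, not code from the ATT&CK page or from any tooling attributed to Transparent Tribe; the Entry record type, the extension list and the sample listing are assumptions constructed for illustration.

```python
"""Heuristic check for hidden-directory masquerading (T1564.001 / T1036.005).

Pattern looked for: a directory was given the Hidden attribute and a file with
the directory's name plus an executable extension was placed beside it, so a
user who opens "Reports" actually launches "Reports.exe".
"""
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows st_file_attributes bit for Hidden

# Extensions a folder-lookalike payload commonly carries (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".vbs"}


@dataclass(frozen=True)
class Entry:
    name: str     # name as it appears in the listing
    is_dir: bool
    hidden: bool  # Windows Hidden attribute, or dot-prefix on POSIX


def find_masqueraded_dirs(entries):
    """Return (hidden_dir, lookalike_file) pairs found in one directory listing."""
    hidden_dirs = {e.name.lower(): e for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir or e.hidden:
            continue
        stem, ext = os.path.splitext(e.name)  # "Reports.exe" -> ("Reports", ".exe")
        if ext.lower() in EXECUTABLE_EXTS and stem.lower() in hidden_dirs:
            hits.append((hidden_dirs[stem.lower()].name, e.name))
    return hits


def list_entries(path):
    """Build Entry records from a real directory, e.g. the root of a USB drive."""
    out = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
        out.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return out


# Constructed listing resembling a removable drive after the directory swap.
SAMPLE_LISTING = [
    Entry("Reports", is_dir=True, hidden=True),        # original, now hidden
    Entry("Reports.exe", is_dir=False, hidden=False),  # payload named like it
    Entry("Photos", is_dir=True, hidden=False),        # untouched directory
    Entry("notes.txt", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    for hidden_dir, lookalike in find_masqueraded_dirs(SAMPLE_LISTING):
        print(f"hidden directory {hidden_dir!r} shadowed by {lookalike!r}")
```

Run it against `list_entries(path)` on a mounted drive to check a real listing; a hit is a strong indicator but still warrants inspection of the flagged file rather than automatic deletion.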

Software

ID Name References Techniques
S0115 Crimson [1][7] Data from Removable Media, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, Query Registry, Email Collection: Local Email Collection, Indicator Removal: File Deletion, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Video Capture, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Application Layer Protocol, Audio Capture
S0334 DarkComet [6] Masquerading: Match Legitimate Name or Location, Modify Registry, Clipboard Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Software Packing, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Audio Capture
S0385 njRAT [1] Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify System Firewall, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Standard Port
S0644 ObliqueRAT [8][7] Data from Removable Media, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Peripheral Device Discovery, Screen Capture, Data Transfer Size Limits, Data Staged: Local Data Staging, File and Directory Discovery, Obfuscated Files or Information: Steganography, User Execution: Malicious Link, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks, Video Capture, Process Discovery
S0643 Peppy [6] Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, Automated Exfiltration, Ingress Tool Transfer, Input Capture: Keylogging

References