
Attacks/Breaches

8/26/2020
06:30 PM

'Transparent Tribe' APT Group Deploys New Android Spyware for Cyber Espionage

The group, which has been around since at least 2013, has impacted thousands of organizations, mostly in India.

Transparent Tribe, an advanced persistent threat (APT) group that has been active since at least 2013, has begun deploying a new mobile malware tool in its cyber espionage campaigns.

Researchers from Kaspersky this week reported observing the group actively targeting Android users in India with spyware disguised as a couple of popular apps.


Once installed on a system, the malware has been observed downloading new apps and accessing SMS messages, call logs, and the device's microphone. Transparent Tribe's new Android spyware tool also tracks an infected device's location and enumerates and uploads files from it to a remote attacker-controlled server, Kaspersky said in a report Wednesday.

Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team, says available data suggests the attackers are hosting the Android package files on specific websites and luring users to those locations via social engineering.

According to Kaspersky, one of the two Android applications that Transparent Tribe is using to distribute the spyware is an open source video player that, when installed, serves up an adult video as a distraction while installing additional malware in the background. The second app masquerades as "Aarogya Setu," a COVID-19 tracking app developed by the Indian government's National Informatics Center.

Both apps try to install another Android package file on the compromised system. The package is a modified version of AhMyth, an open source Android remote access tool (RAT) that is freely available for download on GitHub. According to Kaspersky, the modified version lacks some features available on the original, such as the ability to steal pictures from an Android phone. But it also includes new features that improve the malware's data exfiltration capabilities.
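As an added defender-side illustration (not code from the article or from Kaspersky), the Python below triages a decoded AndroidManifest.xml for the permission set implied by the capabilities described above and for a lure that copies the "Aarogya Setu" name under a different package; the sample manifest is constructed, and the genuine app's package name is an assumed placeholder supplied by the caller.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to the spyware, mapped to the Android
# permissions an app must request to exercise them (all listed must be present).
CAPABILITY_PERMISSIONS = {
    "reads SMS": {"android.permission.READ_SMS"},
    "reads call logs": {"android.permission.READ_CALL_LOG"},
    "records microphone": {"android.permission.RECORD_AUDIO"},
    "tracks location": {"android.permission.ACCESS_FINE_LOCATION"},
    "enumerates and uploads files": {"android.permission.READ_EXTERNAL_STORAGE",
                                     "android.permission.INTERNET"},
    "installs additional packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed sample manifest (not a real sample); a decoded manifest may carry
# the label as a resource reference such as "@string/app_name" instead of text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Aarogya Setu"/>
</manifest>"""


def triage_manifest(manifest_xml, impersonated_label, expected_package):
    """Triage a decoded manifest; expected_package is the genuine app's package
    name (an assumed placeholder here, supplied by the caller in real use)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                          if perms <= requested)
    # A lure can copy the genuine app's label but not its package name plus
    # signing key, so a matching label under another package is a strong signal.
    impersonation = (label.strip().lower() == impersonated_label.lower()
                     and package != expected_package)
    verdict = ("suspicious" if impersonation or len(capabilities) >= 4
               else "review" if capabilities else "ok")
    return {"package": package, "label": label, "capabilities": capabilities,
            "impersonation": impersonation, "verdict": verdict}
```

Run it against manifests extracted with a decoder such as apktool; the capability threshold is a starting heuristic, not a signature.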

"The malware looks interesting because Transparent Tribe is investing in it and is modifying the code according to their needs," Dedola says. "It probably means [the malware] will be used in future attacks, and defenders should keep an eye on this threat to prevent the infections."

Transparent Tribe's latest malware highlights the threat group's constant efforts to expand its toolset and its operations, according to Dedola.

Highly Active
Transparent Tribe, aka PROJECTM and MYTHIC LEOPARD, is a highly active threat group that has been mainly targeting Indian military, government, and diplomatic targets. The group's primary malware up until now has been "Crimson RAT," a custom .NET-based RAT delivered via malicious documents with an embedded macro. Kaspersky researchers have also observed the group using another .NET- and Python-based RAT called Peppy.

An analysis by Kaspersky — and another one in 2016 by Proofpoint — identified Crimson as Transparent Tribe's primary tool for conducting cyber espionage, at least thus far. The multi-component tool is equipped with a wide range of capabilities, including those that allow an attacker to remotely manage file systems on infected computers, upload or download files, capture screenshots, record keystrokes, record audio and video, and steal passwords stored in browsers. Among the components in the Crimson framework is "USB Worm," a tool that Kaspersky described as capable of stealing files from removable drives and spreading to other systems by infecting removable media.

According to Dedola, though Transparent Tribe is a highly active group, it is not especially sophisticated. The group uses a fairly simple infection chain based on spear-phishing emails and documents with embedded VBA code. The group also has a tendency to reuse open source malware and exploits.

"What makes this group particularly dangerous is the number of activities," Dedola notes. "Since the first operations, they never stopped their attacks, and they were able to compromise thousands of victims, which are probably related to government or military organizations. It seems they don't need zero-day exploits or kernel-mode malware to achieve their goals."

Over the past year, Transparent Tribe has been observed engaging in targeted attacks on organizations in Afghanistan and multiple other countries. But it is likely that the victims in these countries have ties to India and Afghanistan, Dedola says.

"Based on malicious documents used to infect the victims and information on previous attacks, we know they target military and diplomatic personnel," he says. "We suppose they are politically motivated due to the type of victims and the use of espionage tools developed to steal information."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...