Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact

Targeting India's government, defense, and aerospace sectors, the cyber-threat group now attacks Linux as well as Windows in its quest to compromise the Indian military's homegrown MayaOS Linux systems.

4 Min Read
A pixelated Pakistan flag
Source: Muhammad Toqeer via Alamy Stock Photo

A Pakistan-linked cyber-espionage group has pivoted to a wider variety of legitimate software techniques in an attempt to bypass cybersecurity defenses, including targeting Linux as much as Windows and incorporating into its attacks legitimate cloud services, including Google Drive and Telegram.

The group, dubbed Transparent Tribe, historically has targeted government agencies and defense firms in India with cyberattacks that attempt to compromise Windows systems and Android devices. In its latest campaign, however, the group has favored Linux systems over Windows computers, with 65% of attacks using Linux Executable and Linkable Format (ELF) binaries that target India's homegrown MayaOS distribution.

The latest campaigns are not a departure in targeting, since the group in the past has been laser-focused on compromising India's government, military, and private industry, says Ismael Valenzuela, vice president of threat intelligence and research at cybersecurity firm BlackBerry.

"Over the years, the group has targeted other nations [and] regions beyond India — namely the US, Europe, and Australia — however, its primary target seemingly remains as India," he says. "The group has heavily leveraged lures associated to target the Indian government or its various governing bodies of the nation."

The South Asia region has an active cyber-threat landscape. The India-linked Sidewinder group has targeted Pakistan in the past, but also Turkey and China, while the Patchwork group has targeted Pakistanis through seeding the Google Play store with malicious Android apps. The China-linked Evasive Panda group has targeted Tibetan nationals in India and the United States, while another group, dubbed ToddyCat, has targeted groups in Vietnam and Taiwan.

Transparent Tribe, also known as APT36 and Earth Karkaddan, has previously used romance scams to distribute the CapraRAT Android malware against target Indian government officials with information on the Kashmir region. Meanwhile, Pakistan has strived to improve its cybersecurity posture, steering $18 million in funding for cybersecurity research and adding $36 million to its budget to develop better cybersecurity technical capabilities.

The Tribe Adds Linux to Its Targets

Overall, Transparent Tribe is not considered to be very sophisticated, but has had good success by mixing up its tactics. The latest attacks include multiple cross-platform programming languages, the abuse of legitimate services, a variety of payloads and infection vectors, and the use of new delivery mechanisms, Valenzuela says.

The group's use of cross-platform programming languages — including Python, Golang, and Rust — allows it to create programs for both Windows and Linux, an important capability since India's military widely uses its MayaOS Linux distribution. The latest attack uses ELF binaries to distribute a Python-based downloader, which leads to a Linux-based exfiltration utility, BlackBerry stated in its analysis.

"These ELF binaries had minimal detections on VirusTotal likely due to their lightweight nature and dependency on Python," the analysis stated.

Transparent Tribe has played with Linux compromises for at least a year, according to other security firms. In certain situations, Transparent Tribe appears to target Linux systems using a "desktop entry file" that appears to be a Microsoft Office document, Zscaler stated in a September 2023 analysis. Desktop entry files provide information and commands that Linux desktop systems use to take actions after a user selects a menu item.

"The utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before," Zscaler stated in the 2023 analysis. "This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples — all of which have [zero] detection on VirusTotal."

Past samples have included Android malware, but BlackBerry has not seen any sign of Android targets in the latest campaigns.

Dressing Malware in Legitimate Trappings

Transparent Tribe uses legitimate tools and services as part of its attack infrastructure, extending the living-off-the-land trend. The group uses email and compromised websites to host files, but also employs Google Drive to bypass checks of compromised domains. The use of VoIP and instant messenger apps like Discord and Telegram appears to be a new approach, BlackBerry's Valenzuela says.

"If a service, tool, [or] software can be misused, it could become a vector of compromise or part of the attack chain — this could enable an APT group to seemingly fly under the radar and, from a networking perspective, hide in plain sight," he says. "The weaponization of legitimate tooling is not a new phenomenon, with many commodity TAs [threat actors] and APT groups leveraging seemingly benign and legitimate tools illicitly for their own gain and goals."

While other groups have targeted Windows systems using ISO images — which typically appear as disks to the operating system — Transparent Tribe only started using ISO images toward the end of 2023, according to BlackBerry.

The ISO images discovered by BlackBerry used one of two PDF lures: a document discussing staff changes to the military's pension system and another discussing a loan application for army personnel. Both ISOs, however, delivered a Python-based Telegram bot that attempted to compromise targets using Windows portable executable (PE) files.

"While this is a common technique in the wider threat landscape," Valenzuela says, "it appears to be the first time this group has adopted [ISO images] as part of their attack chain."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights