Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Transparent Tribe: Evolution analysis, part 2
Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Transparent Tribe: Evolution analysis, part 2
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 12,787
Threads: 8,835
Thanks Received: 8,729 in 6,890 posts
Thanks Given: 9,631
Joined: 12 September 18
#1
Bug  26 August 20, 18:03
Quote:
[Image: sl_transparent_tribe_p2_03.png]

Background + Key findings

Transparent Tribe, also known as PROJECTM or MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. In the last four years, this APT group has never taken time off. They continue to hit their targets, which typically are Indian military and government personnel.

This is the second of two articles written to share the results of our recent investigations into Transparent Tribe. In the previous article, we described the various Crimson RAT components and provided an overview of impacted users. Here are some of the key insights that will be described in this part:
  • We found a new Android implant used by Transparent Tribe for spying on mobile devices. It was distributed in India disguised as a porn-related app and a fake national COVID-19 tracking app.
  • New evidence confirms a link between ObliqueRAT and Transparent Tribe.
Android implant

During our analysis, we found an interesting sample, which follows a variant of the previously described attack scheme. Specifically, the attack starts with a simple document, which is not malicious by itself, does not contain any macro and does not try to download other malicious components, but it uses social engineering tricks to lure the victim into downloading other documents from the following external URLs:

hxxp://sharingmymedia[.]com/files/Criteria-of-Army-Officers.doc
hxxp://sharingmymedia[.]com/files/7All-Selected-list.xls
The remote files are two Microsoft Office documents with an embedded malicious VBA, which behaves similarly to those described in the previous article and drops the Crimson “Thin Client”. The domain sharingmymedia[.]com was even more interesting: it was resolved with the IP 89.45.67[.]160 and was registered on 2020-01-10 using Namesilo and the following information:

Registrant Name: bluff hunnter
Registrant Organization:
Registrant Street: India Dehli
Registrant City: Dehli
Registrant State/Province: Delhi
Registrant Postal Code: 110001
Registrant Country: IN
Registrant Phone: +91.4214521212
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: hunterbluff007@gmail.com

The same information was used to register another domain, sharemydrives[.]com, which was registered seven days before, on 2020-01-03, using Namesilo. DNS resolution points to the same IP address: 89.45.67[.]160.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Advanced SystemCare PRO 17
Advanced SystemCare ...zevish — 10:04
How to install iOS 16 or iPadOS 16 publ...
IPhone X I Just buyi...thomasan — 08:30
Brave 1.65.114
Release Channel 1....harlan4096 — 06:53
Brave Search: Answer with AI takes over,...
Brave Search's new...harlan4096 — 06:33
Waterfox G6.0.12
Waterfox G6.0.12​ ...harlan4096 — 15:56

[-]
Birthdays
Today's Birthdays
avatar (47)oapedDow
avatar (40)Sanchowogy
Upcoming Birthdays
avatar (43)wapedDow
avatar (42)techlignub
avatar (41)Stevenmam
avatar (48)onlinbah
avatar (49)steakelask
avatar (43)Termoplenka
avatar (41)bycoPaist
avatar (47)pieloKat
avatar (41)ilyagNeexy
avatar (49)donitascene
avatar (49)Toligo
avatar (36)RobertUtelt

[-]
Online Staff
There are no staff members currently online.

>