News By Wire

Transparent Tribe (APT36) – Pakistan-aligned threat actor expands interest in Indian education sector

SentinelLabs has been tracking a recently disclosed cluster of malicious Office documents that distribute the Crimson RAT used by the APT36 group (also known as Transparent Tribe) targeting the education sector.

Transparent Tribe is a suspected Pakistan-based threat group active since at least 2013. The group is not very sophisticated; however, it is a highly persistent threat actor that continuously adapts its operational strategy. Transparent Tribe has previously focused mainly on Indian military and government personnel, but it has recently expanded its scope to include educational institutions and students in the Indian subcontinent. Crimson RAT is a consistent staple of the malware arsenal the group uses in its campaigns.

The names and content of the lure documents, the associated domains, and the use of Crimson RAT suggest that Transparent Tribe’s activities are part of a previously reported broader targeting of the education sector by the adversary.

Further, the PDB paths of some Crimson RAT samples SentinelLabs analysed contain the word Wibemax, which is also contained in the PDB paths of Crimson RAT payloads observed in a previous Transparent Tribe campaign.

Wibemax matches the name of a Pakistani software development company, but at this time SentinelLabs has not identified a clear relationship to the adversary. It is worth noting that there are high-confidence assessments of Transparent Tribe involving third parties that support its operations, such as the Pakistani web hosting provider Zain Hosting.

This activity further supports the view that closely monitoring the research endeavours of adversary nations has become an important objective for Transparent Tribe, reflecting the role this activity plays in fulfilling the goals and aspirations of the authorities whose interests the group represents.

Key points

  • SentinelLabs has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe).
  • The team assesses that this activity is part of the group’s previously reported targeting of the education sector in the Indian subcontinent.
  • SentinelLabs observed APT36 introducing OLE embedding to its typically used techniques for staging malware from lure documents and versioned changes to the implementation of Crimson RAT, indicating the ongoing evolution of APT36’s tactics and malware arsenal.
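As an added defender-side illustration of the OLE-embedding staging technique referenced above (example code written for this page, not SentinelLabs' or the report's own tooling), the following Python triage check lists embedded OLE objects in an OOXML document by two independent indicators: binary parts under an embeddings/ folder that begin with the Compound File header, and relationship entries of the standard oleObject type. The minimal .docx it builds is a constructed test fixture, not a real lure.

```python
import io
import re
import zipfile

# Standard OOXML relationship type for an embedded OLE object (from the ECMA-376 schema).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 / Compound File Binary header


def find_ole_embeddings(package: bytes) -> list:
    """List OLE-embedding indicators in an OOXML package (.docx/.xlsx/.pptx bytes)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            # 1. Binary parts stored under an embeddings/ folder; CFB magic means a real OLE blob.
            if re.search(r"/embeddings/[^/]+$", name, re.I):
                data = z.read(name)
                kind = "cfb" if data.startswith(CFB_MAGIC) else "other"
                findings.append({"part": name, "kind": kind, "size": len(data)})
            # 2. Relationship entries that point at an OLE object, regardless of file extension.
            elif name.endswith(".rels"):
                xml = z.read(name).decode("utf-8", "replace")
                for rel in re.findall(r"<Relationship\b[^>]*>", xml):
                    rtype = re.search(r'Type="([^"]+)"', rel)
                    target = re.search(r'Target="([^"]+)"', rel)
                    if rtype and target and rtype.group(1) == OLE_REL_TYPE:
                        findings.append({"part": name, "kind": "rel", "target": target.group(1)})
    return findings


def has_ole_embedding(package: bytes) -> bool:
    """True if the package carries an OLE object by either indicator; a triage flag, not a verdict."""
    return any(f["kind"] in ("cfb", "rel") for f in find_ole_embeddings(package))


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal .docx for offline testing (hypothetical fixture, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if with_ole:
            rels += f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
        z.writestr("word/_rels/document.xml.rels", rels + "</Relationships>")
    return buf.getvalue()
```

A hit only says an OLE object is present; whether it is malicious still needs the embedded blob itself to be examined, and legitimate documents can embed OLE objects too.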

Conclusion

Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and targets. SentinelLabs’ analysis further demonstrates this characteristic of the group by spotlighting the adoption of OLE embedding as a technique for staging malware from lure documents and the Eazfuscator obfuscator to protect Crimson RAT implementations. Transparent Tribe’s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.

The full report that summarises SentinelLabs’ observations can be found online.

Media contact

Media contact name:

Irina Meier

Media contact business / organisation:

Eleven Hundred Agency
