The Pakistan-nexus Transparent Tribe actor has been linked to a new set of attacks targeting Indian government, defense, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust.
“This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist,” the BlackBerry Research and Intelligence Team said in a technical report published earlier this week.
The spear-phishing campaign is also notable for its abuse of popular online services such as Discord, Google Drive, Slack, and Telegram, once again underscoring how threat actors are adopting legitimate programs into their attack flows.
According to BlackBerry, the targets of the email-based attacks included three companies that are crucial stakeholders and clients of the Department of Defense Production (DDP). All the three companies targeted are headquartered in the Indian city of Bengaluru.
While the names of the firms were not disclosed, indications are that the email messages targeted Hindustan Aeronautics Limited (HAL), one of the largest aerospace and defense companies in the world; Bharat Electronics Limited (BEL), a government-owned aerospace and defense electronics company; and BEML Limited, a public sector undertaking that manufactures earth moving equipment.
Transparent Tribe is also tracked by the larger cybersecurity community under the names APT36, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.
The adversarial collective, believed to be active since at least 2013, has a track record of conducting cyber espionage operations against government, military, and education entities in India, although it has also undertaken highly targeted mobile spyware campaigns against victims in Pakistan, Afghanistan, Iraq, Iran, and the United Arab Emirates.
Furthermore, the group is known to experiment with new methods of intrusion and has cycled through different malware over the years, iterating on their tactics and toolkit many times over to evade detection.
Some of the notable malware families put to use by Transparent Tribe include CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo, with the latter two linked to a freelance developer group based out of Lahore.
These developers are “available for hire” and “at least one government employee moonlights as a mobile app developer,” mobile security firm Lookout noted way back in 2018.
Attack chains mounted by the group involve the use of spear-phishing emails to deliver payloads using malicious links or ZIP archives, particularly focusing their efforts on distributing ELF binaries due to the Indian government’s heavy reliance on Linux-based operating systems.
The infections culminated in the deployment of three different versions of GLOBSHELL, a Python-based information-gathering utility that was previously documented by Zscaler in connection with attacks targeting the Linux environment within Indian government organizations. Also deployed is PYSHELLFOX to exfiltrate data from Mozilla Firefox.
BlackBerry said it also discovered bash script versions and Python-based Windows binaries being served from the threat actor-controlled domain “apsdelhicantt[.]in” –
- swift_script.sh, a bash version of GLOBSHELL
- Silverlining.sh, an open-source command-and-control (C2) framework called Sliver
- swift_uzb.sh, a script to gather files from a connected USB driver
- afd.exe, an intermediate executable responsible for downloading win_hta.exe and win_service.exe
- win_hta.exe and win_service.exe, two Windows versions of GLOBSHELL
In what’s a sign of Transparent Tribe’s tactical evolution, phishing campaigns orchestrated in October 2023 have been observed making use of ISO images to deploy the Python-based remote access trojan that uses Telegram for C2 purposes.
It’s worth pointing out that the use of ISO lures to target Indian government entities has been an approach observed since the start of the year as part of two possibly related intrusion sets – a modus operandi the Canadian cybersecurity company stated “had the hallmark of a Transparent Tribe attack chain.”
Further infrastructure analysis has also unearthed a Golang-compiled “all-in-one” program that has the capability to find and exfiltrate files with popular file extensions, take screenshots, upload and download files, and execute commands.
The espionage tool, a modified version of an open-source project Discord-C2, receives instructions from Discord and is delivered via an ELF binary downloader packed within a ZIP archive.
“Transparent Tribe has been persistently targeting critical sectors vital to India’s national security,” BlackBerry said. “This threat actor continues to utilize a core set of tactics, techniques, and procedures (TTPs), which they have been adapting over time.”