Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]

ID: G0134
Associated Groups: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 02 September 2021
Last Modified: 25 October 2021

Associated Group Descriptions

Name: Description
COPPER FIELDSTONE: [4]
APT36: [3]
Mythic Leopard: [5][2][3]
ProjectM: [6][2]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[1][3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Transparent Tribe has crafted VBS-based malicious documents.[1][2]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Transparent Tribe has compromised domains for use in targeted malicious campaigns.[1]

Enterprise T1189 Drive-by Compromise

Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1568 Dynamic Resolution

Transparent Tribe has used dynamic DNS services to set up C2.[1]

Enterprise T1203 Exploitation for Client Execution

Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[2]

Enterprise T1027 Obfuscated Files or Information

Transparent Tribe has dropped encoded executables on compromised hosts.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[1][2][7][3][6]

Enterprise T1566 .002 Phishing: Spearphishing Link

Transparent Tribe has embedded links to malicious downloads in e-mails.[7][3]

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]

Enterprise T1204 .001 User Execution: Malicious Link

Transparent Tribe has directed users to open URLs hosting malicious content.[7][3]

Enterprise T1204 .002 User Execution: Malicious File

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[1][2][7][3][6]

Software

ID Name References Techniques
S0115 Crimson [1] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Removable Media, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Peripheral Device Discovery, Process Discovery, Query Registry, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Video Capture, Virtualization/Sandbox Evasion: Time Based Evasion
S0334 DarkComet [6] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0644 ObliqueRAT [7] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Data Staged: Local Data Staging, Data Transfer Size Limits, File and Directory Discovery, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0643 Peppy [6] Application Layer Protocol: Web Protocols, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Screen Capture