Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions

14-04-2023

The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT.

While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical.

“Crimson RAT is a consistent staple in the group’s malware arsenal the adversary uses in its campaigns,” SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News.

Last month, ESET attributed Transparent Tribe to a cyber espionage campaign aimed at infecting Indian and Pakistani Android users with a backdoor called CapraRAT.

An analysis of Crimson RAT samples has revealed the presence of the word “Wibemax,” corroborating a previous report from Fortinet. While the name matches that of a Pakistani software development company, it’s not immediately clear if it shares any direct connection to the threat actor.

The documents analyzed by SentinelOne feature education-themed content and file names such as "assignment" or "Assignment-no-10," and use malicious macro code to launch Crimson RAT. A second delivery method relies on OLE embedding to stage the malware.

In the OLE variant, the document tricks users into double-clicking an embedded graphic to view the content, which activates an OLE package that stores and executes Crimson RAT while masquerading as an update process.
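Both delivery paths described above leave traces in the document container itself: a VBA project for the macro route and an embedded object for the OLE route. The following triage helper, an added example not taken from the SentinelOne report, checks an Office Open XML file for either; the sample documents it builds are constructed placeholders, not real samples, and the paths it looks for are standard OOXML locations rather than campaign-specific indicators.

```python
import io
import zipfile

# Standard OOXML locations for a VBA project and for embedded OLE packages
# (docx/xlsx/pptx). These are format conventions, not sample-specific IoCs.
MACRO_MARKER = "vbaproject.bin"
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def triage_office_doc(data: bytes) -> dict:
    """Summarise risky components in an OOXML file given as raw bytes.
    Legacy binary formats (.doc/.xls) are not zip containers: 'not_ooxml'."""
    result = {"has_macros": False, "embedded_objects": [], "not_ooxml": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["not_ooxml"] = True
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(MACRO_MARKER):
                result["has_macros"] = True
            if lower.startswith(EMBED_DIRS):  # embedded OLE object/package
                result["embedded_objects"].append(name)
    return result


def is_suspicious(data: bytes) -> bool:
    """Flag documents carrying either a macro project or embedded OLE objects."""
    summary = triage_office_doc(data)
    return summary["has_macros"] or bool(summary["embedded_objects"])


def build_sample_doc(with_macro: bool, with_embedding: bool) -> bytes:
    """Constructed minimal docx-like container for offline testing; the
    payload bytes are placeholders, not a real embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder-macro-storage")
        if with_embedding:
            zf.writestr("word/embeddings/oleObject1.bin", b"placeholder-ole")
    return buf.getvalue()


if __name__ == "__main__":
    for macro, embed in ((False, False), (True, False), (False, True)):
        doc = build_sample_doc(macro, embed)
        print(f"macro={macro} embed={embed} -> {triage_office_doc(doc)}")
```

A hit from this check is a triage signal, not a verdict: legitimate documents also carry macros and embedded objects, so flagged files should go on to sandboxing or analyst review.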

Crimson RAT variants have also been observed to delay their execution for a fixed period of between one and four minutes, and to apply various obfuscation techniques using tools such as Crypto Obfuscator and Eazfuscator.


Source: https://thehackernews.com/