Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of its operations as part of an evolving espionage campaign against Indian targets, according to new research.

The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other malicious domains posing as file-sharing sites to host malicious artifacts.

“While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting,” researchers from Cisco Talos said on Thursday.

These domains are used to deliver maldocs distributing CrimsonRAT, and ObliqueRAT, with the group incorporating new phishing, lures such as resume documents, conference agendas, and defense and diplomatic themes into its operational toolkit. It’s worth noting that APT36 was previously linked to a malware campaign targeting organizations in South Asia to deploy ObliqueRAT on Windows systems under the guise of seemingly innocuous images hosted on infected websites.

ObliqueRAT infections also tend to deviate from those involving CrimsonRAT in that the malicious payloads are injected on compromised websites instead of embedding the malware in the documents themselves. In one instance identified by Talos researchers, the adversaries were found to use the Indian Industries Association’s legitimate website to host ObliqueRAT malware, before setting up fake websites resembling those of legitimate entities in the Indian subcontinent by making use of an open-source website copier utility called HTTrack.

Another fake domain set up by the threat actor masquerades as an information portal for the 7th Central Pay Commission (7CPC) of India, urging victims to fill out a form and download a personal guide that, when opened, executes the CrimsonRAT upon enabling macros in the downloaded spreadsheet. In a similar vein, a third rogue domain registered by the attackers impersonates an Indian think tank called Center For Land Warfare Studies (CLAWS).

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” the researchers said. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

In expanding its victimology, switching up its malware arsenal, and designing convincing lures, the threat actor has exhibited a clear willingness to lend its operations a veneer of legitimacy in hopes that doing so would increase the likelihood of success.

“Transparent Tribe’s tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit,” the researchers said. “The variety of maldoc lures Transparent Tribe employs indicates the group still relies on social engineering as a core component of its operations.”