Suspected Threat Actors: Transparent Tribe (AKA APT36, Mythic Leopard)
Researchers have observed a new campaign attributed to Transparent Tribe that targets the Indian government and military entities. The APT actor group used new stagers and implants alongside, their well-known choice of malware – CrimsonRAT. Active since at least June 2021, in this campaign the threat actor used their common tactic of leveraging fake domains impersonating governmental and related organizations to deliver malicious payloads. They used multiple payload delivery mechanisms which included malicious installers masquerading as legitimate applications, archive files, and maldocs to target Indian entities and individuals.
The infection chain resulted in the deployment of three different types of implants – two of them being previously unobserved:
The downloader executables were contained in different types of lures related to the Indian government and themed around topics such as COVID-19, resumes, and installers for government applications (Kavach multi-factor authentication application).
The use of new custom-made malware in addition to the commonly used RATs by the threat actor group, indicates they are expanding their malware portfolio likely to achieve a high rate of success. Another common trend, observed by researchers includes Transparent Tribe’s ability to quickly develop and deploy bespoke, small & lightweight stagers and downloaders – which can be modified or discarded with ease allowing quick and agile operations. These stagers and downloaders lead to the deployment of their actual implants which points toward their intent to maintain long-term access to targets’ networks and systems.
A highly active APT group in the Indian subcontinent, the Transparent Tribe primarily targets government and military personnel in Afghanistan and India. The use of multiple types of delivery mechanisms and file formats indicates that the group is aggressively trying to infect their targets.
A new campaign spotted by researchers reveals that instead of targeting Ukrainians, aim for Russian citizens and government entities. In this spear-phishing campaign, the email content suggested the threat actor’s target is individuals who are against the Russian government. Using an intimidating lure, the individuals are warned about the use of banned websites, social networks, instant messengers, and VPN services by the Russian government and criminals charges that will follow. The spear-phishing emails pretend to be from the Russian “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and “Federal Service for Supervision of Communications, Information Technology and Mass Communications”. Two of the documents observed by researchers in this campaign were designed to exploit the vulnerability CVE-2021-40444 using a new exploit variant called CABLESS. The emails observed had malicious RTF or archive files as an attachment or had a link in the email body that eventually lead to the Cobalt Strike infection.
Researchers have highlighted that although CVE-2021-40444 has been used by attackers in the past, the threat actor in this campaign used an RTF file instead of a Word document to exploit this vulnerability.
Similar activity has also been spotted by researchers that used similar lures, however, led by another threat actor. They suspect this activity potentially relates to Carbon Spider (AKA FIN7) and deployed a PowerShell-based RAT. This comes as no surprise as multiple threat actors including APT groups are trying to take advantage of the opportunity presented by the ongoing war in Ukraine.
Security experts have identified several vulnerabilities in popular Wyze Cam devices allowing outside attackers to widespread access to camera feeds and SD cards. The vulnerabilities include:
The CVE-2019-9564 allows for full control of a device, including the ability to control its motion, disable recording, turn the camera on or off, and more. While it does not allow read access to the live audio and video feed but when combined with CVE-2019-12266 the exploitation is straightforward.
It should be noted that the vulnerability disclosure timeline spans three years due to the vendor’s logistic and hardware limitations. Situations like these are concerning as malicious actors may have already found the flaw and exploited it during this period.
According to experts, most camera devices like these are managed by non-IT organizations that often do not have the training or budget to ensure all IoT devices run a secure version of the firmware. This results in long delays in releasing patches to critical flaw as compared to traditional IT system which further keeps an open attack window.