Kaspersky has today published its research about
an ongoing campaign by the APT group Transparent Tribe, which revealed
espionage activities against military and diplomatic targets. The
attacks started with malicious Microsoft Office documents being sent to
the victims through the use of spear-phishing emails. Researchers also
discovered new, previously unknown components of the Crimson Remote
Access Trojan (RAT), indicating that it is still under development.
Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a prolific group that is well-known in the cybersecurity industry for its massive espionage campaigns. The group's activity can be traced back as far as 2013, and Kaspersky has been following the group since 2016.
Transparent Tribe's favorite method of infection is malicious documents with an embedded macro. Their main malware is a custom .NET RAT publicly known as Crimson RAT. This tool is composed of different components, allowing the attacker to perform multiple activities on infected machines. This can include anything from managing remote file systems and capturing screenshots, to performing audio surveillance using microphone devices, recording video streams from webcams and stealing files from removable media.
While the group's tactics and techniques have remained consistent over the years, Kaspersky research has shown that the group has constantly created new programs for specific campaigns. During its exploration into the group's activities in the last year, Kaspersky researchers spotted a .NET file that was detected by the company's products as Crimson RAT. However, a deeper investigation has shown that it was something different: a new server-side Crimson RAT component used by the attackers to manage infected machines. Coming in two versions, it was compiled in 2017, 2018 and 2019, indicating that this software is still under development and the APT group is working on ways to improve it.
With the updated list of components used by Transparent Tribe, Kaspersky was able to observe the group's evolution and how it enhanced its activities by starting massive infection campaigns, developing new tools and increasing its attention on Afghanistan.
Overall, considering all components that have been detected between June 2019 and June 2020, Kaspersky researchers have found 1,093 targets across 27 countries. The most affected nations are Afghanistan, Pakistan, India, Iran and Germany.
Figure: Top 5 targeted countries from June 2019 to June 2020, distinct users
"Our investigation indicates that Transparent Tribe continues to run a high amount of activity against multiple targets," said Giampaolo Dedola, security expert at Kaspersky. "During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal. The group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don't expect any slowdown from this group in the near future and we'll continue to monitor its activities."
Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on the Kaspersky Threat Intelligence Portal.
For further details on the new exploits, see the full report on Securelist.
Learn more about this APT group's activity in the upcoming webinar "GReAT Ideas. Powered by SAS: advancing on new fronts - tech, mercenaries and more", which will take place on August 26 at 2 pm GMT. Register for free here: https://kas.pr/v1oj