Recent research has revealed that cybercriminals with potential links to Pakistan are employing social engineering tactics as part of a sophisticated espionage campaign targeting organizations in India. Social engineering has become a central element of the group's efforts to compromise its targets.

The cyberattacks are attributed to a group known as Transparent Tribe, also referred to as Operation C-Major, APT36, and Mythic Leopard. This group has been observed creating counterfeit domains that closely resemble those of legitimate Indian military, defense, and file-sharing sites, enabling them to distribute malicious software.
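The lookalike-domain tactic described above is something defenders can screen for at the point where new domain names first appear (for example in DNS resolver logs or proxy logs). The following Python script is an added example, not code from the article or from Cisco Talos; every domain name in it is constructed for illustration and does not refer to any real site. It compares each observed domain against a short allow-list of trusted domains and flags three patterns: a trusted label reused as a subdomain of an unrelated domain, a trusted label embedded in a longer label, and labels within a small edit distance after simple homoglyph normalisation.

```python
"""Flag observed domains that imitate a short list of trusted domains.

Added example; all names below are constructed placeholders.
"""
from __future__ import annotations

# Constructed allow-list: domains the organisation considers legitimate.
TRUSTED = {
    "defence-portal.example",
    "army-files.example",
    "fileshare-corp.example",
}

# Constructed "newly observed" domains, e.g. pulled from DNS logs.
SAMPLE_OBSERVED = [
    "defence-portal.example",                         # legitimate, exact match
    "defence-p0rtal.example",                         # digit zero for letter o
    "defence-portal.example.files-download.example",  # trusted name as subdomain
    "army-files-login.example",                       # trusted label plus extra word
    "armyfiles.example",                              # hyphen dropped
    "unrelated-news.example",                         # should not be flagged
]

# Character substitutions that make one label look like another.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case a label and undo common look-alike substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'army-files' for 'army-files.example'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, trusted=TRUSTED, max_distance: int = 2) -> str | None:
    """Return a reason string if `domain` imitates a trusted domain, else None."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None  # exact match with a trusted domain
    labels = domain.split(".")
    sld_norm = normalize(registrable_label(domain))
    for t in sorted(trusted):
        t_sld = normalize(registrable_label(t))
        # 1. Trusted label used as a subdomain of some other registrable domain.
        if t_sld in labels[:-2]:
            return f"trusted label '{t_sld}' used as subdomain of {'.'.join(labels[-2:])}"
        # 2. Trusted label embedded in a longer label (e.g. extra '-login').
        if t_sld != sld_norm and t_sld in sld_norm:
            return f"embeds trusted label '{t_sld}' ({t})"
        # 3. Same label after normalisation (different TLD or homoglyphs),
        #    or within a small edit distance of it.
        d = levenshtein(sld_norm, t_sld)
        if d == 0:
            return f"same label as {t} after homoglyph normalisation / different TLD"
        if d <= max_distance:
            return f"edit distance {d} from {t}"
    return None


def scan(domains) -> dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    results = {}
    for d in domains:
        reason = classify(d)
        if reason:
            results[d] = reason
    return results


if __name__ == "__main__":
    for name, why in scan(SAMPLE_OBSERVED).items():
        print(f"{name}: {why}")
```

The edit-distance threshold and the homoglyph table are deliberately small; in practice the allow-list would hold the organisation's own brands and partner domains, and anything flagged would feed a blocklist or an analyst queue rather than be acted on automatically.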

Initially focused on military and defense personnel, Transparent Tribe has expanded its scope, now targeting diplomatic missions, defense contractors, research institutions, and attendees of conferences. Researchers from Cisco Talos have noted this evolution, stating that the group is diversifying its victim profile to enhance its operational effectiveness.

The fraudulent domains are primarily utilized to distribute various malicious documents, including those associated with CrimsonRAT and ObliqueRAT. The group has incorporated new phishing strategies, deploying lures such as resume files and conference agendas, thereby increasing the sophistication of their attacks. APT36 was previously linked to a campaign that used seemingly harmless images on infected websites to deploy ObliqueRAT on Windows systems.

Distinct from attacks utilizing CrimsonRAT, ObliqueRAT infections typically leverage compromised websites to deliver payloads, rather than embedding malware directly within documents. Notably, researchers uncovered that the adversaries hosted ObliqueRAT on the legitimate site of the Indian Industries Association, while also fabricating websites similar to established entities in the Indian subcontinent using HTTrack, an open-source website copier.

One particular counterfeit site has been identified as masquerading as an information portal for India’s 7th Central Pay Commission, where it encourages victims to complete a form to download a personal guide that executes CrimsonRAT once macros are enabled in the downloaded spreadsheet. Additionally, another rogue domain impersonates the Indian think tank Center For Land Warfare Studies (CLAWS).

According to the researchers, Transparent Tribe heavily relies on malicious documents to propagate its Windows-based malware. While CrimsonRAT remains a primary component of their toolkit, the emergence and rapid dissemination of ObliqueRAT in early 2020 signal a strategic expansion of their malware capabilities.

This group’s adaptability, from broadening their victim base to refining their malware arsenal and enhancing their social engineering techniques, underscores a deliberate effort to cultivate an appearance of legitimacy within their operations. While their tactics and techniques have remained largely unchanged since 2020, the inclusion of diverse lures illustrates their ongoing reliance on social engineering to facilitate successful attacks.
