Transparent Tribe


Thursday, August 27th, 2020 |

Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is an APT group that has been active since at least 2013 and frequently targets Indian military and government personnel. Its targeting follows consistent patterns, typically malicious documents with embedded macros. Its primary malware, known as Crimson RAT, is a custom .NET RAT; over the years the group has also used a Python-based RAT known as Peppy.

In the past year the group has started targeting Afghanistan with newer tools. Crimson Server is the main operator-side tool the APT uses to manage remote file systems, take screenshots, conduct audio/video surveillance, steal media, log keystrokes, steal passwords from browsers, and spread the implant. Two versions of Crimson Server exist, which suggests a structured development process. The next part of this discovery is the previously speculated USBWorm component, which is more than a plain USB infector. It downloads and executes the "thin" version of the Crimson client, infects removable drives with a copy of USBWorm itself, and steals files of interest. It also hides itself among the drive's directories by mimicking the Windows folder icon, tricking the user into executing it.
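The folder-icon trick above is easy to hunt for on a suspect removable drive: an executable sitting beside a directory of the same name is the signature of the lure. The script below is an added example and not code from the original post or from the Kaspersky report it summarises; the function names and the sample drive layout it constructs are hypothetical, and it generalises the check to any Windows double-click-executable extension rather than only `.exe`.

```python
"""Hunt for executables masquerading as folders on a removable drive.

Added example, not code from the original post or the report it summarises.
Assumes the lure described above: the worm drops an executable carrying a
folder icon next to (or in place of) a directory with the same name.
Helper names and the sample directory tree are hypothetical.
"""
import os
import stat
import tempfile
from pathlib import Path

# Extensions Windows will run on double-click even when the icon looks like a folder.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}


def is_hidden(path: Path) -> bool:
    """True if the entry carries the Windows hidden attribute (dot-prefixed elsewhere)."""
    try:
        attrs = path.stat().st_file_attributes  # only present on Windows
    except AttributeError:
        return path.name.startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_folder_masquerades(root: Path):
    """Return executables whose stem matches a sibling directory name.

    Each finding is (executable path, twin directory path, twin hidden?).
    A hidden twin directory is the stronger signal: the worm hides the real
    folder so that only the lure remains visible to the user.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}  # NTFS/FAT are case-insensitive
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.suffix.lower() not in EXECUTABLE_EXTENSIONS:
                continue
            twin = dirs_by_lower.get(candidate.stem.lower())
            if twin is None:
                continue
            twin_path = Path(dirpath) / twin
            findings.append((candidate, twin_path, is_hidden(twin_path)))
    return findings


def build_sample_drive() -> Path:
    """Construct a throwaway tree mimicking an infected USB stick (constructed sample, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx").write_bytes(b"PK\x03\x04")
    (root / "Documents.exe").write_bytes(b"MZ")  # the lure: folder icon, same name as the real folder
    (root / "Photos").mkdir()
    (root / "notes.txt").write_text("benign")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for exe, twin, hidden in find_folder_masquerades(drive):
        print(f"SUSPECT {exe}  (twin directory {twin.name}, hidden={hidden})")
```

Run it against the mount point of the drive instead of the constructed sample to triage a real stick; on Windows the hidden-attribute check distinguishes a deliberately concealed twin from an ordinary name clash.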

This APT has shown that it is willing to invest in its tooling to further campaigns against military and diplomatic targets, backed by substantial infrastructure. It continues to use Crimson as its main espionage RAT, and its trajectory suggests further development. See the link below for the full article and IOCs.


Sources:
