In the world of cybercrime, anyone can be a target. That goes specifically for malware operators as they don’t differentiate between victims as long as their profiting in the process. Usually, to earn big money or data, threat actors target reputable companies. But that’s not the case with Transparent Tribe.
Recent events show a different approach the advanced persistent threat (APT) group is targeting students in India with continuous phishing attacks.
The group that is suspected to be of Pakistani origin is known to strike government entities. So why the shift in operations? Why is it targeting educational institutions through students? We’ll discuss everything below.
Transparent Tribe – Several Aliases, One Goal
The number of ransomware attacks targeting schools and universities has been skyrocketing in the past couple of months. That’s mainly due to the fact that these institutions have low to no security measures implemented.
As a result, attackers can easily breach them and they struggle to recover after their networks have been hit. The adversary’s typical focus used to be on government entities.
However, as of recently, this focus shifted to include civilians as well. According to Cisco:
“This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users.”
The threat actors have had many aliases along the way. Cybersecurity firms have tracked them as APT36, Operation C-Major, PROJECTM, as well as Mythic Leopard.
Transparent Tribe started its operations back in 2013, and ever since, it’s been tracked by numerous security firms. Apparently, it’s of Pakistani origin.
The Malicious Campaign Kicks Off
India-based K7 Labs reported that the campaign started back in May and has infiltrated educational institutions in the Indian region. Based on what Cisco Talos researchers found:
“The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state. APTs will frequently target individuals at universities and technical research organizations in order to establish long term access to siphon off data related to ongoing research projects.”
The group works by sending phishing emails with an attachment – a typical phishing attack. This ultimately leads to the deployment of some sort of malware. In Transparent Tribe’s case, it’s none other than the malicious CrimsonRAT.
In this campaign, social engineering plays a huge role to obtain better success rates. Once they fall for the trick and CrimsonRAT takes root, the attackers will gain long-term access into victim networks as well as exfiltrate data of interest to a remote server.
As we mentioned, CrimsonRAT is dangerous due to several reasons, especially the capabilities it provides the attackers with. Once they deploy it, they can capture screenshots, steal browser credentials, record keystrokes, and execute arbitrary commands.
The fake documents come in the form of education-themed domains (e.g., “studentsportal[.]co”), with the infrastructure operated by a Pakistani web hosting services provider that goes by the name of Zain Hosting.
The ABCs of Cybercrime: A Not-So-Transparent Attack
Phishing campaigns are getting more popular as time goes by. So far, the cybersecurity firms tracking this campaign did not figure out the Transparent Tribe’s main intentions.
However, what starts with phishing can be stopped in its tracks by doing one thing – never click on the link within the email.
The attack requires you to download a malicious attachment. If you avoid that, you’ll avoid this entire predicament. Stay safe.