Researchers probe RAT cyber attackers
An investigation into an ongoing campaign launched by a group known as Transparent Tribe to distribute the Crimson Remote Access Trojan (RAT) has revealed that the attacks started with malicious Microsoft Office documents being sent to the victims through the use of spear-phishing emails.
In only a year Kaspersky researchers found more than 1 000 targets across 30 countries.
The research also revealed previously unknown components of Crimson RAT, indicating that it is still under development. These are among the findings from the first part of the investigation.
Transparent Tribe, also known as ProjectM and Mythic Leopard, is a prolific group that is well-known in the cybersecurity industry for its massive espionage campaigns. Its activity can be traced back as far as 2013.
Its favourite method of infection is malicious documents with an embedded macro; and its main malware is a custom .net rat, publicly known as Crimson Rat.
This tool, composed of different components, allows the attacker to perform multiple activities on infected machines; from managing remote file systems and capturing screenshots to perform audio surveillance using microphone devices, record video streams from webcams and steal files from removable media.
While the group’s tactics and techniques have remained consistent over the years, the research has shown that the group has constantly created new programmes for specific campaigns.
Last year the researchers spotted a .net file that was detected by the company’s products as Crimson Rat. A deeper investigation, however, has shown that it was something different; a new server-side Crimson Rat component used by the attackers to manage infected machines.
Coming in two versions, it was compiled in 2017, 2018 and 2019, indicating that this software is still under development and the Advanced Packaging Tool (APT)group is working on improving it.
Considering all components that have been detected between June 2019 and June 2020, researchers have found 1 093 targets across 27 countries; most affected being Afghanistan, Pakistan, India, Iran, and Germany.
Security expert at Kaspersky Giampaolo Dedola says their investigation indicates that Transparent Tribe continues to run a high amount of activity against multiple targets.
“In the last 12 months we observed a broad campaign against military and diplomatic targets, using big infrastructure to support its operations and continuous improvements in its arsenal. The group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don’t expect any slowdown from this group in the near future and we’ll continue to monitor its activities.” Dedola adds.