An espionage campaign is targeting military and government-related personnel, according to researchers at cybersecurity firm Kaspersky.

The firm in 2019 began an investigation into an ongoing campaign launched by a group known as Transparent Tribe to distribute the Crimson Remote Access Trojan (RAT).

Threat actors

According to Kaspersky, the group, also known as PROJECTM and MYTHIC LEOPARD, is a prolific threat actor, well known in the cybersecurity industry for its large-scale espionage campaigns.

The cyberattacks investigated by the firm involved sending spear-phishing emails carrying malicious Microsoft Office documents to the victims. Between June 2019 and June 2020, researchers identified 1,093 targets across 27 countries. The most affected nations were Afghanistan, Pakistan, India, Iran, and Germany, Kaspersky said.

“The research also revealed new, previously unknown components of Crimson RAT, indicating that it is still under development,” it said.

Methods

The group uses a custom .NET RAT, commonly known as Crimson RAT. The tool gives the attacker access to the infected device and supports a range of activities, including managing the remote file system, capturing screenshots, conducting audio surveillance through the microphone, recording video streams from webcams, and stealing files from removable media attached to the device.

During the investigation, Kaspersky researchers spotted a .NET file which, on analysis, turned out to be a previously unknown server-side Crimson RAT component used by the attackers to manage infected machines.

According to the report, the malware was compiled in 2017, 2018 and 2019 in two different versions, indicating that the software is still under development.

“Our investigation indicates that the Transparent Tribe continues to run a high amount of activity against multiple targets. During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal. The group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don't expect any slowdown from this group in the near future and we’ll continue to monitor its activities,” said Giampaolo Dedola, a security expert at Kaspersky.

The cybersecurity firm has provided detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers on its Kaspersky Threat Intelligence Portal.
