In January 2019, Kaspersky started an investigation into an ongoing campaign launched by a group known as Transparent Tribe to distribute the Crimson Remote Access Trojan (RAT). The attacks started with malicious Microsoft Office documents being sent to the victims through the use of spear-phishing emails. In only a year, researchers have found more than 1,000 targets across almost 30 countries. The research also revealed new, previously unknown components of Crimson RAT, indicating that it is still under development. These are among the findings from the first part of the investigation, published by Kaspersky.

Transparent Tribe (also known as PROJECTM and MYTHIC LEOPARD) is a very prolific group that is well-known in the cybersecurity industry for its massive espionage campaigns. Its activity can be traced back as far as 2013 and Kaspersky has had an eye on the group since 2016.

Its favorite method of infection is malicious documents with an embedded macro. Its main malware is a custom .NET RAT - publicly known as Crimson RAT. This tool is composed of different components, allowing the attacker to perform multiple activities on infected machines – from managing remote file systems and capturing screenshots to performing audio surveillance using microphone devices, recording video streams from webcams and stealing files from removable media.

While the group’s tactics and techniques have remained consistent over the years, Kaspersky research has shown that the group has constantly created new programs for specific campaigns. During its exploration into the group’s activities in the last year, Kaspersky researchers spotted a .NET file that was detected by the company’s products as Crimson RAT. A deeper investigation, however, has shown that it was something different – a new server-side Crimson RAT component used by the attackers to manage infected machines. Coming in two versions, it was compiled in 2017, 2018 and 2019, indicating that this software is still under development and the APT group is working on ways to improve it.

With the updated list of components used by Transparent Tribe, Kaspersky was able to observe the group’s evolution and how it stepped up its activities, started massive infection campaigns, developed new tools and increased its attention on Afghanistan.

Overall, considering all components that have been detected between June 2019 and June 2020, Kaspersky researchers have found 1,093 targets across 27 countries. The most affected nations are Afghanistan, Pakistan, India, Iran, and Germany.

[Figure] Top 5 targeted countries from June 2019 to June 2020, distinct users

“Our investigation indicates that Transparent Tribe continues to run a high amount of activity against multiple targets. During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal. The group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don't expect any slowdown from this group in the near future and we’ll continue to monitor its activities,” comments Giampaolo Dedola, security expert at Kaspersky.

Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on Kaspersky Threat Intelligence Portal.

To stay safe from the threat, Kaspersky recommends taking the following security measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.

For further details on the new exploits, see the full report on Securelist.

-Ends-

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com 


© Press Release 2020
