Pakistan-Linked Hackers Launch Cross-Platform Malware Attacks on Indian Targets

The Pakistan-nexus Transparent Tribe actor known as Transparent Tribe has been linked to a series of malware attacks targeting the Indian government, defence, and aerospace sectors. This group, also referred to as APT36, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM, is active since at least 2013. The latest wave of their activities spanned from late 2023 to April 2024, with indications that the campaign is ongoing, according to a recent report by the BlackBerry Research and Intelligence Team.

The attackers primarily carried out the campaign through spear-phishing emails and utilized malware written in Python, Golang, and Rust. This sophisticated malware targeted three companies, all critical stakeholders and clients of the Department of Defense Production (DDP) headquartered in Bengaluru, India. We currently do not know the specific names of these firms. However, some reports claim that the targets included Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited. These companies are prominent players in the aerospace and defence sectors.

Pakistan-Linked Hackers Launch Cross-Platform Malware Attacks on Indian Targets

One of the notable aspects of this campaign is its abuse of legitimate online services such as Discord, Google Drive, Slack, and Telegram. This tactic underscores how cyber attackers are increasingly leveraging popular platforms to distribute their malicious payloads and evade detection. By embedding their attacks within these well-known services, Transparent Tribe enhances the credibility of their phishing emails, making it more likely that targets will be tricked into downloading and executing the malware.

The attack methodology involved sending spear-phishing emails with malicious links or ZIP archives containing ELF binaries. They specifically chose these binaries due to the Indian government’s reliance on Linux-based operating systems. Once they achieved the targets, the attackers deployed various malware families, including different versions of GLOBSHELL, a Python-based information-gathering tool previously documented in attacks on Indian government systems.

Other malware used by Transparent Tribe includes CapraRAT, CrimsonRAT, ElizaRAT, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo. Notably, a freelance developer group based in Lahore, Pakistan, links to Stealth Mango and Tangelo. According to mobile security firm Lookout, at least one government employee from this group moonlights as a mobile app developer.

A freelance developer group based in Lahore, Pakistan, links to Stealth Mango and Tangelo.

The group used ISO images to deploy a Python-based remote access trojan (RAT) that communicates with a command-and-control (C2) server via Telegram. This technique, first noticed in October 2023, represents an evolution in their phishing tactics. Additionally, the analysis revealed the presence of a Golang-compiled “all-in-one” program capable of file exfiltration, screenshot capture, file upload and download, and command execution. This tool, a modified version of the open-source Discord-C2 project, receives instructions from Discord and delivers them through an ELF binary downloader within a ZIP archive.

Further investigation by BlackBerry revealed the use of several other tools and scripts, such as (a bash version of GLOBSHELL), (an open-source C2 framework called Sliver), (a script for gathering files from a connected USB drive), and various Windows executables like afd.exe, win_hta.exe, and win_service.exe, which are different versions of GLOBSHELL.

The persistent targeting of critical sectors vital to India’s national security by Transparent Tribe highlights the ongoing threat posed by this group. Their ability to adapt and evolve their tactics, techniques, and procedures (TTPs) over time demonstrates their sophistication and determination. As they continue to refine their methods and exploit legitimate online services, we cannot overstate the importance of robust cybersecurity measures and constant vigilance.

See Also: Pro-Hamas Hackers Using BiBi Malware Target Israeli Companies

PTA Taxes Portal

Find PTA Taxes on All Phones on a Single Page using the PhoneWorld PTA Taxes Portal

Explore NowFollow us on Google News!

Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Get Alerts!

PhoneWorld Logo

Join the groups below to get the latest updates!

💼PTA Tax Updates
💬WhatsApp Channel