SEQRITE Uncovers Persistent Threat Group Targeting Indian Army and Education Sector

SEQRITE, the enterprise arm of Quick Heal Technologies, has detected a new wave of cyberattacks orchestrated by the notorious APT Transparent Tribe (APT36) against the Indian Army and the education sector. These targeted campaigns highlight the urgency for organizations to remain vigilant and implement robust cybersecurity measures.

The APT Team at SEQRITE has been closely monitoring the activities of Transparent Tribe, a persistent threat group active since 2013 and believed to operate from Pakistan, and has discovered its latest attack campaign targeting India. The group is using a malicious file titled “Revision of Officers posting policy” to lure Indian Army personnel into compromising their own systems. The file is disguised as a legitimate document but carries an embedded malicious payload.

Furthermore, the APT Team has also observed an alarming increase in the targeting of the education sector by the same threat actor. Since May 2022, Transparent Tribe has been focusing on infiltrating prestigious educational institutions such as the Indian Institutes of Technology (IITs), National Institutes of Technology (NITs), and business schools. These attacks have intensified in the first quarter of 2023, reaching their peak in February.

A sub-group of Transparent Tribe, known as SideCopy, has also been observed targeting an Indian defence organization. In this case the actor was seen testing a domain that hosts a malicious file, potentially to be used as a phishing page aimed at tricking victims into disclosing sensitive information.

According to the key findings, APT36 used malicious PPAM files (PowerPoint macro-enabled add-ins) masquerading as “Officers posting policy revised final.” The PPAM format is abused to conceal archive files as embedded OLE objects, hiding the malware inside a document that looks legitimate. The infection chain ends with the deployment of Crimson RAT, a .NET-based remote access tool capable of executing a wide array of commands and maintaining long-term persistence on compromised systems. Crimson RAT and Capra RAT are the payloads most commonly deployed by Transparent Tribe (APT36), which continually refines and upgrades these tools to maximize their effectiveness.
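The two traits described above (a VBA project plus an embedded OLE object that actually wraps an archive) can be checked statically, because a PPAM is an ordinary OOXML zip package: the macro project lives at ppt/vbaProject.bin and embedded objects under ppt/embeddings/. The triage script below is an added example written for this page, not SEQRITE's tooling or any sample from the campaign; it assumes only that standard OOXML layout, and the "malicious-style" and "benign" packages it inspects are constructed in memory as stand-ins, with a plain text file in place of a real dropped executable.

```python
"""Static triage of a PowerPoint macro-enabled add-in (.ppam / .pptm).

Reports whether the package carries a VBA project and whether any embedded
OLE object contains an archive signature, without executing anything.
"""
import io
import zipfile

# Magic bytes of archive formats that might be smuggled inside an OLE object.
ARCHIVE_MAGIC = {
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "7z": b"7z\xbc\xaf\x27\x1c",
}
# Header of an OLE compound file (the container used for embedded objects).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_archive(blob: bytes):
    """Return (format, offset) of the earliest archive signature in blob, or None.

    An OLE-wrapped file keeps the payload's raw bytes inside the compound
    file, so the whole blob is searched rather than only its first bytes.
    """
    best = None
    for fmt, magic in ARCHIVE_MAGIC.items():
        off = blob.find(magic)
        if off != -1 and (best is None or off < best[1]):
            best = (fmt, off)
    return best


def triage_ppam(data: bytes) -> dict:
    """Inspect an OOXML package held in memory and return a findings dict."""
    report = {"has_vba": False, "embedded": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        report["has_vba"] = "ppt/vbaProject.bin" in names
        for name in names:
            if not name.startswith("ppt/embeddings/"):
                continue
            blob = pkg.read(name)
            hit = find_archive(blob)
            report["embedded"].append({
                "name": name,
                "is_ole": blob.startswith(CFB_MAGIC),
                "archive": hit[0] if hit else None,
                "offset": hit[1] if hit else None,
            })
    # Macros plus an archive hidden in an embedded object is the pattern of interest.
    report["suspicious"] = report["has_vba"] and any(
        e["archive"] for e in report["embedded"]
    )
    return report


def _make_inner_zip() -> bytes:
    """Constructed stand-in for an archive smuggled inside an OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.txt", "constructed stand-in for a dropped executable")
    return buf.getvalue()


def build_sample_ppam(hide_archive: bool) -> bytes:
    """Constructed sample: a minimal OOXML package with a VBA project stub and
    one embedded OLE object. Not a real document from the campaign."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>"
    )
    ole_payload = _make_inner_zip() if hide_archive else b"harmless embedded bytes"
    # 512-byte compound-file header stub followed by the wrapped payload.
    ole_object = CFB_MAGIC + b"\x00" * 504 + ole_payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("ppt/vbaProject.bin", CFB_MAGIC + b"\x00" * 64)  # stub, no code
        z.writestr("ppt/embeddings/oleObject1.bin", ole_object)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious-style", True), ("benign", False)):
        print(label, triage_ppam(build_sample_ppam(flag)))
```

To run it against a real file, pass the file's bytes to `triage_ppam`; a package that has both a VBA project and an archive signature inside an embedded object is flagged for closer inspection (for example extracting the object and examining what the macro does with it), while a macro-enabled file with only benign embeddings is not.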

SEQRITE also recommends a set of preventive measures: exercise caution when opening email attachments or downloading files, especially unsolicited ones or those from untrusted sources; regularly update security software, operating systems and applications to protect against known vulnerabilities; implement robust email filtering and web security controls to detect and block malicious content; and educate employees and individuals about social engineering techniques and the importance of maintaining a strong security posture.

It is also advised to deploy multi-factor authentication (MFA) as an additional layer of protection for user accounts, to conduct regular security assessments and penetration tests so that vulnerabilities are identified and remediated proactively, and to establish incident response plans and procedures to minimize the impact of potential cyberattacks.

ITN
Today we live in a T-shaped world. While broad knowledge across the ecosystems is critical, deep insights and expertise of Subject Matter Experts help organizations leapfrog. At IndiaTechnologyNews, we cover much more than news, views and analysis, and we feature SMEs to help translate their knowledge to wider audiences. Reach me at editor@indiatechnologynews.in