Pakistani hackers linked to Transparent Tribe target Indian educational institutions to steal data
An advanced persistent threat (APT) group called Transparent Tribe has been observed conducting a new kind of phishing campaign aimed at students at educational institutes in India since December 2021. In an advanced persistent threat attack, an intruder or a group of threat actors establishes a prolonged cyber attack by gaining access to a network and remaining undetected by the authorities.
According to a source, APT attackers are conducting new campaigns to widen their reach. Activity tracked as APT36, Operation C-Major, PROJECTM, Mythic Leopard and Transparent Tribe is all suspected to be the work of Pakistani hackers seeking access to India-based government entities.
Top Indian cyber security researchers first observed these attacks on the Indian educational sector in May 2022, which they described as a deviation from the group's usual targets. According to a source, Cisco Talos's security researchers said, “The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state. APTs will frequently target individuals at universities and technology research organizations in order to establish long-term access to siphon off data related to ongoing research projects.”
The cybersecurity researchers said that the attacker generally delivers a maldoc, a malicious Office document, to the targets either as an attachment or via a link in a phishing email. Once the target opens the link or the downloaded maldoc, it deploys the CrimsonRAT malware. Because the maldoc arrives as an apparently legitimate file or email, the victim is tricked into opening it, and the malware then infects the device on which it was opened.
Researchers said, “Transparent Tribe's email lures try to appear as legitimate as possible with pertinent content to convince the targets into opening the maldocs or visiting the malicious links provided.”
CrimsonRAT establishes long-term access to the victim's network, giving the operators enough time to exfiltrate data to a remote server. The threat actors then use the institution's compromised devices to steal browser credentials, record keystrokes, take screenshots of sensitive information, and execute arbitrary commands.
Reportedly, in June 2021, a Pakistani web hosting service provider named Zain Hosting registered education-themed domains on which the decoy documents were hosted. However, security researchers say, “The entire scope of Zain Hosting's role in the Transparent Tribe organization is still unknown. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.”