2022-04-06

APT36's Transparent Tribe Campaign


Industry: Government, Military | Level: Tactical | Source: Cisco Talos

Analysis from Cisco Talos covers the latest threat campaign, named Transparent Tribe, from the Pakistan-based threat group APT36 (aka Mythic Leopard). The campaign has been active since June 2021, targeting Indian government and military entities with the goal of establishing long-term access for cyber espionage. Various delivery methods have been used for initial access, including a fraudulent installer, distributed archive files, and malicious documents. Malicious documents were the group's main infection method in June and July 2021, often using COVID-19 themes. Payloads associated with the attack include CrimsonRAT, a Python-based stager for reconnaissance, and an additional .NET-based implant. A notable fraudulent installer masqueraded as Kavach, an effective lure because the tool is used by government personnel, who are led to download and execute the malicious MSI installer.

Anvilogic Use Cases:

  • Download exe|msi|bat Proxy
  • MSIExec Install MSI File
  • Compressed File Execution
  • Python Execution
  • Common Reconnaissance Commands
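As an added illustration (not from the Talos report or the Anvilogic platform), the following Python sketch shows how three of the use cases above (MSI install from a user-writable path, Python execution, reconnaissance commands) can be matched on process-creation events and then correlated per host, so that a chain like the one described (malicious MSI, Python stager, recon) raises a single alert. The event records, the `Kavach_setup.msi` file name, and the field names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry); fields are assumed.
EVENTS = [
    {"host": "ws1", "ts": 100, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\a\\Downloads\\Kavach_setup.msi" /qn'},
    {"host": "ws1", "ts": 130, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\python.exe",
     "cmdline": "python.exe stage.py"},
    {"host": "ws1", "ts": 160, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo & whoami & ipconfig /all"},
    # Benign-looking install from a vendor directory on another host.
    {"host": "ws2", "ts": 200, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Program Files\\Vendor\\update.msi /qn"},
]

RECON_CMDS = {"whoami", "systeminfo", "ipconfig", "hostname", "tasklist", "net"}

def use_cases(ev):
    """Return the set of use-case names a single event matches."""
    hits = set()
    cmd, img = ev["cmdline"].lower(), ev["image"].lower()
    # msiexec /i with the package sitting in Downloads/Temp/AppData
    if img.endswith("msiexec.exe") and re.search(r"/i\b", cmd) and \
       re.search(r"\\(downloads|temp|appdata)\\[^\"]*\.msi", cmd):
        hits.add("MSIExec Install MSI File")
    if "python" in img.rsplit("\\", 1)[-1]:
        hits.add("Python Execution")
    # two or more recon commands on one command line
    if len(set(re.findall(r"[a-z]+", cmd)) & RECON_CMDS) >= 2:
        hits.add("Common Reconnaissance Commands")
    return hits

def correlate(events, window=300, min_cases=2):
    """Alert per host when >= min_cases distinct use cases fire within window seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for uc in use_cases(ev):
            by_host[ev["host"]].append((ev["ts"], uc))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            cases = {uc for t, uc in hits[i:] if t - t0 <= window}
            if len(cases) >= min_cases:
                alerts[host] = cases
                break
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))  # only ws1 is reported
```

Tuning the path filter and the recon threshold to the environment is what keeps the vendor-directory install on ws2 from alerting while the chained behaviour on ws1 still does.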
