Cyber Web Spider Blog – News

Transparent Tribe Targets India’s Tech Startups

Posted on February 6, 2026 By CWS

India’s technology sector is facing a new cyber threat as the hacking group known as Transparent Tribe turns its attention towards the country’s burgeoning startup ecosystem. Previously focused on government entities, the Pakistan-based group is now targeting firms in cybersecurity and intelligence, using sophisticated tactics to breach defenses.

Shift in Target: From Government to Startups

Known in the cybersecurity community as APT36, Transparent Tribe has been active since 2013. Its latest strategy involves deploying the Crimson RAT malware to infiltrate Indian startups. The group carefully crafts fake emails with malicious attachments, masquerading as legitimate documents, to deceive unsuspecting victims.

This shift was detected when researchers came across suspicious files uploaded from India. These files contained content related to startups, marking a departure from the group’s previous focus on defense and educational institutions. The hackers leverage personal information about startup founders to create credible fake documents, increasing the likelihood of successful infiltration.

Technical Execution of the Attack

According to Acronis researchers, the attack begins with emails containing ISO files, which are disguised as Excel spreadsheets. When opened, these files execute a series of hidden commands that install Crimson RAT on the victim’s computer. This malware allows the attackers to monitor and control infected systems, steal files, and record audio without detection.

The malware is delivered through a file named MeetBisht.iso, containing a shortcut file that appears to be an Excel document. However, it also includes a script that silently installs the RAT while displaying a decoy document to the victim. This process effectively bypasses security measures by using PowerShell commands to eliminate warning alerts.

Advanced Evasion Tactics

The Crimson RAT employs advanced evasion techniques to avoid detection. It artificially inflates its size with junk data, complicating signature-based detection. The actual malicious code is much smaller, and the malware uses randomized function names to hinder analysis. The RAT communicates with command-and-control servers via custom TCP protocols on non-standard ports, further obscuring its activities.

To mitigate these threats, organizations are advised to implement robust email filtering to block suspicious attachments, conduct regular security training for employees, and deploy endpoint detection solutions to identify unusual activities. Monitoring network traffic for connections to non-standard ports can also help detect and neutralize such threats.
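As an added example (not from the article or the researchers it cites), the attachment-filtering advice can be applied to the ISO delivery described above by identifying disk images from their content rather than their file name and listing any shortcut or script files inside. The sketch reads only the root directory of the ISO 9660 primary volume descriptor; the extension list, function names and sample file names are assumptions constructed for illustration.

```python
import struct
from email import message_from_bytes, policy

SECTOR = 2048
RISKY_EXT = (".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".exe")  # assumed list

def iso_root_names(data):
    """Root-directory names if data is an ISO 9660 image, else None."""
    pvd = data[16 * SECTOR:17 * SECTOR]          # primary volume descriptor
    if len(pvd) < 190 or pvd[:6] != b"\x01CD001":
        return None
    # Root directory record sits at offset 156: extent LBA at +2, length at +10.
    lba, size = struct.unpack_from("<I4xI", pvd, 158)
    block, names, pos = data[lba * SECTOR:lba * SECTOR + size], [], 0
    while pos < len(block):
        rec_len = block[pos]
        if rec_len == 0:                         # zero padding up to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        if rec_len < 34 or pos + rec_len > len(block):
            break                                # malformed record: stop parsing
        name = block[pos + 33:pos + 33 + block[pos + 32]]
        if name not in (b"\x00", b"\x01"):       # skip "." and ".." entries
            names.append(name.decode("ascii", "replace").split(";")[0])
        pos += rec_len
    return names

def triage(raw_email):
    """Flag attachments that are disk images by content, whatever their name."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        names = iso_root_names(part.get_payload(decode=True) or b"")
        if names is not None:
            fname = part.get_filename() or "(unnamed)"
            findings.append(f"{fname}: ISO 9660 image")
            findings += [f"{fname}: contains {n}" for n in names
                         if n.lower().endswith(RISKY_EXT)]
    return findings

def build_sample_iso(names):
    """Constructed test image: PVD in sector 16, root directory in sector 18."""
    def rec(name, lba=0, size=0):
        r = bytearray(33 + len(name) + (33 + len(name)) % 2)  # even record length
        r[0], r[32], r[33:33 + len(name)] = len(r), len(name), name
        struct.pack_into("<I4xI", r, 2, lba, size)
        return bytes(r)
    directory = b"".join(rec(n) for n in (b"\x00", b"\x01", *names))
    pvd = b"\x01CD001".ljust(156, b"\x00") + rec(b"\x00", 18, len(directory))
    return bytes(16 * SECTOR) + pvd.ljust(2 * SECTOR, b"\x00") + directory
```

Images that carry their file names only in Joliet or UDF structures need a fuller parser; the content-based disk-image check still fires for any image with an ISO 9660 primary volume descriptor.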

Staying informed through updated threat intelligence feeds can enhance protection against known attack vectors used by Transparent Tribe. As the threat landscape evolves, proactive measures are crucial to safeguarding India’s tech startups from these sophisticated cyber threats.

Category: Cyber Security News

Tags: APT36, command-and-control servers, Crimson RAT, cyber threat, Cybersecurity, email security, endpoint detection, evasion tactics, hacking group, India technology sector, Indian startups, malware attack, network monitoring, remote access trojan, Transparent Tribe

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark