Cybersecurity researchers have identified a new wave of attacks by the Pakistan-linked group Transparent Tribe, targeting the Indian government, defense, and aerospace sectors using sophisticated cross-platform malware. This activity, observed from late 2023 to April 2024, showcases the group’s use of malware written in Python, Golang, and Rust. The campaign primarily relies on spear-phishing techniques, exploiting popular online services such as Discord, Google Drive, Slack, and Telegram to deliver malicious payloads.
The targets included key stakeholders of the Department of Defense Production (DDP) in Bengaluru, likely including major firms like Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited. Transparent Tribe, also known as APT36, has a history of cyber espionage against Indian government and military entities, constantly evolving its methods and tools to evade detection.
Their attack chains often use spear-phishing emails with malicious links or ZIP archives, focusing on distributing ELF binaries due to the prevalent use of Linux-based operating systems in Indian government agencies. Notable malware families employed include GLOBSHELL, CapraRAT, and PYSHELLFOX, with the latest attacks deploying various versions of GLOBSHELL for information gathering and exfiltration. The group has also experimented with new intrusion methods, including using ISO images to deploy Python-based remote access trojans controlled via Telegram.
Further analysis revealed a Golang-compiled tool capable of file exfiltration, screenshot capture, and command execution, using a modified version of the open-source project Discord-C2. This tool was delivered through ELF binary downloaders within ZIP archives, highlighting the group’s persistent targeting of sectors crucial to India’s national security. Transparent Tribe’s continued use of a core set of evolving tactics, techniques, and procedures (TTPs) underscores the ongoing threat they pose.
Reference:
