APT36 – Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions. Our analysis shows that many of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, but the exact nature and attribution of this APT remain under investigation.
Name: Transparent Tribe (Proofpoint), APT36 (Mandiant), ProjectM (Palo Alto), Mythic Leopard (CrowdStrike), TEMP.Lapis (FireEye), Copper Fieldstone (SecureWorks).
Location: Pakistan
Suspected attribution:
Date of initial activity: 2016
Targets: India, Indian Army
Motivation: Espionage, Surveillance
Associated tools: Crimson RAT, DarkComet, LuminosityLink, njRAT, Peppy
Attack vectors: In late 2016, COPPER FIELDSTONE launched a campaign involving custom malicious Android and BlackBerry apps with remote surveillance and data theft capabilities. A second campaign, identified in February 2020, used email phishing with a weaponized Excel file that ultimately downloaded Crimson RAT.
How they work: CTU researchers assess with moderate confidence that COPPER FIELDSTONE operates on behalf of Pakistan, primarily targeting Indian diplomatic and military personnel. The group has developed and deployed at least two custom remote access Trojans, Peppy and Crimson, and also uses commodity and open-source tools including njRAT, LuminosityLink, and DarkComet.