
Names | APT36 (Mandiant), Transparent Tribe (Proofpoint), ProjectM (Palo Alto Networks), Mythic Leopard (CrowdStrike), TEMP.Lapis (FireEye), Copper Fieldstone (SecureWorks)
Location | Pakistan |
Date of initial activity | 2012 |
Suspected attribution | State-sponsored |
Motivation | Espionage, Surveillance |
Associated tools | Crimson RAT, DarkComet, LuminosityLink, njRAT, Peppy |
Overview
In 2016, Proofpoint researchers uncovered evidence of an advanced persistent threat (APT) operation against Indian diplomatic and military resources. Proofpoint's investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan, but it also turned up connections to watering-hole sites aimed at Indian military personnel and built to drop a remote access Trojan (RAT) with a variety of data-exfiltration functions.
Proofpoint's analysis showed that many of the campaigns and attacks appear related through common IOCs, delivery vectors, payloads, and language, but the exact nature of the group and its attribution remained under investigation at the time.
Targets
India, primarily Indian diplomatic and military personnel (including the Indian Army)
Attack vectors
In late 2016, COPPER FIELDSTONE launched a campaign involving custom malicious Android and BlackBerry apps with remote surveillance and data theft capabilities. A second campaign was identified in February 2020 that involved email phishing using a weaponized Excel file that ultimately downloaded Crimson RAT.
How they work
SecureWorks CTU researchers assess with moderate confidence that COPPER FIELDSTONE operates on behalf of Pakistan, primarily targeting Indian diplomatic and military personnel. The group has developed and deployed at least two custom remote access Trojans, Peppy and Crimson, and also uses commodity and open-source tools including njRAT, LuminosityLink, and DarkComet.