Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021.

“This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users,” Cisco Talos said in a report shared with The Hacker News.

Also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, the Transparent Tribe actor is suspected to be of Pakistani origin and is known to strike government entities and think tanks in India and Afghanistan with custom malware such as CrimsonRAT, ObliqueRAT, and CapraRAT.

But the targeting of educational institutions and students, first observed by India-based K7 Labs in May 2022, indicates a deviation from the adversary’s typical focus.

“The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state,” Cisco Talos researchers told The Hacker News. “APTs will frequently target individuals at universities and technical research organizations in order to establish long term access to siphon off data related to ongoing research projects.”

Attack chains documented by the cybersecurity firm involve delivering a maldoc to the targets either as an attachment or a link to a remote location via a spear-phishing email, ultimately leading to the deployment of CrimsonRAT.

“This APT puts in a substantial effort towards social engineering their victims into infecting themselves,” the researchers said. “Transparent Tribes’ email lures try to appear as legitimate as possible with pertinent content to convince the targets into opening the maldocs or visiting the malicious links provided.”

CrimsonRAT, also known as SEEDOOR and Scarimson, functions as the staple implant of choice for the threat actor to establish long-term access into victim networks as well as exfiltrate data of interest to a remote server.

Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, steal browser credentials, record keystrokes, capture screenshots, and execute arbitrary commands.

What’s more, a number of these decoy documents are said to be hosted on education-themed domains (e.g., “studentsportal[.]co”) that were registered as early as June 2021, with the infrastructure operated by a Pakistani web hosting services provider named Zain Hosting.

“The entire scope of Zain Hosting’s role in the Transparent Tribe organization is still unknown,” the researchers noted. “This is likely one of many third-parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.”

Found this article interesting? Follow THN on Facebook, Twitter ď‚™ and LinkedIn to read more exclusive content we post.

Related News

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

German politicians and political parties have been using data about Facebook users’ political preferences to deliver microtargeted advertisements, a watchdog…
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network…
The Board of Directors Will See You Now

The Board of Directors Will See You Now

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common…