What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-09-19 19:20:01 | Capratube - Transparent Tribe \\'s Caprarat imite YouTube à détourner les téléphones Android CapraTube - Transparent Tribe\\'s CapraRAT mimics YouTube to hijack Android phones (lien direct) |
Capratube - Transparent Tribe \'s Caprarat imite YouTube pour détourner les téléphones Android par Sentinelone
-
mise à jour malveillant
CapraTube - Transparent Tribe\'s CapraRAT mimics YouTube to hijack Android phones by SentinelOne - Malware Update |
APT 36 | ★★ | |
 |
2023-09-19 17:06:25 | Hackers utilisant de fausses applications YouTube pour infecter les appareils Android Hackers Using Fake YouTube Apps To Infect Android Devices (lien direct) |
Le groupe de piratage APT36, également connu sous le nom de \\ 'Tribe Transparent, a été découvert à l'aide d'applications Android malveillantes qui imitent YouTube pour infecter leurs cibles \' avec le Troie (rat) d'accès à distance mobile appelé \\ appelé \'Caprarat \'. Pour les personnes inconscientes, l'APT36 (ou la tribu transparente) est un groupe de piratage présumé lié au Pakistan principalement connu pour avoir utilisé des applications Android malveillantes pour attaquer la défense indienne et les agences gouvernementales, les organisations impliquées dans la région du Cachemire, ainsi que les militants des droits de l'homme travaillant travailsur des questions liées au Pakistan. Sentinelabs, une entreprise de cybersécurité, a pu identifier trois packages d'applications Android (APK) liés à la Caprarat de la tribu transparente, qui a imité l'apparence de YouTube. & # 8220; Caprarat est un outil très invasif qui donne à l'attaquant un contrôle sur une grande partie des données sur les appareils Android qu'il infecte, & # 8221;Le chercheur de sécurité Sentinellabs Alex Delamotte a écrit dans une analyse lundi. Selon les chercheurs, les APK malveillants ne sont pas distribués via Google Play Store d'Android, ce qui signifie que les victimes sont probablement socialement conçues pour télécharger et installer l'application à partir d'une source tierce. L'analyse des trois APK a révélé qu'elles contenaient le Caprarat Trojan et ont été téléchargées sur Virustotal en avril, juillet et août 2023. Deux des Caprarat APK ont été nommés \\ 'YouTube \', et l'un a été nommé \'Piya Sharma \', associée à un canal potentiellement utilisé pour les techniques d'ingénierie sociale basées sur la romance pour convaincre les cibles d'installer les applications. La liste des applications est la suivante: base.media.service moves.media.tubes videos.watchs.share Pendant l'installation, les applications demandent un certain nombre d'autorisations à risque, dont certaines pourraient initialement sembler inoffensives pour la victime pour une application de streaming médiatique comme YouTube et la traiter sans soupçon. L'interface des applications malveillantes tente d'imiter l'application YouTube réelle de Google, mais ressemble plus à un navigateur Web qu'à une application en raison de l'utilisation de WebView à partir de l'application Trojanisée pour charger le service.Ils manquaient également de certaines fonctionnalités et fonctions disponibles dans l'application Android YouTube native légitime. Une fois que Caprarat est installé sur le dispositif de victime, il peut effectuer diverses actions telles que l'enregistrement avec le microphone, les caméras avant et arrière, la collecte de SMS et les contenus de messages multimédias et les journaux d'appels, d'envoi de messages SMS, de blocage des SMS entrants, initier les appels téléphoniques, prendre des captures d'écran, des paramètres système primordiaux tels que GPS & AMP;Réseau et modification des fichiers sur le système de fichiers du téléphone \\ Selon Sentinelabs, les variantes de caprarat récentes trouvées au cours de la campagne actuelle indiquent un développement continu des logiciels malveillants par la tribu transparente. En ce qui concerne l'attribution, les adresses IP des serveurs de commande et de contrôle (C2) avec lesquels Caprarat communique sont codées en dur dans le fichier de configuration de l'application et ont été liés aux activités passées du groupe de piratage. Cependant, certaines adresses IP étaient liées à d'autres campagnes de rats, bien que la relation exacte entre ces acteurs de menace et la tribu transparente reste claire. | Malware Tool Threat | APT 36 | ★★ |
 |
2023-09-19 14:30:50 | Caprarat imite YouTube pour détourner les appareils Android CapraRAT Impersonates YouTube to Hijack Android Devices (lien direct) |
Le groupe de menaces pakistanais Transparent Tribe cible le personnel militaire et diplomatique en Inde et au Pakistan avec des leurres sur le thème de la romance dans la dernière campagne de logiciels espions.
Pakistani threat group Transparent Tribe targets military and diplomatic personnel in India and Pakistan with romance-themed lures in the latest spyware campaign. |
Threat | APT 36 | ★★ |
 |
2023-09-19 12:26:00 | Transparent Tribe utilise de fausses applications Android YouTube pour répandre Caprarat malware Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware (lien direct) |
L'acteur de menace présumé lié au Pakistan, connu sous le nom de Tribe Transparent, utilise des applications Android malveillantes imitant YouTube pour distribuer le Troie à distance à distance caprarat (rat), démontrant l'évolution continue de l'activité.
"Caprarat est un outil très invasif qui donne à l'attaquant un contrôle sur une grande partie des données sur les appareils Android qu'il infecte", Sentinelone Security
The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security |
Malware Tool Threat | APT 36 | ★ |
 |
2023-09-19 12:16:54 | PakistanI APT utilise un rat imitant YouTube à espionner les appareils Android Pakistani APT Uses YouTube-Mimicking RAT to Spy on Android Devices (lien direct) |
> Nouvelles versions de la tribu transparente entièrement liée au Pakistan.
>New versions of Pakistan-linked APT Transparent Tribe\'s CapraRAT Android trojan mimic the appearance of YouTube. |
APT 36 | ★★ | |
 |
2023-09-18 18:06:13 | Les pirates d'État APT36 infectent les appareils Android à l'aide de clones d'application YouTube APT36 state hackers infect Android devices using YouTube app clones (lien direct) |
Le groupe de piratage APT36, alias \\ 'Tribe transparent, \' a été observé en utilisant au moins trois applications Android qui imitent YouTube pour infecter les appareils avec leur Troie (rat), \\ 'Caprarat. \' [...]
The APT36 hacking group, aka \'Transparent Tribe,\' has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), \'CapraRAT.\' [...] |
APT 36 | ★ | |
 |
2023-09-18 13:00:03 | Capratube |Transparent Tribe \\'s Caprarat imite YouTube pour détourner les téléphones Android CapraTube | Transparent Tribe\\'s CapraRAT Mimics YouTube to Hijack Android Phones (lien direct) |
L'acteur de menace aligné par le Pakistan arme les fausses applications YouTube sur la plate-forme Android pour offrir un logiciel spymétrique à distance à l'accès à distance mobile.
Pakistan-aligned threat actor weaponizes fake YouTube apps on the Android platform to deliver mobile remote access trojan spyware. |
Threat | APT 36 | ★★★ |
 |
2023-07-07 02:33:29 | Rapport de tendance des menaces sur les groupes APT & # 8211;Mai 2023 Threat Trend Report on APT Groups – May 2023 (lien direct) |
Les cas de grands groupes APT pour le mai 2023 réunis à partir de documents rendus publics par des sociétés de sécurité et des institutions sont comme commesuit.& # 8211;Agrius & # 8211;Andariel & # 8211;APT28 & # 8211;APT29 & # 8211;APT-C-36 (Blind Eagle) & # 8211;Camaro Dragon & # 8211;CloudWizard & # 8211;Earth Longzhi (APT41) & # 8211;Goldenjackal & # 8211;Kimsuky & # 8211;Lazarus & # 8211;Lancefly & # 8211;Oilalpha & # 8211;Red Eyes (Apt37, Scarcruft) & # 8211;Sidecopy & # 8211;Sidewinder & # 8211;Tribu transparente (APT36) & # 8211;Volt Typhoon (Silhouette de bronze) ATIP_2023_MAY_TRADEAT Rapport sur les groupes APT_20230609
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609 |
Threat Prediction | APT 41 APT 38 APT 37 APT 37 APT 29 APT 29 APT 28 APT 28 APT 36 APT 36 Guam Guam APT-C-17 APT-C-17 GoldenJackal GoldenJackal APT-C-36 | ★★★ |
|
2023-04-19 16:58:00 | Les pirates pakistanais utilisent le poseidon de logiciels malveillants Linux pour cibler les agences gouvernementales indiennes Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies (lien direct) |
L'acteur avancé de menace persistante (APT) basée au Pakistan connu sous le nom de Tribe Transparent a utilisé un outil d'authentification à deux facteurs (2FA) utilisé par les agences gouvernementales indiennes comme ruse pour livrer une nouvelle porte dérobée Linux appelée Poséidon.
"Poséidon est un logiciel malveillant en charge utile de deuxième étape associé à la tribu transparente", a déclaré le chercheur en sécurité UptyCS Tejaswini Sandapolla dans un rapport technique publié cette semaine.
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. |
Malware Tool Threat | APT 36 | ★★ |
|
2023-04-17 11:12:52 | Sentinélone examine la tribu transparente (APT36): le groupe de cyberspionage du Pakistan élargit les attaques contre le secteur de l'éducation indienne SentinelOne untersucht Transparent Tribe (APT36): Cyberspionage-Gruppe aus Pakistan weitet Angriffe auf indischen Bildungssektor aus (lien direct) |
Sentinelabs, le département de recherche de Sentineone, a examiné un groupe B & OUML; Documents du bureau Staight qui diffusent "Crimson Rat", un logiciel malveillant utilisé par le groupe APT36.APT36, également appelé "Transparent Tribe", a son siège social Mutma & Szlig au Pakistan et est actif au moins depuis 2013.Le groupe est très persistant dans leur approche; CKig
-
malware
/ /
affiche
SentinelLabs, die Forschungsabteilung von SentinelOne, hat eine kürzlich bekannt gewordene Gruppe bösartiger Office-Dokumente untersucht, die „Crimson RAT“ verbreiten, eine von der APT36-Gruppe verwendete Malware. APT36, auch genannt „Transparent Tribe“, hat seinen Sitz mutmaßlich in Pakistan und ist mindestens seit 2013 aktiv. Die Gruppe ist in ihrem Vorgehen sehr hartnäckig - Malware / affiche |
APT 36 APT 36 | ★★ | |
 |
2023-04-13 16:00:00 | Les pirates alignés par le Pakistan perturbent le secteur de l'éducation indienne Pakistan-Aligned Hackers Disrupt Indian Education Sector (lien direct) |
APT36 Institutions ciblées avec des documents de bureau malveillants distribuant un rat cramoisi
APT36 targeted institutions with malicious Office documents distributing Crimson RAT |
APT 36 | ★★ | |
|
2023-04-13 15:49:00 | Pirates de tribu transparente basées au Pakistan ciblant les établissements d'enseignement indiens Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions (lien direct) |
L'acteur Transparent Tribe Threat a été lié à un ensemble de documents de Microsoft Office armées dans des attaques ciblant le secteur de l'éducation indienne en utilisant une pièce de malware continuellement entretenue appelée Crimson Rat.
Alors que le groupe de menaces suspecté du Pakistan est connu pour cibler les entités militaires et gouvernementales du pays, les activités se sont depuis développées pour inclure l'éducation
The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in attacks targeting the Indian education sector using a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education |
Malware Threat | APT 36 | ★★ |
|
2023-04-13 09:55:44 | Tribu transparente (APT36) |L'acteur de menace aligné par le Pakistan élargit l'intérêt dans le secteur de l'éducation indienne Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (lien direct) |
Sentinellabs a suivi un groupe de documents malveillants qui mettent en scène les logiciels malveillants Crimson Rat distribués par APT36 (Tribe transparente).
SentinelLabs has been tracking a cluster of malicious documents that stage the Crimson RAT malware distributed by APT36 (Transparent Tribe). |
Malware Threat | APT 36 APT 36 | ★★★ |
 |
2023-03-14 17:32:00 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct) |
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions
(published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | APT 35 ChatGPT ChatGPT APT 36 APT 42 | ★★ |
|
2023-03-08 10:30:00 | Officials Targeted with Romance Scams and Android Trojans (lien direct) | Activity linked to Pakistani state group APT36 | General Information | APT 36 | ★★★ |
|
2023-03-07 17:09:00 | Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps (lien direct) | A suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report | Threat | APT 36 | ★★ |
|
2023-03-07 13:55:18 | ESET Research découvre une campagne d\'espionnage ciblant des fonctionnaires en Inde et au Pakistan (lien direct) | ● ESET Research a découvert une campagne du groupe de pirates Transparent Tribe qui cible principalement des citoyens indiens et pakistanais ayant probablement un passé militaire ou politique. ● Transparent Tribe a diffusé la porte dérobée Android CapraRAT via des applications de messagerie et d'appel sécurisées sous le nom de MeetsApp et MeetUp. Elle est capable d'exfiltrer toute information sensible des appareils des victimes. ● Ces applications pouvaient être téléchargées à partir de sites web se faisant passer pour des sites de téléchargement officiels. Nous pensons qu'une arnaque à la romance a été utilisée pour attirer les cibles sur ces sites. ● Ces applications mal sécurisées ont exposé des informations personnellement identifiables, ce qui nous a permis de géolocaliser 150 victimes. - Malwares | APT 36 | ★★ | |
 |
2023-03-07 13:50:26 | (Déjà vu) Transparent Tribe APT weaponising Android messaging apps to target officials in India and Pakistan with romance scams (lien direct) | ESET researchers have analysed a cyberespionage campaign run by the Transparent Tribe APT group distributing CapraRAT backdoors through trojanised and supposedly “secure” Android messaging apps that exfiltrate sensitive information of mostly Indian and Pakistani Android users - presumably with a military or political orientation. The victims were probably targeted through a honey-trap romance scam, in […] | APT 36 | ★ | |
 |
2023-03-07 10:30:37 | Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials (lien direct) | >ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information | APT 36 | ★★ | |
|
2023-02-21 11:25:00 | Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies (lien direct) | A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT. Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy. SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated | Threat | APT 36 | ★★★ |
|
2022-11-17 00:00:00 | Mustang Panda, APT29, APT36, Phobos, Cobalt Strike : Les acteurs émergents de la cybermenace se structurent et les rançongiciels évoluent (lien direct) | Mustang Panda, APT29, APT36, Phobos, Cobalt Strike : Les acteurs émergents de la cybermenace se structurent et les rançongiciels évoluent Le Trellix Advanced Research Center dévoile son premier rapport faisant le point sur l'activité des menaces cyber - Malwares | APT 29 APT 36 | ||
|
2022-11-04 19:13:00 | Researchers Detail New Malware Campaign Targeting Indian Government Employees (lien direct) | The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach. "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh said | Malware Threat | APT 36 | |
 |
2022-09-06 08:00:00 | Researcher Spotlight: How Asheer Malhotra looks for \'instant gratification\' in threat hunting (lien direct) | The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years By Jon Munshaw. Ninety percent of Asheer Malhotra's work will never see the light of day. But it's that 10 percent that keeps him motivated to keep looking for something new. The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don't have any additional threads to pull on. But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he's written about several times. “At some point, I say 'Hey, I don't think I've seen this before.' I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said. In the case of Transparent Tribe, Malhotra's tracked their growth as a major player in the threat landscape in Asia, as they've added several remote access trojans to their arsenal, targeted high-profile government-adjacent entities in India and expanded their scope across the region. When he's not threat hunting, Malhotra also speaks to Cisco customers about the current state of cybersecurity in briefings and delivers presentations at conferences around the world (mainly virtually during the COVID-19 pandemic).  “I always try to find the latest and new stuff to talk about. … I've been honing my skills and trying to speak more confidently publicly, but the confidence is backed up with the right kind of knowledge and the threat intelligence, that's what helps me succeed,” he said. Malhotra is a native of India and spent most of his life there before coming to the U.S. for his master's degree at Mississippi State University. Mississippi was a far cry from everything else he had known up until that point, but he quickly adjusted. “That was the 'Deep South,'” he said. “So there was a culture shock, but the southern hospitality is such a real thing, and it felt very normal there.” Growing up, Malhotra always knew he wanted to work with computers, starting out as a teenager reverse-engineering exploits he'd see others talk about on the internet or just poking at smaller applications. His additional interest in politics and national security made it natural for him to combine the two and focus his research on state-sponsored actors. He enjoys continuing his research in the Indian subcontinent and sees many parallels between the state of security in India and the U.S. “Th |
Ransomware Malware Threat Guideline | APT 36 | |
|
2022-08-10 09:09:07 | Meta Take Action Against Two Cyber Espionage Operations in South Africa (lien direct) | Action has been taken against two cyber espionage operations in South Africa, according to Meta. Action has been taken against Bitter APT and APT36. The announcement was made by the company last Thursday in its Quarterly Adversarial Threat Report, Second Quarter 2022. In the report, Meta’s Global Threat Intelligence Lead, Ben Ninmo, and Director of […] | Threat Guideline | APT 36 | |
|
2022-08-05 10:40:33 | Facebook finds new Android malware used by APT hackers (lien direct) | Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as 'Bitter APT' and APT36 (aka 'Transparent Tribe') using new Android malware. [...] | Malware Threat | APT 36 | |
|
2022-07-14 01:15:16 | Pakistani Hackers Targeting Indian Students in Latest Malware Campaign (lien direct) | The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News. | Malware Threat | APT 36 | |
|
2022-07-13 16:08:15 | Transparent Tribe begins targeting education sector in latest campaign (lien direct) | Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group.This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities.The attacks result in... [[ This is only the beginning! Please visit the blog for the complete entry ]] | APT 36 | ||
 |
2022-03-29 12:00:00 | Transparent Tribe APT returns to strike India\'s government and military (lien direct) | The development of custom malware indicates the group is trying to "compromise even more victims." | Malware | APT 36 | |
|
2022-03-29 05:42:02 | New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials (lien direct) | A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021. "Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis shared with The Hacker News. "Their primary targets have | Threat | APT 36 | |
|
2022-03-29 05:02:08 | Transparent Tribe campaign uses new bespoke malware to target Indian government officials (lien direct) | By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay. Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Malware | APT 36 | |
|
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-02-09 05:06:14 | What\'s with the shared VBA code between Transparent Tribe and other threat actors? (lien direct) | By Vanja Svajcer and Vitor Ventura. Recently, we've been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Malware Threat | APT 36 | |
|
2022-02-08 16:00:00 | Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis |
Ransomware Malware Threat Conference | APT 35 APT 35 APT 29 APT 29 APT 36 | ★★ |
 |
2022-01-24 00:00:00 | Investigating APT36 or Earth Karkaddan\'s Attack Chain and Malware Arsenal (lien direct) | We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group's favored Windows malware, Crimson RAT.
|
Malware Threat | APT 36 | |
|
2021-09-23 05:01:25 | Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs (lien direct) | By Asheer Malhotra, Vanja Svajcer and Justin Thattil.
Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).This campaign distributes malicious documents and archives to deliver the Netwire...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 | ||
|
2021-07-16 07:14:51 | Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can\'t put my finger on it... (lien direct) | By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Asheer Malhotra of Talos Outreach has spent the past few months tracking APTs all along the same line. APT 36, aka...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 | ★★ | |
|
2021-07-13 15:00:00 | Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data Theft, Malicious Apps, Middle East, Phishing, Targeted Campaigns, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Global Phishing Campaign Targets Energy Sector and Its Suppliers
(published: July 8, 2021)
Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industry. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook, and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping to evade detection from anti-virus. The campaign appears to be targeting Germany, South Korea, United States, and United Arab Emirates (UAE).
Analyst Comment: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055
Tags: FormBook, AgentTesla, Phishing, Europe, Middle East
SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military
(published: July 7, 2021)
SideCopy, an advanced persistent threat (APT) group, has expanded its activities and new trojans are being used in campaigns across India accordingaccodring Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value in cyberespionage. SideCopy have also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against the targets. These targets include multiple units of the Indian military and government officials.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 | |
Malware Threat | APT 36 | |
|
2021-07-07 05:01:04 | InSideCopy: How this APT continues to evolve its arsenal (lien direct) | By Asheer Malhotra and Justin Thattil.
Cisco Talos is tracking an increase in SideCopy's activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).SideCopy is an APT group that mimics the Sidewinder APT's infection...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 APT-C-17 | ||
|
2021-05-28 07:30:24 | Talos Takes Ep. #55: How Transparent Tribe could evolve in the future (lien direct) | By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
We recently covered how the Transparent Tribe APT added another RAT to its arsenal. Where might they go from here? In...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 | ||
 |
2021-05-23 12:33:32 | Security Affairs newsletter Round 315 (lien direct) | A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia MSBuild tool used to deliver RATs filelessly Pakistan-linked Transparent Tribe APT expands its arsenal Two flaws could allow bypassing AMD […] | Ransomware Tool | APT 36 | |
|
2021-05-18 19:05:00 | Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Esclation of Avaddon Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
(published: May 14, 2021)
A new method of fingerprinting users has been developed using any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly
(published: May 13, 2021)
Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | |
Ransomware Malware Vulnerability Threat Guideline | APT 36 | |
|
2021-05-16 08:39:52 | Pakistan-linked Transparent Tribe APT expands its arsenal (lien direct) | Alleged Pakistan-Linked cyber espionage group, tracked as Transparent Tribe, targets Indian entities with a new Windows malware. Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal. The group used the new malware dubbed ObliqueRAT in cyberespionage attacks against Indian targets. The Operation Transparent Tribe (Operation C-Major, APT36, and Mythic […] | Malware | APT 36 | |
|
2021-05-14 05:04:00 | Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal (lien direct) | Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of its operations as part of an evolving espionage campaign against Indian targets, according to new research.
The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking |
Malware | APT 36 | |
|
2021-05-13 05:09:57 | Transparent Tribe APT expands its Windows malware arsenal (lien direct) | By Asheer Malhotra, Justin Thattil and Kendall McKay.
Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos' previous research has mainly linked this...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Malware | APT 36 | |
 |
2021-04-16 15:00:29 | Transparent Tribe APT Infrastructure Mapping (lien direct) | Introduction Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan, the latter of which lean towards the assumed attribution of Pakistani intelligence. Tools used [...] | Threat | APT 36 | |
|
2021-03-02 05:49:51 | ObliqueRAT returns with new campaign using hijacked websites (lien direct) | By Asheer Malhotra.
Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT.
This campaign targets organizations in South Asia.ObliqueRAT has been linked to the Transparent Tribe APT group in the past.This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites.
What's new?Cisco Talos recently discovered another new campaign distributing the...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Malware | APT 36 | |
|
2020-10-15 14:00:00 | COVID-19 Attacks – Defending Your Organization (lien direct) | Overview The Coronavirus 2019 (COVID-19) global pandemic has caused widespread fear of the unknown and deadly aspects of this novel virus, generated growth in certain industries to combat it, and created a shift toward remote work environments to slow the spread of the disease. Defending Your Organization Against COVID-19 Cyber Attacks. In this webinar, AJ, and I describe COVID-19 attacks in January through March, the groups behind them, and key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep themselves safe from these types of attacks. Pandemic Background COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China in December 2019. At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity. COVID Attack Timeline December 2019 - January 2020 At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China. Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542 alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism for an initial payload that infected systems to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns. February 2020 In early February, the progression of adversaries using uncertainty about and thirst for information regarding the COVID-19 pandemic became apparent. New malware variants and malware families were reported employing coronavirus related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver information stealer AZORult (S0344). With worldwide government health agencies giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky - G0094) used this messaging to lure individuals to download and/or execute malicious files disguised as legitimate documents. These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives. March 2020 In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336), | Ransomware Spam Malware Threat | APT 36 | ★★★ |
|
2020-08-26 18:30:00 | \'Transparent Tribe\' APT Group Deploys New Android Spyware for Cyber Espionage (lien direct) | The group, which has been around since at least 2013, has impacted thousands of organizations, mostly in India. | APT 36 | ||
 |
2020-08-26 10:00:44 | Transparent Tribe: Evolution analysis,part 2 (lien direct) | In the second article, we describe a new Android implant used by Transparent Tribe for spying on mobile devices and present new evidence confirms a link between ObliqueRAT and Transparent Tribe. | APT 36 | ||
|
2020-08-24 06:51:36 | Transparent Tribe APT hit 1000+ victims in 27 countries in the last 12 months (lien direct) | The Transparent Tribe cyber-espionage group continues to improve its arsenal while targets Military and Government entities. The Transparent Tribe APT group is carrying out an ongoing cyberespionage campaign aimed at military and diplomatic targets worldwide. The group upgraded its Crimson RAT by adding a management console and implementing a USB worming capability that allows it […] | APT 36 |
To see everything:
Our RSS (filtrered)
