Skip to content

G0134 Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.425

Item Value
ID G0134
Associated Names COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Version 1.1
Created 02 September 2021
Last Modified 22 September 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
COPPER FIELDSTONE 6
APT36 5
Mythic Leopard 125
ProjectM 32

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.45

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.8
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic Transparent Tribe has crafted VBS-based malicious documents.42

For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.8
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains Transparent Tribe has compromised domains for use in targeted malicious campaigns.4
enterprise T1587 Develop Capabilities -
enterprise T1587.003 Digital Certificates For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.8
enterprise T1189 Drive-by Compromise Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.435
enterprise T1568 Dynamic Resolution Transparent Tribe has used dynamic DNS services to set up C2.4
enterprise T1203 Exploitation for Client Execution Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.4
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.2
enterprise T1027 Obfuscated Files or Information Transparent Tribe has dropped encoded executables on compromised hosts.4
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.42753

During C0011, Transparent Tribe sent malicious attachments via email to student targets in India.8

enterprise T1566.002 Spearphishing Link Transparent Tribe has embedded links to malicious downloads in e-mails.75

During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.8
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.8
enterprise T1608.004 Drive-by Target Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.435
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Transparent Tribe has directed users to open URLs hosting malicious content.75

During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.8
enterprise T1204.002 Malicious File Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.42753

During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.8

Software

ID Name References Techniques
S0115 Crimson 48 Web Protocols:Application Layer Protocol Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Data from Local System Data from Removable Media Deobfuscate/Decode Files or Information Local Email Collection:Email Collection Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Non-Application Layer Protocol Peripheral Device Discovery Process Discovery Query Registry Replication Through Removable Media Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery Video Capture Time Based Evasion:Virtualization/Sandbox Evasion
S0334 DarkComet 3 Web Protocols:Application Layer Protocol Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Modify Registry Software Packing:Obfuscated Files or Information Process Discovery Remote Desktop Protocol:Remote Services System Information Discovery System Owner/User Discovery Video Capture
S0385 njRAT 4 Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Compile After Delivery:Obfuscated Files or Information Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture
S0644 ObliqueRAT 78 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Data from Removable Media Local Data Staging:Data Staged Data Transfer Size Limits File and Directory Discovery Steganography:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Screen Capture System Information Discovery System Owner/User Discovery Malicious Link:User Execution Video Capture System Checks:Virtualization/Sandbox Evasion
S0643 Peppy 3 Web Protocols:Application Layer Protocol Automated Exfiltration Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Screen Capture

References

  1. Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021. 

  2. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  3. Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021. 

  4. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  5. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. 

  6. Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021. 

  7. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  8. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.