
G0134 Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]

ID: G0134
Associated Names: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Version: 1.0
Created: 02 September 2021
Last Modified: 25 October 2021

Associated Group Descriptions

Name | Description
COPPER FIELDSTONE | [4]
APT36 | [3]
Mythic Leopard | [5][2][3]
ProjectM | [6][2]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1583 | Acquire Infrastructure | -
Enterprise | T1583.001 | Domains | Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[1][3]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.005 | Visual Basic | Transparent Tribe has crafted VBS-based malicious documents.[1][2]
Enterprise | T1584 | Compromise Infrastructure | -
Enterprise | T1584.001 | Domains | Transparent Tribe has compromised domains for use in targeted malicious campaigns.[1]
Enterprise | T1189 | Drive-by Compromise | Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]
Enterprise | T1568 | Dynamic Resolution | Transparent Tribe has used dynamic DNS services to set up C2.[1]
Enterprise | T1203 | Exploitation for Client Execution | Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[1]
Enterprise | T1564 | Hide Artifacts | -
Enterprise | T1564.001 | Hidden Files and Directories | Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[2]
Enterprise | T1036 | Masquerading | -
Enterprise | T1036.005 | Match Legitimate Name or Location | Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[2]
Enterprise | T1027 | Obfuscated Files or Information | Transparent Tribe has dropped encoded executables on compromised hosts.[1]
Enterprise | T1566 | Phishing | -
Enterprise | T1566.001 | Spearphishing Attachment | Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[1][2][7][3][6]
Enterprise | T1566.002 | Spearphishing Link | Transparent Tribe has embedded links to malicious downloads in e-mails.[7][3]
Enterprise | T1608 | Stage Capabilities | -
Enterprise | T1608.004 | Drive-by Target | Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[1][6][3]
Enterprise | T1204 | User Execution | -
Enterprise | T1204.001 | Malicious Link | Transparent Tribe has directed users to open URLs hosting malicious content.[7][3]
Enterprise | T1204.002 | Malicious File | Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[1][2][7][3][6]
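
Two of the rows above (T1568, dynamic DNS for C2, and T1583.001, registered domains mimicking file-sharing, government, defense and research sites) are directly visible in resolver logs. The following detection sketch is an added example, not code from ATT&CK or from any reporting on Transparent Tribe. The dynamic-DNS zone list, the mimic keywords, the allowlist and the log format are all assumptions chosen for illustration; the log lines are constructed, and the registrable-domain logic uses a hard-coded handful of multi-part suffixes rather than a full public-suffix list.

```python
"""Flag resolver queries consistent with T1568 (C2 under a dynamic DNS zone) and
T1583.001 (lookalike domains for government / file-sharing brands).

Added example; the lists below are illustrative assumptions, not intel from the page.
"""
import re
from dataclasses import dataclass

# Assumption: zones where anyone can register a hostname for free.
DYNAMIC_DNS_ZONES = {"no-ip.org", "ddns.net", "hopto.org", "zapto.org",
                     "duckdns.org", "dyndns.org", "sytes.net", "myftp.biz"}
# Suffixes under which the registrable domain is three labels deep (toy public-suffix list).
MULTI_PART_SUFFIXES = {"gov.in", "nic.in", "co.in", "ac.in", "gov.af"}
# Official suffixes and brand domains that may legitimately carry the keywords below.
TRUSTED_SUFFIXES = {"gov.in", "nic.in", "gov.af"}
ALLOWED_DOMAINS = {"dropbox.com"}
# Assumption: analyst-chosen keywords matching the sectors the page says are mimicked.
MIMIC_KEYWORDS = ("dropbox", "govt", "defence", "research", "ministry", "army")

# Constructed log format: "<timestamp> <client ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    technique: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Collapse a query name to the part somebody had to register."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(qname: str):
    """Return (technique, reason) for a suspicious name, or None if it looks benign."""
    reg = registrable_domain(qname)
    if reg in DYNAMIC_DNS_ZONES:
        # Any host under one of these zones is attacker-controllable at zero cost.
        return "T1568", f"host under dynamic DNS zone {reg}"
    if reg in ALLOWED_DOMAINS or reg.split(".", 1)[-1] in TRUSTED_SUFFIXES:
        return None
    first_label = reg.split(".")[0]
    for kw in MIMIC_KEYWORDS:
        if kw in first_label:
            return "T1583.001", f"registrable domain {reg} carries '{kw}' outside the allowlist"
    return None


def detect(log_text: str):
    """Run classify() over every well-formed line; malformed lines are skipped, not fatal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            findings.append(Finding(m["ts"], m["client"], m["qname"], *verdict))
    return findings


# Constructed sample log: one benign host, one dynamic DNS host, one legitimate
# brand host, one brand lookalike, one real .gov.in host, one government lookalike.
SAMPLE_LOG = """\
2021-09-02T10:15:01Z 10.20.30.41 A mail.example.org
2021-09-02T10:15:07Z 10.20.30.41 A update-srv.no-ip.org
2021-09-02T10:16:12Z 10.20.30.52 A files.dropbox.com
2021-09-02T10:16:40Z 10.20.30.52 A dropbox-files-share.net
2021-09-02T10:17:03Z 10.20.30.63 A mea.gov.in
2021-09-02T10:17:09Z 10.20.30.63 A govt-india-portal.info
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.technique}: {f.reason}")
```

The keyword match is deliberately crude: it trades precision for coverage of newly registered domains that no feed knows yet, so in production it belongs behind a registration-age or first-seen filter rather than as a standalone alert.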

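The T1564.001 and T1036.005 rows describe one trick: the real folder is marked hidden and a runnable file with the folder's name and icon is left in its place, so a user with hidden items and known extensions suppressed sees only the impostor. The check below is an added example, not Transparent Tribe tooling or ATT&CK code. The directory listing is constructed, the set of runnable extensions is an assumption, and the on-disk helper relies on st_file_attributes, which Python only populates on Windows.

```python
"""Find hidden directories shadowed by a visible runnable file of the same name
(the T1564.001 / T1036.005 pairing).  Added example with a constructed listing."""
import os
import stat
from dataclasses import dataclass
from pathlib import PurePath

# Assumption: extensions Explorer will execute on double-click.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".vbs", ".js"}
# stat exposes these on every platform in modern Python; fall back to the NTFS values.
ATTR_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
ATTR_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool
    system: bool = False


def find_folder_masquerades(entries):
    """Return sorted (hidden_dir_name, impostor_file_name) pairs.

    Matching is case-insensitive because NTFS and FAT lookups are."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir or e.hidden:
            continue
        p = PurePath(e.name)
        # "Documents.exe" -> stem "Documents"; only pair it with a *hidden* folder,
        # a visible folder next to a same-named file is ordinary user clutter.
        if p.suffix.lower() in RUNNABLE_EXTS and p.stem.lower() in hidden_dirs:
            hits.append((hidden_dirs[p.stem.lower()], e.name))
    return sorted(hits)


def entries_from_windows_dir(path):
    """Build Entry objects from a real directory using NTFS attributes.

    Outside Windows st_file_attributes is absent, so every entry reads as visible."""
    out = []
    for de in os.scandir(path):
        attrs = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append(Entry(de.name, de.is_dir(follow_symlinks=False),
                         bool(attrs & ATTR_HIDDEN), bool(attrs & ATTR_SYSTEM)))
    return out


# Constructed listing of a removable drive root as it might look after infection.
SAMPLE_LISTING = [
    Entry("Documents", is_dir=True, hidden=True, system=True),
    Entry("Documents.exe", is_dir=False, hidden=False),
    Entry("Photos", is_dir=True, hidden=True),
    Entry("photos.scr", is_dir=False, hidden=False),
    Entry("Backup", is_dir=True, hidden=False),
    Entry("Backup.exe", is_dir=False, hidden=False),   # folder still visible: not the pattern
    Entry("notes.txt", is_dir=False, hidden=False),
    Entry("Thumbs.db", is_dir=False, hidden=True),      # hidden file, not a directory
]

if __name__ == "__main__":
    for folder, impostor in find_folder_masquerades(SAMPLE_LISTING):
        print(f"hidden folder {folder!r} shadowed by {impostor!r}")
```

Run entries_from_windows_dir() against the root of each mounted removable drive on an endpoint to turn this into a scheduled check; the hidden+system combination on the real folder is the strongest signal, since users rarely set the system bit by hand.
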
Software

ID | Name | Techniques
S0115 | Crimson | Web Protocols (Application Layer Protocol); Audio Capture; Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Windows Command Shell (Command and Scripting Interpreter); Credentials from Web Browsers (Credentials from Password Stores); Data from Removable Media; Deobfuscate/Decode Files or Information; Local Email Collection (Email Collection); File and Directory Discovery; File Deletion (Indicator Removal on Host); Ingress Tool Transfer; Keylogging (Input Capture); Modify Registry; Non-Application Layer Protocol; Peripheral Device Discovery; Process Discovery; Query Registry; Replication Through Removable Media; Screen Capture; Security Software Discovery (Software Discovery); System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Video Capture; Time Based Evasion (Virtualization/Sandbox Evasion)
S0334 | DarkComet | Web Protocols (Application Layer Protocol); Audio Capture; Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Clipboard Data; Command and Scripting Interpreter; Windows Command Shell (Command and Scripting Interpreter); Disable or Modify Tools (Impair Defenses); Disable or Modify System Firewall (Impair Defenses); Ingress Tool Transfer; Keylogging (Input Capture); Match Legitimate Name or Location (Masquerading); Modify Registry; Software Packing (Obfuscated Files or Information); Process Discovery; Remote Desktop Protocol (Remote Services); System Information Discovery; System Owner/User Discovery; Video Capture
S0385 | njRAT | Web Protocols (Application Layer Protocol); Application Window Discovery; Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Windows Command Shell (Command and Scripting Interpreter); PowerShell (Command and Scripting Interpreter); Credentials from Web Browsers (Credentials from Password Stores); Standard Encoding (Data Encoding); Data from Local System; Fast Flux DNS (Dynamic Resolution); Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall (Impair Defenses); File Deletion (Indicator Removal on Host); Indicator Removal on Host; Ingress Tool Transfer; Keylogging (Input Capture); Modify Registry; Native API; Non-Standard Port; Obfuscated Files or Information; Compile After Delivery (Obfuscated Files or Information); Peripheral Device Discovery; Process Discovery; Query Registry; Remote Desktop Protocol (Remote Services); Remote System Discovery; Replication Through Removable Media; Screen Capture; System Information Discovery; System Owner/User Discovery; Video Capture
S0644 | ObliqueRAT | Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Data from Removable Media; Local Data Staging (Data Staged); Data Transfer Size Limits; File and Directory Discovery; Steganography (Obfuscated Files or Information); Peripheral Device Discovery; Process Discovery; Screen Capture; System Information Discovery; System Owner/User Discovery; Malicious Link (User Execution); Video Capture; System Checks (Virtualization/Sandbox Evasion)
S0643 | Peppy | Web Protocols (Application Layer Protocol); Automated Exfiltration; Windows Command Shell (Command and Scripting Interpreter); File and Directory Discovery; Ingress Tool Transfer; Keylogging (Input Capture); Screen Capture

References
