# Analysis of APT-C-56 (Transparent Tribe) camouflage resume attack campaign

**mp.weixin.qq.com/s/xU7b3m-L2OlAi2bU7nBj0A**

Included in the collection

#APT
87
piece

#南亚地区
26
piece

#APT-C-56 Transparent Tribe
7
piece

**APT-C-56**
**Transparent Tribe**
APT-C-56 (Transparent Tribe), also known as Transparent Tribe, APT36, ProjectM, C-Major,
is an APT organization with a South Asian background, which has long targeted attacks on
the politics and military of neighboring countries and regions (especially India), and has
developed its own exclusive Trojan horse CrimsonRAT, and has also been found to widely
spread USB worms.
It has been targeting India's government, public sector, and various industries including but
not limited to healthcare, power, finance, manufacturing, etc. to maintain a high level of
information theft activities.
Earlier this year, Transparent Tribe and SideCopy were found to be using the same
infrastructure and using the same themes to target similar targets, using smuggling
intelligence-related decoys to camouflage Indian Defense Ministry emails to launch frequent
attacks against India. We also found an attack campaign targeting the foreign trade industry
using backlinks.
Recently, the 360 Advanced Threat Institute detected a sample of suspected Transparent
Tribe's attack activity. We speculate that the previous operation went undetected, and the
sample used the bait documentation to eventually release its exclusive Trojan, CrimsonRAT.

## 1. Analysis of attack activities

 1. Attack process analysis

Attack campaigns using decoy documents that disguise resumes. Through the release of
CrimsonRAT through Dropper, continuous monitoring of users in the middle of the
recruitment.

## 2. Load delivery analysis


-----

### 2.1 Disguising Documents

The sample name we captured is Sonam kaur_2, the
document name is similar to the sample, the file name
below is Sonam Singh's document, which also uses the
name of the person as the document name, and Sonam
Singh's document is a personal work resume.

Unlike the same attack we speculate is that the malicious
document we capture only contains macro code inside
the open window, and once the user inadvertently clicks
to start the macro function, the hidden malicious macro
code runs automatically.

We also found an account with the same name on Twitter, and in the profile we can see that
the status location is in Mumbai and is a wealth consulting firm. The Tweet update is as of
July 2021, and while this is consistent with our presumed timing of the action, it is not
possible to tell if this tweet is related to the documentation.


-----

The macro code disguises itself as an Mdiaz-related program in the ALLUSERSPROFILE
directory, reads hidden data from the specified structure of the malicious document and
writes it to a file, which shows that APT-C-56 (transparent tribe) uses simple string
concatenation technology to disassemble exe characters to avoid static killing by antivirus
engines.


-----

Launch the malicious PE program that is released, while further reading the normal text
document data hidden inside, release it to the worddcs.docx, and finally open this document
to disguise and confuse the user.


-----

### 2.2 Dropper

The released PE file is a .Net Dropper program. First, determine whether a zip file exists,
read the resource section and write the data to the file if it does not exist, delete it and write it
again.


-----

Determine whether there is a file with the suffix .ford in the directory, and if so, create a
startup file directly. If no suffix is specified, the file goes directly to the subsequent release
process.


-----

Then determine whether there is a backdoor RAT stored in the resource, and if not,
download and run it from the C&C through the network connection.

## 3. Attack component analysis

The RAT backdoor released after download disguises itself as the FireFox browser and is the
CrimsonRAT that the Transparent Tribe has been maintaining and using.


-----

The control codes and commands are as follows:

**directives** **Control code**

Enumerate processes gey7tavs


-----

Upload a GIF thy7umb

Enumerate processes pry7ocl

Set up auto-start puy7tsrt

Download the file doy7wf

Set up screenshots scy7rsz

Gets the file properties fiy7lsz

See screenshots cdy7crgn

csy7crgn

csy7dcrgn

Stop taking screenshots sty7ops

Desktop screenshot scyr7en

Gets disk information diy7rs

Parameter initialization cny7ls

Delete the file dey7lt

Get file information afy7ile

Delete a user udy7lt

Search for files liy7stf

Get user information iny7fo


-----

Execute the file ruy7nf

Move files fiy7le

## 2. Attribution research and judgment

Based on the similarity of the macro code and CrimsonRAT judging that this is an APT-C-5 6
(Transparent Tribe) attack activity, the sample found this time has many similarities to our
previous APT-C-56 (Transparent Tribe) attack analysis report.

## 1. Analysis related to previous attacks

### 1.1 Macro code is similar

The following figure shows the analysis from the previous disclosure action:

The following figure shows the analysis of this attack:


-----

### 1.2 Dropper is similar

The following figure shows the analysis from the previous disclosure action:


-----

The following figure shows the analysis of this attack:

## 2. Difference analysis from previous actions

The last campaign released RATs directly from resources.


-----

The samples found this time were downloaded via a network connection for subsequent
RATs.

**summary**

The India-Pakistan conflict has always existed because of border, cultural, ethnic, historical
and other reasons, and the military and political espionage caused by geopolitical conflicts
has always been the main theme of the region. Pakistan's sidecopy group has been imitating


-----

the Sidewinder attack, and the Indian group will also imitate the transparent tribe s attack.

Chaotic situations often represent a contest of economic, military, and cybersecurity
capabilities between countries, and it is increasingly important to seize intelligence
opportunities through cyberattacks and maintain national security.

**Appendix IOC**

fdb9fe902ef9e9cb893c688c737e4cc7
ccc33eff063e44fad0fc3e6057b1bcd9
0f9f34e3e872e57446ffdcfa90a7b954
35e481dec398f206d0be12bc98ccc17a
33ea133da15dc060b7709558c97209d2
860da5abde63a42b3fbd8202d0cff6d2
8e642dd589e53347555a7b2596512ed7
23.254.119.234：6178

**360** **Advanced Threat Institute**

360 Advanced Threat Institute is the core capability support department of 360 Digital
Security Group, composed of 360 senior security experts, focusing on the discovery, defense,
disposal and research of advanced threats, and has taken the lead in capturing many wellknown 0-day attacks in the world, such as double killing, double star, nightmare formula,
etc., exclusively disclosing the advanced actions of many national APT organizations, winning
wide recognition inside and outside the industry, and providing strong support for 360 to
ensure national network security.


-----