Transparent Tribe group targets Government and Military by infecting USB Devices

The Advanced Persistent Threat group Transparent Tribe, previously tracked by Proofpoint, runs campaigns against government and military personnel. This prolific group has previously been connected to attacks against the Indian government and military. The group, also known as PROJECTM and MYTHIC LEOPARD, is also involved in large-scale espionage campaigns. Recently, the APT group has shifted its focus to Afghanistan, although security researchers have documented its presence in close to 30 countries.

Today, Kaspersky said in a blog post that Transparent Tribe is focused on surveillance and spying, and to accomplish these ends it is constantly evolving its toolkit depending on the intended target. The attack chain starts in a typical way, via spear-phishing emails. Fraudulent messages are sent with malicious Microsoft Office documents attached; the documents contain an embedded macro that deploys the group's main payload, the Crimson Remote Access Trojan (a .NET RAT), and a Python-based RAT known as Peppy.

This APT group continues to spread Crimson RAT, infecting a large number of victims in multiple countries, mainly India and Afghanistan. Giampaolo Dedola will talk more about Transparent Tribe and its tools in the GReAT Ideas, Powered by SAS webinar on 26 August 2020. Anyone can register for it here.

Crimson Server

Crimson is the main tool used by this APT group for their espionage activities. The tool is composed of various components, which are used by the attacker for performing multiple activities on infected machines:

Manage Remote Filesystems
Upload and Download files
Capture Screenshots
Perform audio surveillance using microphones
Record video streams from webcam devices
Steal files from removable media
Execute arbitrary commands
Record keystrokes
Steal passwords saved in browsers
Spread across systems by infecting removable media
Connect to a command-and-control (C2) server for data exfiltration and remote malware updates

Researchers at Kaspersky found two different server versions. The one they named version A was compiled in 2017, 2018 and 2019 and includes a feature for installing the USBWorm component and executing commands on remote machines. The one they named version B was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development and that the APT group is working to enhance it. By analysing the .NET binary, the researchers were able to set up a working environment and communicate with samples previously detected on victims' machines.

Crimson Server Version A and B

Main Panel: The main panel provides a list of infected machines and shows basic information about the victims' systems. Geolocation information is retrieved from a legitimate website using the remote IP address as the input. The URL used by the server is: <ip>

Source: Server main panel (Kaspersky)

There is a toolbar at the top that can be used for managing the server or starting actions on the selected bot. There is an output console at the bottom with a list of actions performed by the server in the background; it displays information about received and sent commands. The server uses an embedded configuration specified inside a class named settings.

Source: Example of embedded configuration (Kaspersky)

The class contains TCP port values, default file names and installation paths used by each malware component. The server does not include any features to build the other components; they need to be manually placed in specific predefined folders. For example, based on the configuration displayed in the picture above, the "msclient" must be placed in ".\tmps\rfaiwaus.exe". This led the researchers to conclude that the server file was generated by another builder, which created the executable files, directories and the other files used by the application.
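A defender can turn a documented server configuration of this kind into host-hunting checks. The following Python is an added example, not code from the Kaspersky report or from this article: it takes a mapping of component name to relative install path and matches it against a host file listing. Only the "msclient" to ".\tmps\rfaiwaus.exe" pair comes from the report; the second configuration entry, the file listing and the directory the relative paths are anchored under are constructed placeholders. Because the report does not state which base directory the relative paths resolve against, the matcher compares trailing path components rather than full paths, and reports a weaker "filename" hit when only the executable name matches.

```python
"""Derive host-hunting checks from a Crimson-style embedded configuration.

Added example: constructed data, not telemetry or code from the report.
"""
from __future__ import annotations

import ntpath

# Constructed sample of the component -> relative install path data that the
# report says the server's `settings` class holds. Only the "msclient" entry is
# from the report; "placeholder_component" is a placeholder so the matcher has
# more than one rule to apply.
SAMPLE_CONFIG = {
    "msclient": r".\tmps\rfaiwaus.exe",
    "placeholder_component": r".\tmps\placeholder.exe",
}

# Constructed host file listing (the base directory is an assumption; the
# report does not say where the relative paths are anchored).
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\tmps\rfaiwaus.exe",
    r"C:\Users\alice\Downloads\RFAIWAUS.EXE",
    r"C:\Program Files\Common Files\readme.txt",
    r"C:\Windows\System32\notepad.exe",
]


def _parts(path: str) -> list[str]:
    """Split a Windows path into lower-cased components, dropping '.' and ''.

    ntpath.normpath removes the leading '.\\' from relative paths, so the
    configured path and a full on-disk path can be compared component-wise.
    Case folding matters because NTFS paths are case-insensitive.
    """
    normalized = ntpath.normpath(path).lower()
    return [p for p in normalized.split("\\") if p not in ("", ".")]


def hunt(config: dict[str, str], listing: list[str]) -> list[tuple[str, str, str]]:
    """Return (component, confidence, path) hits.

    confidence is "path" when the file's trailing components equal the
    configured relative path (directory and file name both match), or
    "filename" when only the file name matches (weaker: worth a look, not an
    alert on its own).
    """
    hits: list[tuple[str, str, str]] = []
    for component, rel_path in config.items():
        rel_parts = _parts(rel_path)
        for seen in listing:
            seen_parts = _parts(seen)
            if len(seen_parts) >= len(rel_parts) and seen_parts[-len(rel_parts):] == rel_parts:
                hits.append((component, "path", seen))
            elif seen_parts and seen_parts[-1] == rel_parts[-1]:
                hits.append((component, "filename", seen))
    return hits


if __name__ == "__main__":
    for component, confidence, path in hunt(SAMPLE_CONFIG, SAMPLE_LISTING):
        print(f"{confidence:8} {component:12} {path}")
```

On a real host the listing would come from a file-system walk or an EDR inventory; the configuration would be the actual values recovered from the server binary. Directory-plus-filename hits are the ones to escalate; filename-only hits catch a renamed drop location but also produce more noise.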

Bot Panel: The main features are accessible from the bot panel, an interface with twelve tabs which can be used to manage a remote system and collect information. They are:

Update Module: This tab is used for checking the client configuration, uploading Crimson components and executing them on the remote system. The Crimson framework is composed of seven client components:

Thin Client: A tiny version of the RAT used for recognizing the victim. It is usually dropped during the infection process by which Transparent Tribe is distributed and is the component most commonly found on OSINT resources. It contains a limited number of features and can typically be used to collect information about the infected system, take screenshots, manage the remote filesystem, download and upload files, get a process list, kill a process and execute a file.

Main Client: The full-featured RAT. It can handle all Thin Client features, but it can also be used to install the other malware components, capture webcam images, eavesdrop using a computer microphone, send messages to the victim, execute commands with COMSPEC and receive the output.

USB Driver: A USB module component designed for stealing files from removable drives attached to infected systems.

USB Worm: A component developed for stealing files from removable drives, spreading across systems by infecting removable media, and downloading and executing the Thin Client component from a remote Crimson server.

Pass Logger: A credential stealer, used for stealing credentials stored in the Chrome, Firefox and Opera browsers.

KeyLogger: A simple component used for recording keystrokes.

Remover: This cannot be pushed using the Update Module tab, but it can be uploaded to an infected machine automatically using the "Delete User" button. Kaspersky did not acquire that component and cannot provide a description of it.

File Manager & Auto Download tabs: The file manager allows the attacker to explore the remote file system, execute programs, download, upload and delete files.

Crimson Server version B is quite similar to version A; the main difference is its graphical user interface.

Transparent Tribe continues to show high activity against multiple targets, including government and military. The APT group continues to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. Kaspersky shared the following list of IOCs.

Source: List of IOCs (Kaspersky)

The IOC list above is not complete. For more information about the APT discussed here, as well as a full IOC list, contact Kaspersky at