Transparent Tribe, a Pakistan-based threat actor also tracked as APT36, has broadened its campaigns beyond its traditional government targets to India’s growing startup ecosystem. Active since 2013, the group is deploying its long-standing remote access trojan, Crimson RAT, against Indian startups, particularly those working in cybersecurity and intelligence services. Researchers identified the campaign after finding suspicious files originating from India that carried startup-themed lure material, indicating a deliberate focus on the sector.
The new campaign marks a clear shift in the group’s targeting. Previous operations were directed mainly at Indian defence organisations and educational institutions; this one targets individuals at startups that supply security products and services to law enforcement agencies, suggesting an attempt to disrupt those companies or extract sensitive information from India’s evolving tech landscape. The group has been observed sending carefully crafted phishing emails whose malicious attachments are disguised as legitimate documents.
Transparent Tribe Targets India’s Startup Ecosystem with Crimson RAT
According to Acronis researchers, the initial entry vector is an ISO disk image delivered by email. When the recipient opens what appears to be an ordinary Excel spreadsheet inside the mounted image (in fact a shortcut), a hidden chain of commands runs and silently installs Crimson RAT on the machine, giving the attackers the ability to monitor the screen, record audio, exfiltrate files and control the system remotely without the user’s knowledge. Disk images are a popular wrapper for this kind of lure because a double-click is enough to mount them, and on Windows systems missing the November 2022 security updates the files inside a mounted ISO did not inherit the mark-of-the-web that triggers download warnings.
The infection chain begins with an email carrying a file named “MeetBisht.iso”. The ISO is a container for the malicious payload: inside, the user sees a shortcut file styled to look like an Excel document. Next to it sits a hidden folder holding three components: a decoy document to keep the victim occupied, a batch script that orchestrates the execution chain, and the Crimson RAT payload itself, an executable named to pass as an Excel file.
When the victim double-clicks the shortcut, it launches the batch script, which does two things at once: it opens the decoy Excel document so the user sees what they expected, and it copies the malware into system folders on the machine. The script uses PowerShell to suppress the security warnings Windows normally shows for files that arrived from the internet. It then creates a hard link to the executable under a randomly generated name in the user’s application data folder and launches the malware from there, so the running process appears to come from an ordinary per-user location.
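The hard link described above is a useful hunting artefact: a second directory entry for the same file, sitting in a user-writable folder under a random name. The following script, an added example and not Acronis’s or the malware’s code, walks a directory tree, reports executables whose link count is two or more, and scores how random each name looks. The directory layout it builds for the demonstration is constructed; the extension list beyond `.exe` and the use of name entropy as a signal are assumptions.

```python
"""Hunt for hard-linked executables in user-writable directories.

Added example, not Acronis's or Transparent Tribe's code. It looks for the
behaviour described above: a hard link to the dropped binary, with a random
name, placed under the user's application-data folder.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# .exe is what the article describes; the other suffixes are assumptions.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def name_entropy(stem: str) -> float:
    """Shannon entropy (bits/char) of a file-name stem.

    Random names such as 'q8ZkT1vX' score high; 'excel' or 'updater' score low.
    """
    if not stem:
        return 0.0
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values())


def find_hardlinked_executables(root, min_links: int = 2):
    """Return executables under *root* whose inode has >= min_links names.

    Each result is (path, link_count, inode, name_entropy). On NTFS, os.stat()
    reports st_nlink for hard links just as it does on POSIX file systems, so
    the same check works in %LOCALAPPDATA% and %APPDATA% on Windows.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        try:
            st = path.lstat()
        except OSError:
            continue  # permission denied, file vanished, etc.
        if st.st_nlink >= min_links:
            findings.append((str(path), st.st_nlink, st.st_ino, round(name_entropy(path.stem), 2)))
    return sorted(findings)


def build_constructed_sample(root):
    """Create a constructed directory layout mimicking the described drop.

    Not real malware: three tiny files, one of which is a hard link.
    """
    root = Path(root)
    temp = root / "AppData" / "Local" / "Temp"
    roaming = root / "AppData" / "Roaming"
    temp.mkdir(parents=True)
    roaming.mkdir(parents=True)
    dropped = temp / "dropped.exe"
    dropped.write_bytes(b"MZ" + b"\x00" * 64)            # stand-in for the RAT binary
    os.link(dropped, roaming / "q8ZkT1vX.exe")            # the randomly named hard link
    (roaming / "updater.exe").write_bytes(b"MZ" + b"\x00" * 64)  # unrelated single-name file
    return root


def demo():
    """Run the hunt over the constructed sample; returns the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return [Path(p).name for p, _, _, _ in find_hardlinked_executables(tmp)]


if __name__ == "__main__":
    for name in demo():
        print("hard-linked executable:", name)
```

Both names that share the inode are reported, so the analyst can pair the random-looking file in Roaming with its twin; the unrelated `updater.exe` has a link count of one and is not flagged. In a real hunt, point `find_hardlinked_executables` at each user’s `AppData` folder.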
The Crimson RAT payload itself carries evasion features. A key tactic is padding the file with junk data to roughly 34 MB, when the actual malicious code occupies only 80 to 150 KB. The padding changes the file hash and pushes the sample past the size limits many antivirus engines and sandboxes apply before they scan a file, so the small malicious core is often never examined at all; it does not by itself defeat pattern signatures that match the code, and the inflated file is itself a triage signal. Function names throughout the code are also randomised, which slows reverse engineering considerably.
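A bloated sample of the kind described above is cheap to spot before any deeper analysis. The script below is an added example, not Acronis’s tooling: it reads the PE section table to find where the real code and data end, treats everything after that (the overlay) as suspected padding, and separately measures how much of the file consists of near-constant 64 KiB chunks. The PE-shaped buffer it builds for the test is constructed and not executable, and the 1 MiB overlay and 50 % low-entropy thresholds are assumptions to be tuned.

```python
"""Triage check for padded ('bloated') PE samples.

Added example, not Acronis's tooling. Two independent signals are used:
the size of the PE overlay (bytes after the last section, where padding is
commonly appended) and the fraction of low-entropy 64 KiB chunks.
"""
import math
import struct
from collections import Counter

CHUNK = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a run of identical bytes, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_end_of_sections(blob: bytes) -> int:
    """Offset just past the last section's raw data, read from the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    sect = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def triage(blob: bytes, max_plausible_overlay: int = 1024 * 1024, low_entropy_bits: float = 1.0):
    """Return size metrics and a 'bloated' verdict for one sample (thresholds are assumptions)."""
    end = pe_end_of_sections(blob)
    overlay = max(0, len(blob) - end)
    chunks = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    low = sum(1 for c in chunks if shannon_entropy(c) < low_entropy_bits)
    low_fraction = low / len(chunks) if chunks else 0.0
    return {
        "file_size": len(blob),
        "code_and_data": end,
        "overlay": overlay,
        "low_entropy_fraction": round(low_fraction, 3),
        "bloated": overlay > max_plausible_overlay or low_fraction > 0.5,
    }


def constructed_bloated_pe(payload_size: int = 0x200, padding: int = 4 * 1024 * 1024) -> bytes:
    """Build a minimal, non-executable PE-shaped buffer: one section, then junk.

    Constructed sample for demonstration, not Crimson RAT.
    """
    e_lfanew, raw_ptr = 0x80, 0x400
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 1 section, PE32 optional header size 0xE0, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)  # optional header contents are irrelevant to the section walk
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", payload_size, 0x1000,
                          payload_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    body = bytes(range(256)) * (payload_size // 256)  # high-entropy stand-in for real code
    return header + body + b"\0" * padding


if __name__ == "__main__":
    print(triage(constructed_bloated_pe()))
```

On a real file, call `triage(Path(sample).read_bytes())`. A sample whose overlay is orders of magnitude larger than its sections, or whose chunks are mostly near-zero entropy, deserves to have the padding stripped and the core rescanned rather than being trusted because a size-capped scanner returned clean.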
Communication between infected systems and the command-and-control (C&C) servers uses custom TCP protocols on non-standard ports, including 18661, 20856, 26868, 29261 and 36628, which helps the traffic slip past network monitoring tuned to conventional service ports. An allow-list of expected outbound ports, rather than a block-list of known bad ones, catches this tradecraft regardless of which ports the next campaign uses.
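Turning the port list above into a detection is straightforward when connection logs are already collected. The script below is an added example, not Acronis’s, and runs over Zeek-style `conn.log` records. The log lines are constructed and use a reduced `#fields` header; the port list is the one given in the article, while the internal network ranges, the allow-list of common high ports and the “repeated unidentified traffic to a rare high port” heuristic are assumptions intended to catch the same behaviour on ports not yet published.

```python
"""Flag outbound TCP sessions to Transparent Tribe C2 ports in Zeek conn.log.

Added example, not from Acronis. Log lines are constructed for the
demonstration; KNOWN_C2_PORTS comes from the article, the rest is assumed.
"""
import ipaddress
from collections import defaultdict

KNOWN_C2_PORTS = {18661, 20856, 26868, 29261, 36628}           # from the article
COMMON_HIGH_PORTS = {3389, 5228, 8080, 8443}                    # assumed allow-list; tune per environment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log excerpt with a reduced field set (tab separated).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1710000000.1\tC1\t10.0.0.5\t49152\t203.0.113.10\t443\ttcp\tssl\t1.2\t900\t4000
1710000060.2\tC2\t10.0.0.5\t49153\t198.51.100.7\t18661\ttcp\t-\t300.0\t2048\t512
1710000360.3\tC3\t10.0.0.5\t49160\t198.51.100.7\t18661\ttcp\t-\t300.0\t2100\t480
1710000400.4\tC4\t10.0.0.9\t49200\t192.0.2.44\t51000\ttcp\t-\t0.5\t120\t60
1710000460.5\tC5\t10.0.0.9\t49201\t192.0.2.44\t51000\ttcp\t-\t0.6\t118\t60
1710000520.6\tC6\t10.0.0.9\t49202\t192.0.2.44\t51000\ttcp\t-\t0.5\t121\t62
1710000600.7\tC7\t10.0.0.7\t49300\t10.0.0.1\t26868\ttcp\t-\t2.0\t300\t300
"""


def parse_conn_log(text: str):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspect_c2(text: str, min_repeats: int = 3):
    """Return findings as (orig_h, resp_h, resp_p, reason, connection_count).

    Internal-to-internal traffic is skipped: the article describes C2 to
    external servers, and east-west traffic needs different baselining.
    """
    groups = defaultdict(list)
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or not is_external(rec["id.resp_h"]):
            continue
        groups[(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))].append(rec)

    findings = []
    for (src, dst, port), recs in sorted(groups.items()):
        if port in KNOWN_C2_PORTS:
            findings.append((src, dst, port, "known Transparent Tribe C2 port", len(recs)))
        elif (port > 1024 and port not in COMMON_HIGH_PORTS
              and len(recs) >= min_repeats
              and all(r["service"] == "-" for r in recs)):  # Zeek could not identify a protocol
            findings.append((src, dst, port, "repeated unidentified traffic to rare high port", len(recs)))
    return findings


if __name__ == "__main__":
    for f in find_suspect_c2(CONN_LOG):
        print(f)
```

The first finding is the published indicator; the second fires on a host talking repeatedly over a port Zeek cannot classify, which is what a custom TCP protocol on an arbitrary port looks like from the network side. The internal connection to port 26868 is deliberately not reported, so the analyst is not swamped by a port number alone.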
Implications and Mitigation Strategies
The targeted shift by Transparent Tribe towards India’s startup ecosystem, particularly cybersecurity firms, raises concerns about the potential disruption of critical infrastructure and the theft of sensitive intellectual property. As these startups are often at the forefront of developing new security solutions, gaining access to their networks could provide attackers with invaluable insights into emerging vulnerabilities and defensive strategies.
Organisations operating within or interacting with India’s startup sector should tighten their defences accordingly. Email filtering should block ISO and similar disk-image attachments (IMG and VHD among them) from unknown or untrusted senders, since the lure depends on the recipient mounting the image. Regular security awareness training remains essential so that staff recognise the social engineering used by groups like Transparent Tribe. Endpoint detection and response (EDR) tooling should alert on suspicious PowerShell activity, such as a batch script spawning PowerShell from a mounted image, and on unexpected executables appearing in per-user application data folders.
Continuous network monitoring is equally important to flag unusual outbound connections to non-standard ports, which can indicate malware command-and-control traffic. Given the file padding described above, network and behavioural indicators are more durable than file hashes alone, so current threat intelligence on Transparent Tribe’s command-and-control infrastructure should feed directly into monitoring and blocking.