Pakistan-linked hackers target India’s education sector with Crimson malware
A suspected Pakistan-based hacker group known as Transparent Tribe is targeting educational institutions in India with Crimson malware, according to a report by SentinelLabs.
According to SentinelLabs, the hackers gained access to victims' devices through phishing emails carrying education-themed malicious attachments created in July and August 2022. Once an attachment was opened, the threat actors used either Microsoft Office macros or Object Linking and Embedding (OLE) to install the Crimson malware on the computer.
OLE is a technology for embedding and linking objects, such as data or media files, inside a document. Attackers can use it to hide the malware within the document itself, so that it is executed when the document is opened.
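A defender's first check against this delivery technique is to find out whether an incoming Office document carries a VBA macro project or embedded OLE objects before anyone opens it. The script below is an added example written for this article, not code from SentinelLabs or from the Transparent Tribe report; it inspects only the standard Office Open XML package layout (the `vbaProject.bin` part and the `embeddings/` directory) and builds its own constructed sample documents in memory, so the file paths it flags are generic OOXML locations and the sample bytes are not indicators from any real campaign.

```python
import io
import zipfile

# Standard Office Open XML (.docx/.docm/.xlsx/.pptx) package locations that a
# mail gateway or triage step should flag. These are generic OOXML paths, not
# indicators tied to a particular campaign.
MACRO_MARKERS = ("vbaproject.bin",)
OLE_DIR_MARKERS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def triage_ooxml(data: bytes) -> dict:
    """Report which risky content types an OOXML document contains.

    Returned keys: 'is_ooxml', 'has_macros', 'embedded_objects' (archive paths of
    embedded OLE objects) and 'flag' (True when macros or OLE objects are present).
    Only the zip package structure is read; nothing in the document is executed.
    """
    result = {"is_ooxml": False, "has_macros": False, "embedded_objects": [], "flag": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc (OLE2 container) or not an Office file at all;
        # those need a different parser and are out of scope here.
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    for name in names:
        lower = name.lower()
        if any(lower.endswith(marker) for marker in MACRO_MARKERS):
            result["has_macros"] = True
        for directory in OLE_DIR_MARKERS:
            # Skip the directory entry itself; only real object parts count.
            if lower.startswith(directory) and not lower.endswith("/"):
                result["embedded_objects"].append(name)
    result["flag"] = result["has_macros"] or bool(result["embedded_objects"])
    return result


def build_sample(with_macro: bool = False, with_ole: bool = False) -> bytes:
    """Build a minimal constructed OOXML package in memory for demonstration.

    This is not a real document from any campaign; the payload bytes are a
    placeholder OLE2 header followed by a marker string.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-macro")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0constructed-ole")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (
        ("plain document", build_sample()),
        ("macro document", build_sample(with_macro=True)),
        ("OLE-embedding document", build_sample(with_ole=True)),
    ):
        verdict = triage_ooxml(doc)
        print(f"{label}: flag={verdict['flag']} macros={verdict['has_macros']} "
              f"objects={verdict['embedded_objects']}")
```

A flagged result does not by itself mean the document is malicious, since legitimate files also embed spreadsheets or carry macros; the point is to route such attachments to sandbox detonation or quarantine rather than straight to a user's inbox, and to pair the check with a policy that blocks macro execution on files arriving from the internet.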
Crimson is a remote access trojan (RAT), a type of malware that provides an attacker with remote access to a victim's computer. Crimson is capable of exfiltrating system information, capturing screenshots, starting and stopping processes, and listing all the files and drives on the computer.
The group has used Crimson in most of its operations, constantly modifying it.
Transparent Tribe has been active since 2013 and has targeted government organizations in around 30 countries. The group usually creates fake domains mimicking a government organization before delivering a payload.
According to researchers, Transparent Tribe is likely getting help from third parties to support its work, including Pakistani web hosting provider Zain Hosting.
Transparent Tribe is not a “very sophisticated group,” according to SentinelLabs, but is highly persistent and “continuously adapts its operational strategy.”
“Transparent Tribe’s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group,” the researchers said.
In July 2021, a cyber-espionage group bearing close resemblance to Transparent Tribe was observed targeting Indian citizens with government and military-related lures in a campaign to infect victims with malware.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.