Transparent Tribe’s Cyberattacks Threaten Indian Security

Pakistan Hackers Target India With Python, Golang, Rust Malware

Published on June 3rd, 2024

Pakistan-linked threat actor Transparent Tribe is behind a series of cyberattacks targeting critical infrastructure in India’s government, defense, and aerospace sectors.

The attacks, which began in late 2023 and are expected to continue, leverage a combination of social engineering and malware written in various programming languages to compromise systems and steal sensitive data.

Spear-Phishing With Common Online Services

Transparent Tribe relies on spear-phishing emails to initiate these attacks.

These emails are designed to appear legitimate and often target specific individuals within organizations.

The attackers exploit popular online services like Discord, Google Drive, Slack, and Telegram to host malicious content or facilitate communication during the attack.

Targeted Attacks On Defense Contractors

BlackBerry researchers identified three companies based in Bengaluru, India, as targets of the campaign.

While the specific names are not disclosed, the report suggests that Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited, all crucial stakeholders for the Indian Department of Defense Production (DDP), were likely targets.

Transparent Tribe’s Arsenal: A Mix Of Malware

Transparent Tribe has a history of employing various malware families throughout their campaigns.

In this instance, the attacks utilize a combination of:

  • GLOBSHELL: A Python-based information gathering tool used to collect data from compromised systems.
  • PYSHELLFOX: A malware tool designed to steal data from Mozilla Firefox.
  • Custom Bash Scripts and Python Binaries: These tools target Windows and Linux systems, respectively, and grant remote access to attackers.
  • Modified Discord-C2 Tool: This Golang-based program allows attackers to control infected systems through Discord.

The attackers have also been observed using ISO images and phishing lures to deploy malware, highlighting their evolving tactics.
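The delivery traits described above (links to widely used online services, ISO image attachments) can be checked at the mail gateway. The following is an added example, not code from BlackBerry's report or from the original article; the service hostnames, the `triage` function and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Hostnames assumed for the services the article names; adjust to your environment.
SERVICE_HOSTS = ("discord.com", "discordapp.com", "drive.google.com",
                 "slack.com", "t.me", "telegram.org")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: "HR Desk" <hr@example.org>
Reply-To: hr-desk@example.net
Subject: Updated leave policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review: https://drive.google.com/file/d/CONSTRUCTED/view
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="policy.iso"

AAAA
--b1--
"""

def _domain(header_value):
    # Domain part of the address in a From/Reply-To header ("" if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return (indicator, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".iso"):
            findings.append(("disk-image-attachment", name))
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if any(host == h or host.endswith("." + h) for h in SERVICE_HOSTS):
                    findings.append(("hosted-content-link", host))
    return findings
```

Because these services carry plenty of legitimate traffic, each finding is a signal for analyst review or quarantine scoring rather than a verdict on its own.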

Q&A

1. What are some indicators of a spear-phishing email?

Spear-phishing emails may contain urgency, spelling errors, or a sender address that appears spoofed. They may also target specific individuals and reference internal information to appear legitimate.

2. How can organizations protect themselves from these attacks?

Implementing multi-factor authentication, educating employees on phishing tactics, and maintaining up-to-date security software are all important steps to prevent successful spear-phishing attempts.

3. What are some additional resources to learn more about Transparent Tribe?

BlackBerry reports and other cybersecurity publications can provide further details on Transparent Tribe’s history and attack methods.