The group Transparent Tribe has added a management console & a USB worming function to its main malware, Crimson RAT.
The APT group Transparent Tribe is mounting an ongoing cyber-espionage campaign aimed at military & diplomatic targets worldwide, researchers report. It features a worm that can move from machine to machine while stealing files from USB removable drives.
Transparent Tribe (a.k.a. Project M & Mythic Leopard) is a prolific group that has been active since at least 2013, specialising in spy-craft.
In their latest campaign, Kaspersky has observed spear phishing emails being sent with malicious Microsoft Office documents containing a custom remote access trojan (RAT) named Crimson.
So far, researchers have discovered 1,093 targets across 27 countries, with the worst-affected being Afghanistan, Germany, India, Iran & Pakistan.
Crimson is executed by way of embedded macros, says Kaspersky research released on Thursday. It is a .NET RAT that has many malicious capabilities, including managing remote file systems, capturing screenshots, keylogging, conducting audio surveillance using built-in microphones, recording video streams from webcams, stealing passwords & stealing files.
Transparent Tribe has updated Crimson RAT for this campaign, the firm observed, adding a server-side component used to manage infected client machines as well as a new USB Worm component developed for stealing files from removable drives, spreading across systems by infecting removable media, & downloading & executing a thin-client version of Crimson from a remote server.
“Coming in 2 versions, it was compiled in 2017, 2018 & 2019, indicating that this software is still under development & the APT group is working on ways to improve it,” comments the research.
Server-Side Management Interface
The server component gives attackers a handy control panel, which provides a list of infected machines & shows basic information about the victims’ systems as well as geolocation information retrieved from a legitimate website using a remote IP address as the input.
“At the top, there is a toolbar that can be used for managing the server or starting some actions on the selected bot,” Kaspersky said. “At the bottom, there is an output console with a list of actions performed by the server in the background. It will display, for example, information about received & sent commands.”
The bot panel is an interface with 12 tabs, which can be used to manage a remote system & collect information. The tabs match up with the various Crimson components: e.g., there are tabs for exploring the remote file system; downloading, uploading & deleting files; keylogging; & monitoring the remote screen to check what the user is doing on their system.
In the remote-screen tab, “the attacker can retrieve a single screenshot or start a loop that forces the bot to continuously send screenshots to the server, generating a live stream of sorts. The attacker can also configure the RAT component to record the images on the remote system,” according to the analysis.
USB Worm Component
The freshly added USB Worm component in Crimson RAT behaves as a downloader, infector & USB stealer.
“When started, it checks if its execution path is the one specified in the embedded configuration & if the system is already infected with a Crimson client component,” explained Kaspersky researchers.
“If these conditions are met, it will start to monitor removable media, & for each of these, the malware will try to infect the device & steal files of interest.”
The infection procedure for USB Worm starts with cataloguing all directories on the victim device, the analysis details. The malware then creates a copy of itself in the drive root directory for each one, using the same directory name.
It changes the legitimate directories’ attribute to “hidden” – which results in each real directory appearing to be replaced by a copy of the malware bearing the same directory name. USB Worm also uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access it.
“This simple trick works very well on default Microsoft Windows installations, where file extensions are hidden & hidden files are not visible,” according to Kaspersky.
“The victim will execute the worm every time he tries to access a directory. Moreover, the malware does not delete the real directories & executes ‘explorer.exe’ when started, providing the hidden directory path as argument. The command will open the Explorer window as expected by the user.”
The data theft procedure lists all files stored on the device & copies those with an extension matching a predefined list: .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx and .txt.
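The infection pattern described above leaves a recognisable footprint on the drive root: a hidden directory next to an executable with the same base name. The following script is an added example, not code from the article or from Kaspersky's analysis; it flags such pairs in a directory listing and counts how many documents with the extensions the worm targets sit on the drive. The executable-extension list and the sample listing are constructed assumptions.

```python
import os
import stat
from dataclasses import dataclass

# Extensions an executable "folder mimic" could carry. Constructed list (assumption),
# not taken from the Kaspersky analysis.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Document extensions the article says the worm copies off the removable drive.
TARGETED_DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                                ".ppt", ".pptx", ".pps", ".ppsx", ".txt"}

# Windows hidden-attribute bit; stat exposes the constant, fallback given for safety.
HIDDEN_ATTRIBUTE = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    """One item in the drive root: its name, whether it is a directory, whether it is hidden."""
    name: str
    is_dir: bool
    hidden: bool


def find_folder_mimics(entries, require_hidden=True):
    """Return executables whose base name matches a directory in the same listing.

    With require_hidden=True only hidden directories count (the pattern described
    in the article); with False any same-named directory/executable pair is reported.
    Names are compared case-insensitively, as on a Windows file system.
    """
    dir_hidden = {e.name.lower(): e.hidden for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        stem = stem.lower()
        if ext.lower() not in EXECUTABLE_EXTENSIONS or stem not in dir_hidden:
            continue
        if require_hidden and not dir_hidden[stem]:
            continue
        hits.append(e.name)
    return sorted(hits)


def count_exposed_documents(filenames):
    """Count files the worm's extension list would have copied off the drive."""
    return sum(1 for f in filenames
               if os.path.splitext(f)[1].lower() in TARGETED_DOCUMENT_EXTENSIONS)


def list_drive_root(root):
    """Build Entry objects for a real drive root (e.g. 'E:\\\\' on Windows)."""
    entries = []
    with os.scandir(root) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; elsewhere dot-names count as hidden.
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & HIDDEN_ATTRIBUTE) or d.name.startswith(".")
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return entries


# Constructed sample listing (assumption): what an infected drive root might look like.
SAMPLE_ROOT = [
    Entry("Reports", is_dir=True, hidden=True),
    Entry("Reports.exe", is_dir=False, hidden=False),
    Entry("Photos", is_dir=True, hidden=True),
    Entry("photos.exe", is_dir=False, hidden=False),    # case differs, still a match
    Entry("Backup", is_dir=True, hidden=False),         # visible directory
    Entry("Backup.exe", is_dir=False, hidden=False),    # only reported in loose mode
    Entry("notes.txt", is_dir=False, hidden=False),
    Entry("setup.exe", is_dir=False, hidden=False),     # no matching directory
]

if __name__ == "__main__":
    import sys
    entries = list_drive_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROOT
    for name in find_folder_mimics(entries):
        print(f"folder-mimic executable: {name}")
    print("documents at risk:", count_exposed_documents(e.name for e in entries))
```

Run it with a drive root as the argument (for example `E:\`) to scan real media; without an argument it runs over the constructed listing. The strict mode mirrors the article's description (hidden directory plus same-named executable); the loose mode is a broader triage check that also surfaces a visible directory with a same-named executable beside it.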
“Our investigation indicates that Transparent Tribe continues to run a high amount of activity against multiple targets,” explained Giampaolo Dedola, Security Expert at Kaspersky, in a statement.
“During the last 12 months, we have observed a very broad campaign against military & diplomatic targets, using a big infrastructure to support its operations & continuous improvements in its arsenal.
The group continues to invest in its main RAT, Crimson, to perform intelligence activities & spy on sensitive targets. We don’t expect any slowdown from this group in the near future & we’ll continue to monitor its activities.”