The group has added a management console and a USB worming function to its main malware, Crimson RAT.
The APT group Transparent Tribe is mounting an ongoing cyberespionage campaign, researchers said, which is aimed at military and diplomatic targets around the world. The effort features a worm that can propagate from machine to machine while stealing files from USB removable drives.
Transparent Tribe (a.k.a. ProjectM and Mythic Leopard), is a prolific group that has been active [PDF] since at least 2013, specializing in widespread spy-craft. In the latest campaign, Kaspersky has observed spearphishing emails going out with malicious Microsoft Office documents containing a custom remote-access trojan (RAT) called Crimson. So far, researchers have found 1,093 targets across 27 countries, with the most-affected being Afghanistan, Germany, India, Iran and Pakistan.
Crimson is executed by way of embedded macros, according to Kaspersky research released on Thursday. It’s a .NET RAT that has a slew of malicious capabilities, including managing remote file systems, capturing screenshots, keylogging, conducting audio surveillance using built-in microphones, recording video streams from webcams, stealing passwords and stealing files.
Transparent Tribe has updated Crimson RAT for this campaign, the firm said, adding a server-side component used to manage infected client machines as well as a new USBWorm component developed for stealing files from removable drives, spreading across systems by infecting removable media, and downloading and executing a thin-client version of Crimson from a remote server.
“Coming in two versions, it was compiled in 2017, 2018 and 2019, indicating that this software is still under development and the APT group is working on ways to improve it,” according to the research.
Server-Side Management Interface
The server component gives attackers a handy control panel, which provides a list of infected machines and shows basic information about the victims’ systems as well as geolocation information retrieved from a legitimate website using a remote IP address as the input.
“At the top, there is a toolbar that can be used for managing the server or starting some actions on the selected bot,” Kaspersky said. “At the bottom, there is an output console with a list of actions performed by the server in the background. It will display, for example, information about received and sent commands.”
The bot panel is an interface with 12 tabs, which can be used to manage a remote system and collect information. The tabs match up with various Crimson components – for instance, there are tabs for explore the remote file system; downloading, uploading and deleting files; keylogging; and monitoring the remote screen and checking what the user is doing on their system.
In the remote-screen tab, “the attacker can retrieve a single screenshot or start a loop that forces the bot to continuously send screenshots to the server, generating a live stream of sorts. The attacker can also configure the RAT component to record the images on the remote system,” according to the analysis.
The freshly added USBWorm component in Crimson RAT behaves as a downloader, infector and USB stealer.
“When started, it checks if its execution path is the one specified in the embedded configuration and if the system is already infected with a Crimson client component,” explained Kaspersky researchers. “If these conditions are met, it will start to monitor removable media, and for each of these, the malware will try to infect the device and steal files of interest.”
The infection procedure for USBWorm starts with cataloging all directories on the victim device, the analysis details. The malware then creates a copy of itself in the drive root directory for each one, using the same directory name. It changes the legitimate directories’ attribute to “hidden” – which results in all the actual directories being replaced with a copy of the malware using the same directory name. USBWorm also uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access it.
“This simple trick works very well on default Microsoft Windows installations, where file extensions are hidden and hidden files are not visible,” according to Kaspersky. “The victim will execute the worm every time he tries to access a directory. Moreover, the malware does not delete the real directories and executes ‘explorer.exe’ when started, providing the hidden directory path as argument. The command will open the Explorer window as expected by the user.”
The data theft procedure lists all files stored on the device and copies those with an extension matching a predefined list: .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx and .txt.
“Our investigation indicates that Transparent Tribe continues to run a high amount of activity against multiple targets,” said Giampaolo Dedola, security expert at Kaspersky, in a media statement. “During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal. The group continue to invest in its main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We don’t expect any slowdown from this group in the near future and we’ll continue to monitor its activities.”