A Pakistani-based hacking group that goes by a variety of names, including "Transparent Tribe," "APT36," "Mythic Leopard" and others has been discovered to be behind a particularly nasty attack recently.
Researchers with QiAnXin's RedDrip Team discovered a phishing campaign bearing the group's stamp.
This new campaign utilizes poisoned files that appear to be health advisories sent by the Indian government. These days, people are desperate for information about the Coronavirus, and the hacking group is taking full advantage.
Their poisoned documents are being opened at an alarming rate, and when they are, a malicious tool called the Crimson RAT (Remote Administration Tool) is being installed.
This tool allows the hacker group to, (among other things):
- Capture screenshots
- Collect information about the antivirus software the victim's computer or device uses
- Make use of TCP protocols for communicating with the command and control server
- Stealing credentials from the victim's browser
- Listing running process, drives and directories on the victim's machine
- Retrie files from its C&C server
While all of those are bad, the last one is probably the most dangerous. Once the hackers have established an entry point on the infected system, they can use the communications link with the C&C server to install literally any other type of software they want.
For the time being, the group has contented themselves with operations in India, but they're not the only state sponsored threat actor on the world stage. They're certainly not the only ones to be using the fear surrounding the Coronavirus as cover for their nefarious activities.
Be sure your employees are aware of this new threat, and adopt the policy of not opening any health related information you get via email. If you want to know the latest information available, instruct your team to go to the CDC's website and pull it straight from the source.