Transparent Tribe VBA code and its Sidewinder mimicry

Vanja Svajcer

Cisco

Abstract:

Transparent Tribe is a well-known APT group targeting Asian countries with the objective of obtaining remote access to the targets and exfiltrating confidential information and documents. Traditionally, they have been doing that by deploying remote access trojans, usually Crimson RAT, but also others, such as Oblique RAT. Their operation is previously well documented by researchers, including Talos.

Transparent Tribe traditionally uses malicious Excel spreadsheets and Word documents as well as lure documents that appear to be legitimate documents of the targeted government organizations. The presentation will start with an analysis of their malicious dropper VBA code, which regularly evolves but keeps some regular characteristics such as using VBA Forms to store the executable payload in a lightly obfuscated format.

The core of the presentation will be focused on the recent discovery of a Transparent Tribe VBA code mimicry by Sidewinder group (not yet documented at the time of writing this proposal). The group started using malicious documents with a very similar VBA code in June 2021.

When these documents were discovered, the opinion was that it was a new Transparent Tribe campaign, until the payload was analysed and connected with infrastructure previously attributed to the SideWinder group.

We will discuss similarities in the VBA code between Transparent Tribe and Sidewinder and track a development process of custom executable payloads which were in development likely from January 2021.