
“WIN-P9NRMH5G6M8” – Transparent Tribe Perussian

In 2022, Pakistan-based Transparent Tribe, AKA APT36, broadened its horizons and adopted new TTPs. Since 2016, when the group targeted the Indian Embassy in Riyadh, Saudi Arabia, it has repeatedly targeted official Indian institutions, including baiting Indian Defence personnel. Now, however, the group has begun to target sectors other than Central Government and Defence. Recent targets have included the State Government of West Bengal (India) and the Indian Institute of Technology, Hyderabad (an educational institution). There have also been campaigns against Indian IT firms, in which the usual infection vector, a weaponized Office document, masquerades as a candidate's resume.

Our deeper investigations into recent Transparent Tribe campaigns revealed an interesting new TTP common to all of them: the outsourcing of hosted C2s. On one C2 IP used by Transparent Tribe we found an open RDP port presenting a self-signed SSL certificate whose Common Name (CN) was “WIN-P9NRMH5G6M8”.

We pivoted on this Common Name, expecting but a handful of hits. Instead, we found ourselves drowning in a deluge of tens of thousands of IPs with exposed RDP, each presenting a different SSL certificate that nonetheless carried the same CN. These IPs belonged to ISPs in different geographic locations, and several of them had been involved in other common cyber-attacks, ranging from hosting phishing sites to serving a flavour of the Log4Shell exploit (CVE-2021-44228) in June 2022. Surely not all of these can belong to the Transparent Tribe actors; what is more probable is that this unique CN is associated with an outsourced service. We had to dig deeper.
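To make the reasoning behind this pivot concrete, here is an added example in Python; it is not the authors' or K7's code. It pulls the commonName out of DER-encoded X.509 structures with a small DER walker, then compares the hosts that share a CN: the same CN on many distinct certificates spread over several networks is treated as evidence of a shared template or hosting service rather than a single actor, whereas one certificate reused on many hosts is a much stronger link. The certificate fragments, IPs, ASNs and the `constructed_cert` and `pivot_on_cn` helpers are all constructed for the example (the IPs and ASNs come from the documentation ranges); only the Name encoding, a SEQUENCE of SETs of AttributeTypeAndValue with OID 2.5.4.3 for commonName, is real X.501.

```python
"""Pivoting on an RDP certificate Common Name: CN extraction from DER plus a
cross-host comparison that tells a shared CN apart from a shared certificate.

All certificate fragments and scan records below are constructed for the
example; IPs and ASNs are taken from the documentation ranges."""
import hashlib
from collections import Counter

CN_OID = b"\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (id-at-commonName)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_common_names(der):
    """Return every commonName value in `der`, in document order.

    In an X.509 certificate the issuer Name precedes the subject Name, so a
    self-signed RDP certificate yields the machine name twice."""
    found = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, value, pos = _read_tlv(buf, pos)
            if tag == 0x30 and len(value) >= 2:  # SEQUENCE: maybe an AttributeTypeAndValue
                inner_tag, inner_val, inner_pos = _read_tlv(value, 0)
                if inner_tag == 0x06 and inner_val == CN_OID and inner_pos < len(value):
                    vtag, vval, _ = _read_tlv(value, inner_pos)
                    codec = "utf-16-be" if vtag == 0x1E else "utf-8"  # BMPString vs UTF8/PrintableString
                    found.append(vval.decode(codec, "replace"))
                    continue
            if tag & 0x20:  # constructed type: descend into it
                walk(value)

    walk(der)
    return found


def _tlv(tag, value):
    """Encode a DER TLV with a short-form length (enough for the constructed data)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _name(cn):
    """Name ::= SEQUENCE OF RelativeDistinguishedName; RDN ::= SET OF AttributeTypeAndValue."""
    atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def constructed_cert(cn, serial):
    """Cut-down certificate body (serial, issuer Name, subject Name); constructed, not real X.509."""
    return _tlv(0x30, _tlv(0x02, serial.to_bytes(2, "big")) + _name(cn) + _name(cn))


# Constructed scan results: (ip, asn, certificate bytes). Five unrelated certificates
# share the default-looking CN, while one certificate is reused on two hosts of one network.
SCAN_RECORDS = [
    ("192.0.2.10", 64500, constructed_cert("WIN-P9NRMH5G6M8", 1)),
    ("192.0.2.11", 64500, constructed_cert("WIN-P9NRMH5G6M8", 2)),
    ("198.51.100.7", 64501, constructed_cert("WIN-P9NRMH5G6M8", 3)),
    ("203.0.113.40", 64502, constructed_cert("WIN-P9NRMH5G6M8", 4)),
    ("203.0.113.41", 64503, constructed_cert("WIN-P9NRMH5G6M8", 5)),
    ("198.51.100.9", 64504, constructed_cert("corp-gateway", 9)),
    ("198.51.100.10", 64504, constructed_cert("corp-gateway", 9)),
]


def fingerprint(der):
    """SHA-256 over the DER bytes: the usual certificate fingerprint for pivoting."""
    return hashlib.sha256(der).hexdigest()


def pivot_on_cn(records, cn):
    """Summarise every host whose subject CN equals `cn`.

    Same CN but different certificates across several networks points to a
    shared template or hosting service; one certificate reused everywhere is
    a much stronger link between the hosts."""
    hits = [(ip, asn, fingerprint(der)) for ip, asn, der in records
            if (extract_common_names(der) or [None])[-1] == cn]  # last CN is the subject
    fps = Counter(fp for _, _, fp in hits)
    asns = {asn for _, asn, _ in hits}
    if not hits:
        verdict = "no-hosts"
    elif len(fps) == 1 and len(hits) > 1:
        verdict = "shared-certificate"
    elif len(fps) > 1 and len(asns) > 1:
        verdict = "shared-cn-only"
    else:
        verdict = "inconclusive"
    return {"hosts": len(hits), "certificates": len(fps), "asns": len(asns), "verdict": verdict}


if __name__ == "__main__":
    for name in ("WIN-P9NRMH5G6M8", "corp-gateway"):
        print(name, pivot_on_cn(SCAN_RECORDS, name))
```

Run stand-alone, the script reports five hosts, five certificates and four ASNs for the `WIN-` CN (verdict `shared-cn-only`) against two hosts on one certificate for `corp-gateway` (verdict `shared-certificate`); the first pattern is the one that should lower confidence in attributing every host with that CN to a single actor.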

We discovered that this Virtual Private Service is being sold in a Telegram group bearing the username, surprise, surprise, “WIN-P9NRMH5G6M8”. Further pivoting revealed this to be a premium bullet-proof hosting option offered by an actor or group who lists both Persian and Russian in the language profile of its Russian social-media page. We were also able to track down a video website (an Iranian YouTube-like service) associated with this actor. The plot thickens. What could be the reason for Transparent Tribe to be linked to these characters?

In this presentation, we examine the latest Kill Chain employed by Transparent Tribe, with particular focus on the changes incorporated in 2022 and the possible reasons for them. We will also reveal detailed identifiers associated with the threat actors behind the infrastructure used by Transparent Tribe, with a view to gauging the extent of the relationship, and whether the same or similar infrastructure is or might be used by other APT actors too.

Arun Kumar Shunmuga Sundaram

Arun Kumar Shunmuga Sundaram, a Computer Science Master’s graduate from the University of Glasgow, has been working as a Threat Intel Team Lead at K7 Threat Control Labs for the past 8 years. He works on curating and optimizing the Threat Intel feed and monitoring various threat actors. His research findings have also contributed to the K7 lab blog. Apart from being passionate about reversing, he is an avid gamer and loves to follow up on indie gaming.

Rajeshkumar R

Rajeshkumar R is a Threat Researcher at K7 Threat Control Labs and holds a Master’s degree in Computer Applications from Anna University, Chennai. His core responsibilities include reversing and providing detection at multiple layers for prevalent malware in addition to monitoring the latest trends in ransomware attacks. He also publishes his research findings on the K7 lab blog from time to time. Outside of malware research, he likes to spend his spare time swimming and has a keen interest in current events and politics.