Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)
ID: G0134
Associated Groups: Mythic Leopard, COPPER FIELDSTONE, APT36, ProjectM
Version: 1.2
Created: 02 Sep 2021
Last Modified: 10 Apr 2024

Associated Group Descriptions

Name Description
Mythic Leopard (Citation: Crowdstrike Mythic Leopard Profile)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)
COPPER FIELDSTONE (Citation: Secureworks COPPER FIELDSTONE Profile)
APT36 (Citation: Talos Transparent Tribe May 2021)
ProjectM (Citation: Unit 42 ProjectM March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Talos Transparent Tribe May 2021)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Transparent Tribe has crafted VBS-based malicious documents.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1584 .001 Compromise Infrastructure: Domains

Transparent Tribe has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Transparent Tribe has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016)

.002 Phishing: Spearphishing Link

Transparent Tribe has embedded links to malicious downloads in e-mails.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)

Enterprise T1204 .001 User Execution: Malicious Link

Transparent Tribe has directed users to open URLs hosting malicious content.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)

.002 User Execution: Malicious File

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016)

Software

ID Name References Techniques
S0115 Crimson (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) (Citation: Kaspersky Transparent Tribe August 2020) (Citation: MSIL/Crimson) (Citation: Proofpoint Operation Transparent Tribe March 2016) File and Directory Discovery, Video Capture, Security Software Discovery, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, File Deletion, System Time Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Time Based Evasion, Keylogging, Web Protocols, Data from Local System, System Owner/User Discovery, Screen Capture, Audio Capture, Exfiltration Over C2 Channel, Process Discovery, Local Email Collection, Modify Registry, System Network Configuration Discovery, Peripheral Device Discovery, Data from Removable Media, Replication Through Removable Media, System Location Discovery, Ingress Tool Transfer, Windows Command Shell, Non-Application Layer Protocol, Query Registry, Credentials from Web Browsers
S0334 DarkComet (Citation: DarkKomet) (Citation: FYNLOS) (Citation: Fynloski) (Citation: Krademok) (Citation: Malwarebytes DarkComet March 2018) (Citation: TrendMicro DarkComet Sept 2014) (Citation: Unit 42 ProjectM March 2016) Command and Scripting Interpreter, Clipboard Data, Video Capture, System Information Discovery, Ingress Tool Transfer, Process Discovery, Windows Command Shell, Disable or Modify System Firewall, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Web Protocols, Audio Capture, Disable or Modify Tools, Software Packing, Modify Registry, Keylogging, System Owner/User Discovery, Match Legitimate Name or Location
S0644 ObliqueRAT (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) (Citation: Talos Oblique RAT March 2021) (Citation: Talos Transparent Tribe May 2021) Screen Capture, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Data Transfer Size Limits, Malicious Link, System Information Discovery, File and Directory Discovery, Steganography, System Checks, Data from Removable Media, Local Data Staging, Process Discovery, System Owner/User Discovery, Video Capture
S0643 Peppy (Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Unit 42 ProjectM March 2016) Keylogging, Ingress Tool Transfer, Web Protocols, Windows Command Shell, Automated Exfiltration, Screen Capture, File and Directory Discovery
S0385 njRAT (Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Trend Micro njRAT 2018) System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Encrypted/Encoded File, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.