MITRE ATT&CK - Преступная группа Transparent Tribe

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)

ID: G0134

Associated Groups: Mythic Leopard, COPPER FIELDSTONE, APT36, ProjectM

Version: 1.1

Created: 02 Sep 2021

Last Modified: 22 Sep 2022

Name	Description
Associated Group Descriptions
Mythic Leopard	(Citation: Crowdstrike Mythic Leopard Profile)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)
COPPER FIELDSTONE	(Citation: Secureworks COPPER FIELDSTONE Profile)
APT36	(Citation: Talos Transparent Tribe May 2021)
ProjectM	(Citation: Unit 42 ProjectM March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1583	.001	Acquire Infrastructure: Domains	Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Talos Transparent Tribe May 2021)
Enterprise	T1059	.005	Command and Scripting Interpreter: Visual Basic	Transparent Tribe has crafted VBS-based malicious documents.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
Enterprise	T1584	.001	Compromise Infrastructure: Domains	Transparent Tribe has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.(Citation: Kaspersky Transparent Tribe August 2020)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.(Citation: Kaspersky Transparent Tribe August 2020)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016)
		.002	Phishing: Spearphishing Link	Transparent Tribe has embedded links to malicious downloads in e-mails.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)
Enterprise	T1608	.004	Stage Capabilities: Drive-by Target	Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)
Enterprise	T1204	.001	User Execution: Malicious Link	Transparent Tribe has directed users to open URLs hosting malicious content.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)
		.002	User Execution: Malicious File	Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016)

ID	Name	References	Techniques
Software
S0115	Crimson	(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) (Citation: Kaspersky Transparent Tribe August 2020) (Citation: MSIL/Crimson) (Citation: Proofpoint Operation Transparent Tribe March 2016)	File and Directory Discovery, Video Capture, Security Software Discovery, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, File Deletion, System Time Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Time Based Evasion, Keylogging, Web Protocols, Data from Local System, System Owner/User Discovery, Screen Capture, Audio Capture, Exfiltration Over C2 Channel, Process Discovery, Local Email Collection, Modify Registry, System Network Configuration Discovery, Peripheral Device Discovery, Data from Removable Media, Replication Through Removable Media, System Location Discovery, Ingress Tool Transfer, Windows Command Shell, Non-Application Layer Protocol, Query Registry, Credentials from Web Browsers
S0334	DarkComet	(Citation: DarkKomet) (Citation: FYNLOS) (Citation: Fynloski) (Citation: Krademok) (Citation: Malwarebytes DarkComet March 2018) (Citation: TrendMicro DarkComet Sept 2014) (Citation: Unit 42 ProjectM March 2016)	Command and Scripting Interpreter, Clipboard Data, Video Capture, System Information Discovery, Ingress Tool Transfer, Process Discovery, Windows Command Shell, Disable or Modify System Firewall, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Web Protocols, Audio Capture, Disable or Modify Tools, Software Packing, Modify Registry, Keylogging, System Owner/User Discovery, Match Legitimate Name or Location
S0644	ObliqueRAT	(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) (Citation: Talos Oblique RAT March 2021) (Citation: Talos Transparent Tribe May 2021)	Screen Capture, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Data Transfer Size Limits, Malicious Link, System Information Discovery, File and Directory Discovery, Steganography, System Checks, Data from Removable Media, Local Data Staging, Process Discovery, System Owner/User Discovery, Video Capture
S0643	Peppy	(Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Unit 42 ProjectM March 2016)	Keylogging, Ingress Tool Transfer, Web Protocols, Windows Command Shell, Automated Exfiltration, Screen Capture, File and Directory Discovery
S0385	njRAT	(Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Trend Micro njRAT 2018)	System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Obfuscated Files or Information, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Transparent Tribe

Associated Group Descriptions

Techniques Used

Software

References