APT36 Running Espionage Ops Against India's Education Sector
Pakistan-Linked APT Group Using Spear-Phishing to Plant Info Stealer Malware
A suspected Pakistan espionage threat actor that relies on phishing emails to lure victims is expanding to the education sector after years of focusing on the Indian military and government.
Security research from SentinelLabs* says a group it tracks as Transparent Tribe, also known as APT36 and Earth Karkaddan, has been using malicious documents laced with Crimson RAT malware to target Indian instructors and students.
The lure includes education-themed content and names such as "assignment." Indicators pointing to Transparent Tribe as the threat actor include the use of Crimson RAT, "a consistent staple in the group's malware arsenal," the researchers said. This latest phishing campaign also uses file hosting service domains linked to the group, such as
Aleksandar Milenkoski, a senior threat researcher at SentinelLabs, a part of SentinelOne*, told Information Security Media Group that APT36 began targeting educational institutions in the Indian subcontinent in July 2022. The domain used by the attackers as a command-and-control server is still active, he said.
Milenkoski said Transparent Tribe's intention is to target as many organizations and individuals within the educational sector as possible, as evidenced by its use of phishing emails and fake websites to lure in students and research institutions.
"We regretfully cannot accurately estimate the total number of individuals and organizations affected and are not at liberty to discuss details about affected organizations," he said.
Cybersecurity startup Cyble in March attributed a campaign targeting Indian defense researchers to SideCopy APT, a group it said "shared characteristics with Transparent Tribe (APT36) and could potentially be a sub-group of that threat actor" (see: SideCopy APT Targets India's Premier Defense Research Agency). Cyble said that SideCopy APT used spear-phishing to gain initial entry and research material as a decoy to plant a variant of the info-stealing Action Rat malware.
Crimson RAT is a .NET-based remote access Trojan that features in almost every APT36 campaign and enables attackers to maintain long-term access to victim networks, Cisco Talos wrote in 2022.
The malware includes a keylogger, runs arbitrary commands and sends system information to a command-and-control server.
According to SentinelLabs, the attackers in previous campaigns used Microsoft Office macros to download Crimson RAT, but the firm observed that the attackers have shifted to using OLE embedding that displays an image and requires users to double-click on it to download an attachment. Once a user performs this action, an activated OLE package stores and executes Crimson RAT, which masquerades as a Microsoft update process.
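The OLE-packager lure described above leaves a recognizable footprint in the document itself: an OLE object declared with the "Package" ProgID and an embedded binary that carries an executable. The following triage script is an added example written for this article, not code from SentinelLabs or the campaign; it builds constructed .docx samples in memory and flags those two traits with simple byte and XML heuristics (a full OLE compound-file parser would be the next step for production use).

```python
import io
import re
import zipfile

# Constructed byte patterns for the heuristic checks (hypothetical samples, not campaign IoCs).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE compound file header
DOS_STUB = b"This program cannot be run in DOS mode"  # string found in nearly every PE file


def scan_docx(data: bytes) -> list:
    """Return (part name, reason) findings for an OOXML document.

    Heuristics: an OLE object declared with the 'Package' ProgID (the packager
    object that launches the stored file when double-clicked) and any embedded
    OLE binary under word/embeddings/ that contains a PE executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for part in (n for n in names if n.endswith("document.xml")):
            xml = z.read(part).decode("utf-8", "replace")
            if re.search(r'<o:OLEObject[^>]*ProgID="Package"', xml):
                findings.append((part, "OLE 'Package' object (launches embedded file on click)"))
        for part in (n for n in names if n.startswith("word/embeddings/")):
            blob = z.read(part)
            if blob.startswith(CFB_MAGIC) and b"MZ" in blob and DOS_STUB in blob:
                findings.append((part, "embedded OLE binary contains a PE executable"))
    return findings


def build_sample(with_package: bool) -> bytes:
    """Build a minimal constructed .docx in memory (not a real lure document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:o="urn:schemas-microsoft-com:office:office">')
        if with_package:
            body += '<o:OLEObject Type="Embed" ProgID="Package"/>'
            # Fake embedded object: CFB header, padding, then PE-like bytes.
            z.writestr("word/embeddings/oleObject1.bin",
                       CFB_MAGIC + b"\x00" * 504 + b"MZ\x90\x00" + DOS_STUB)
        body += "</w:document>"
        z.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)), ("suspicious", build_sample(True))):
        print(label, scan_docx(doc))
```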
*Correction April 18, 2023 20:29 UTC: Corrects spelling of SentinelLabs, which does not have a space between Sentinel and Labs. Also clarifies that SentinelLabs is a part of SentinelOne, rather than a stand-alone organization.