In January 2019, Kaspersky started an investigation into an ongoing campaign launched by a group known as Transparent Tribe to distribute the Crimson Remote Access Trojan (RAT). The attacks started with malicious Microsoft Office documents being sent to the victims through spear-phishing emails. In only a year, researchers found more than 1,000 targets across almost 30 countries. The research also revealed new, previously unknown components of Crimson RAT, indicating that it is still under development. These are among the findings from the first part of the investigation, published by Kaspersky.
Transparent Tribe (also known as PROJECTM and MYTHIC LEOPARD) is a very prolific group that is well-known in the cybersecurity industry for its massive espionage campaigns. Its activity can be traced back as far as 2013 and Kaspersky has had an eye on the group since 2016.
Its favorite method of infection is malicious documents with an embedded macro. Its main malware is a custom .NET RAT – publicly known as Crimson RAT. This tool is composed of different components, allowing the attacker to perform multiple activities on infected machines – from managing remote filesystems and capturing screenshots to performing audio surveillance using microphone devices, recording video streams from webcams and stealing files from removable media.
While the group’s tactics and techniques have remained consistent over the years, Kaspersky research has shown that the group has constantly created new programs for specific campaigns. During its exploration into the group’s activities in the last year, Kaspersky researchers spotted a .NET file that was detected by the company’s products as Crimson RAT. A deeper investigation, however, has shown that it was something different – a new server-side Crimson RAT component used by the attackers to manage infected machines. Coming in two version