Research Saturday 4.4.26
Ep 419 | 4.4.26

Startup surge sparks spy interest.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Santiago Pontiroli: What brought this particular group to our attention was that we were tracking a RAT, that's a remote access tool known as GootKit RAT, and we started with that, and we found some interesting samples. Then we got more interesting samples, IPs, and then we started with that to develop into a, you know, full-length investigation.

Dave Bittner: That's Santiago Pontiroli, Threat Intelligence Research Lead from the Acronis TRU Team. The research we're discussing today is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." [ Music ]

Santiago Pontiroli: -- but usually it starts that way with just a single indicator of compromise or maybe an indicator of the group reusing infrastructure from the past.

Dave Bittner: What was it about this latest campaign from them that stood out compared to some of the things they've done in the past?

Santiago Pontiroli: So usually, this group in particular is targeting South Asia, and in particular, India. In previous campaigns, we saw them mainly doing spear phishing to ministries, governments, financial institutions, things that were of, let's say -- that were relevant to them in the sense of intelligence gathering and not so much of, let's say, getting a financial gain. In this case, they were targeting startups in India, and this is my assumption or my hypothesis in this case, that given that startups don't have as mature security as other companies, but nevertheless, they are connected to the broader ecosystem of the government, they are targeting, kind of, an indirect supply chain attack. They target the startups. They get information that they want from the startups because they are linked to the government, so instead of going directly to the target, they kind of go around it.

Dave Bittner: Well, walk us through the attack chain here. Where do things begin, and take us through what happens?

Santiago Pontiroli: Yeah, sure. So initially, the victim or the target, receives a spear-phishing email, and in this email, they get an attachment, so far so good. I mean, there is nothing unusual about that. In this case, the attachment is what is different from other APT actors or other campaigns. They are using an ISO file. So that's a container file in which you can consider it, for example, as an archive, as a zip file or 7-Zip or a RAR file, but in this case, when you open this container in Windows, by default, Windows will try to open it as a virtual CD or DVD ROM drive. This is an important detail that I can explain to you later why, but this was a deliberate decision by the APT group to use this particular type of file. Within this container, they have a bunch of other files. They have a PowerShell script. They have a document file, and also, an LNK file. LNK is a Windows shortcut file. For example, when you create a direct link in your desktop to -- I don't know -- whatever file you want to open quickly, Windows creates a file that is between, like, 10 to 12 kilobytes, so a very, very small file that just says where to open the real file. In this case, Transparent Tribe, they are using this file to open a spreadsheet, a Word document, and in the background, they are actually deploying the malware. If you are the victim, you only see the document you intended to open, you intended to see, but in the background, a whole bunch of operations are happening.

Dave Bittner: Is that opening of the document, is that just misdirection?

Santiago Pontiroli: Yeah, exactly. I mean, in this case, since we're talking about intelligence gathering, they don't want you to be suspicious about anything. It's not like in the past you would see, like, you know, hacker groups or script kiddies, like -- I don't know if you remember the Michelangelo Virus or things like that. This is a completely different ballgame. Here, we are talking about espionage, so these guys want you to think that you actually opened a legitimate document, and in the background, everything is happening.

Dave Bittner: Well, you mentioned the use of ISO files, and as you say, I mean, that's a bit of a trip down memory lane when it comes to things like DVDs. What made them choose that?

Santiago Pontiroli: There is a particular feature in Windows. When you download a file from the internet, Windows marks it as not safe. Let's say, there's something that you downloaded from the internet, and it should be checked. You know, when you double-click a file that you just downloaded, you get the prompt from SmartScreen, so you get like an, "Are you sure you want to open this file?" But in the case of ISO files, since these are containers, or archives, and Windows, by default, tries to mount a DVD drive, it considers ISO files as local archives, so it will bypass Windows protection. It will not prompt SmartScreen. It will just tell you like, hey, yeah, you have your DVD ready to use. Come on, use it. Then you can just go and double-click on the shortcut files.

Dave Bittner: I see. Well, the research talks about Crimson RAT and how they're using that. Can you describe to us what that is?

Santiago Pontiroli: Yeah, sure. APT36 has been using a wide array of remote access tools, not only Crimson RAT, but they all share some commonalities. The main feature is taking screenshots, harvesting credentials, exfiltrating this information, using a customized TCP protocol, but I would say that beyond the RAT that this particular group is using, is that they changed the way they are delivering the final payload. What I mean by this is they used Crimson RAT in the past, but they never used it in this way. They never used it in combination with an ISO file, in combination with a Windows shortcut, so it's like they -- and I see this in many APT groups. They think, like, why reinvent the wheel? Let's just reuse whatever we have right now and see if it works. [ Music ]

Dave Bittner: We'll be right back. [ Music ] You mentioned that the sample that you analyzed was padded. They brought it up to about 34 megabytes, just filling it with junk data. What's the practical purpose of inflating a file that way?

Santiago Pontiroli: Oh, that's a lovely question that usually gets a bunch of analysts really angry, because you would see like -- and this doesn't happen only with APT groups. It happens with traditional cybercrime. For example, like, banking trojans usually do the same, and this is mainly to bypass quick detection. Any antivirus will scan some files, or actually, will scan all the files, but it will scan just a portion of the file initially. This is because your computer doesn't have infinite resources. It will scan, like, maybe the first 2 megabytes or it will scan, like, Properties. It will try to use as little resources as possible. In this case, they are padding the file with a bunch of dummy, zeros, ones, whatever, information, so it initially will bypass that type of detection. This is what we call static detection, but there are other types of detection, for example, heuristics, which is detecting by the behavior of the file or what it's actually trying to do. Cybercriminals and APT groups, they try to avoid detection for as long as possible. I mean, the further down the chain they can go, the more chances of success they have.

Dave Bittner: And what are the core surveillance and system control capabilities that are built into Crimson RAT?

Santiago Pontiroli: I mean, you can do anything with this RAT, to be honest. It's like any remote-control tool that you can think of, like legitimate control tools. Like, for example, I know TeamViewer or AnyDesk, things like that, but actually even more powerful because you can set it up so it takes, like, a continuous, you know, one screenshot after the other, kind of a video, but just screenshots. So actually, it's doing that to reduce the bandwidth usage. You can upload or download files. You can execute commands. You can, for example, kill processes. If you see, like, there is, for example, any detection suite or anything that you don't want to be there while you're doing the infection, APT36, they can just kill the process and, you know, basically manage your computer remotely without even you noticing. There are no visible windows. There is no trace of anything wrong happening.

Dave Bittner: You mentioned in the research that some of the infrastructure overlaps with previous campaigns. How confident are you in attributing this to Transparent Tribe?

Santiago Pontiroli: In the past, there was a campaign from this same APT. They were using one of the domains for a while. Then they stopped. It was, you know, taken down, and after a couple of years, we are seeing the same domain again used by these guys. Actually, I think it was the IP address that resolved to a bunch of domains affiliated, or actually, that we associated with APT36, so there is a high degree of confidence there in which we can, you know, assess that this is APT36. When you combine that with, you know, the usage of Crimson RAT, the targets, because you are targeting startups in India, when you combine the different, you know, tactics, techniques, and procedures, it's like -- you can never be 100% sure, but you can say like, hey, everything points to APT36 TTPs.

Dave Bittner: Yeah, when we're looking at the broader implications here, is there anything that this campaign tells us about how these espionage groups are adapting their targeting strategies?

Santiago Pontiroli: I, you know, I think it's really interesting because APT36 actually has, again, has been in the game for more than a decade. They are using the same remote access tools that they have been using for over a decade, but they are shifting the way that they try to infect their victims. I think the shift that we are seeing is not so much technical, but I think it's in regards to social engineering, and actually, bypassing the human element. I think, like, APTs evolve targets and tradecraft more than tools. I think that's a common takeaway between what we're seeing in the cyber espionage landscape.

Dave Bittner: For the defenders in our audience, what are your recommendations? How would you suggest that someone best protect themselves against this sort of thing?

Santiago Pontiroli: Do not open ISO files. [Laughter] No, just kidding, of course. You know, it's very difficult to defend against this type of attack because, again, we are dealing with a targeted attack. I would say there are many layers in which you can stop this attack. We always talk about, you know, defense in depth, thinking about security like an onion, but there are so many layers right now when it comes to endpoint security. I think at the end of the day, you can tell any user, including me, I think we will click on the link. Maybe we will open that attachment because these guys actually know what they are doing and they will craft it, so the chances of you opening it are higher. I would say that you need not only training for the users, but I would say trying to stop the chain at the point where it tries to get out. What I mean by this is the exfiltration phase, and I think it was Rob Joyce from the NSA that said, "If you want to know if we are in your network, just monitor everything that is going out," and I think this is the way. I mean, it comes from someone that knows what he's talking about. I think that's where EDR, XDR comes into play. You need not only detection by static signatures, by heuristics. You need to have visibility over the network as well. [ Music ]

Dave Bittner: Our thanks to Santiago Pontiroli, Threat Intelligence Research Lead from Acronis TRU Team. The research is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." We'll have a link in the show notes, and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tré Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our Publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]