Operation Transparent Tribe was first spotted by Proofpoint researchers in February 2016, in a series of
This threat actor then vanished for a long period, and only last month appeared another
| Threat | New Operation Transparent Tribe Campaign |
| Brief Description | Malicious macro document of the new Campaign of Transparent Tribe |

Table 1. Static information about the malicious macro
The document presents itself as a request for a DSOP Fund (Defence Services Officers Provident Fund). It is a fund into which an officer compulsorily deposits part of his monthly wages with the government.
The fund is a financial planning instrument for defence personnel. The money is kept by the government and, in return, a “non-permanent” profit officially titled “interest” is paid back to the officers at the end of each year. The DSOP fund scheme was set up as a “welfare measure” for depositors whose wages otherwise barely make ends meet.
Figure 1: Piece of the malicious document employed in the Op. Transparent Tribe
Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection:
Figure 2: Piece of the malicious macro
The macro is not heavily obfuscated: its components are hidden as hex or decimal strings, which are combined with each other to unleash the next stage of the infection, so it is straightforward to deobfuscate them.
Figure 3: Extracted component from the macro
The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”.
Figure 4: Extracted files
Analyzing these files, we have a VBS script, a C# source file and a zip file; inside this archive we found 4 PE artifacts:
Figure 5: Content of the “systemidleperf.zip” file
The two DLLs are legitimate Windows libraries used in support of the malicious behaviour. Instead, the “windproc.scr” and “windprocx.scr” files are compiled versions of the SilentCMD utility, publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window; if required, the console output can be redirected to a log file.
Figure 6: SilentCMD main routine
The SilentCMD utility is used to execute the commands pushed from the C2, none of which is shown to the user. However, as previously mentioned, it is curious that the malware installs two different variants of the executable, the only difference being the timestamp:
Figure 7: Comparison between the two files
The other extracted file is “Realtime.cs”, the source of a piece of code written in C# that is compiled and run during the execution of the macro. The code is very simple and has the sole purpose of downloading another component from the Internet:
Code snippet 1
The code is really simple: it downloads the file “x64i.scr” from the drop URL “awsysclou[.com” and saves it into the folder “c:\programdata\systemidleperf\”. The file is then immediately executed through the C# primitives.
| Threat | New Operation Transparent Tribe Campaign |
| Brief Description | Python stub malware of the new Campaign of Transparent Tribe |

Table 2. Static information about the Python stub
The icon of the executable lets us understand that the malware was built with PyInstaller, a tool that lets a user create a complete self-contained executable from Python source code. However, this choice has two main disadvantages: the large footprint of the executable (more than 7.5 MB, which generates a lot of noise inside the system) and the ease of reversing the executable to obtain the source code.
So, after reversing it, the extracted code of the malware is the following:
Code snippet 2
The Python code is very simple to analyze and explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”. They are the hexadecimal representations of two PE files, which will be examined in depth in the next sections. Which of the two files is used is chosen according to the Windows OS version, as visible at the bottom of the code.
After that, the script writes the chosen payload into the folder “c:\programdata\SppExtComTel\” and immediately executes it with the parameter “–brilliance”. The malware then guarantees its persistence by creating an LNK file inside the Startup folder.
Figure 8: Persistence mechanism
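As an added example (written for this post, not code from the original analysis or from the malware), a small Python triage helper covering both the macro components hidden as hex or decimal strings and the stub's hex-encoded bitstream3/bitstream4 PE blobs: it decodes such strings, extracts long encoded string assignments from decompiled stub source, and reports whether each decoded blob is a PE and which machine type it targets. The stub source and the two minimal PE blobs are constructed stand-ins, and treating the OS-version choice as an x86/x64 split is an assumption.

```python
import hashlib
import re
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def decode_component(text):
    """Decode a component hidden as hex ("4d5a...") or decimal bytes ("77,90,...")."""
    text = text.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", text) and len(text) % 2 == 0:  # assumption: digits-only => hex
        return bytes.fromhex(text)
    if re.fullmatch(r"\d+(\s*[,;]?\s*\d+)*", text):
        return bytes(int(n) for n in re.split(r"[,;\s]+", text))
    raise ValueError("not a hex- or decimal-encoded component")

def pe_info(data):
    """Report hash and size and, when the blob is a PE, its target machine and build timestamp."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, _sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    info.update(is_pe=True, machine=MACHINE_NAMES.get(machine, hex(machine)), timestamp=timestamp)
    return info

def extract_embedded_payloads(source, min_len=64):
    """Find `name = "<long encoded literal>"` assignments in stub source and decode them."""
    found = {}
    for name, literal in re.findall(r'(\w+)\s*=\s*"([^"]{%d,})"' % min_len, source):
        try:
            found[name] = decode_component(literal)
        except ValueError:  # a long string that is not an encoded blob (e.g. a URL)
            continue
    return found

def triage(source):
    """Decode every embedded payload in the stub source and describe each one."""
    return {name: pe_info(blob) for name, blob in extract_embedded_payloads(source).items()}

def _fake_pe(machine, timestamp=0):
    """Constructed minimal PE-like blob: DOS header, e_lfanew, PE signature, COFF header."""
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff

# Constructed stand-in for the decompiled stub; the real bitstream3/bitstream4 hold full PE files.
SAMPLE_SOURCE = 'bitstream3 = "%s"\nbitstream4 = "%s"\n' % (_fake_pe(0x14C).hex(), _fake_pe(0x8664).hex())
```

On a real decompiled stub, `triage(open(path).read())` gives the SHA-256 of each embedded blob for hunting and shows which architecture each dropped payload targets.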
As previously stated, the malware payload is the core component of the implant.
As shown in the above figure, the malware is written with the .NET Framework and its creation date is 29 Jan 2020. This is the date the campaign began, as also demonstrated by the registration records of the C2. The malware is a modular implant that downloads other components from the C2.
The first operation is to provide to the C2 a list of the running processes on the victim machine:
Figure 10: C2 communication
The method used to send the information to the C2 is the following:
Figure 11: C2 communication routine
After that, the malware loops, waiting for commands coming from the C2:
Figure 12: Routine for the download of new modules
When the C2 sends commands to instruct the bot, the malware downloads and executes two other components, two DLLs downloaded from the following URLs:
The first DLL, once executed, is renamed “indexerdervice.dll”. This module has a sophisticated encrypted method of communication with the C2:
Figure 13: Evidence of the decrypting routine of the certificate
The above screen shows that the malware requests an RSA key, which has to be validated against the highlighted text. If the check is positive, the malware can proceed with its malicious actions, such as sending information:
Figure 14: Sending routine of the malware
The second module is a simple DLL whose purpose is to download other components from the drop URL and install them:
Figure 15: Evidence of the hard-coded AES key
The downloaded code has been encrypted through the Rijndael algorithm with a hard-coded key.
Transparent Tribe is back with a new campaign after several years of (apparent) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2, which dates back to 29 January 2020. The decoy document presents itself as a request for a DSOP Fund (Defence Services Officers Provident Fund), a provident fund for officials and military personnel, confirming the espionage and counterintelligence character of this campaign.
Finally, we have no certainty that this campaign has been inactive for 4 years; it may have acted quietly, but now the group is back in view of today’s tensions between the two countries.
Additional technical details, including Indicators of Compromise and Yara rules, are reported in the analysis published by
(SecurityAffairs – hacking, Operation Transparent Tribe)