Transparent Tribe Launches Cyberattacks Against Diplomats and Military Personnel in 27 Countries
The cybercriminal group known as Transparent Tribe (also referred to as PROJECTM and MYTHIC LEOPARD) has orchestrated malicious campaigns targeting diplomats and military personnel across 27 countries. Most of the victims are located in Afghanistan, Pakistan, India, Iran, and Germany. The attackers have developed a new tool designed to infect USB devices and spread malware to other systems.
Attack Chain and Infection Methods
The attack sequence begins with targeted phishing. Fraudulent emails carry malicious Microsoft Office documents whose embedded macros install the Crimson Remote Access Trojan (RAT). The trojan supports a wide range of functions, including connecting to a command-and-control (C&C) server to exfiltrate data, updating itself remotely, taking screenshots, and activating microphones and webcams for audio and video surveillance.
Capabilities of the Malware
According to experts from Kaspersky Lab, the malware can steal files from removable drives, perform keylogging, and steal credentials from browsers.
Malware Variants and New Features
Transparent Tribe also uses other malware, such as Crimson (based on .NET) and Peppy (based on Python). In recent attacks, the criminals have added a new component to the Crimson trojan, called USBWorm. It consists of two main parts: a tool for stealing files from removable drives and a worm function for infecting other vulnerable devices.
How USBWorm Spreads
When a USB drive is connected to an infected PC, a copy of the trojan is silently written to the removable device. The malware lists all directories on the drive and then saves a copy of the trojan in the root directory. The directories are then set to “hidden,” and the copy is given a fake Windows icon so that victims who try to open one of the directories click the executable instead and run the payload.
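The layout just described (directories flipped to hidden, executable copies dropped into the drive root) leaves a footprint that a defender can look for before a removable drive is trusted. The script below is an added example, not code from Kaspersky's report or from the group's tooling: it is a read-only triage heuristic that models the top level of a drive as a list of entries and flags the combination of hidden directories and root executables named after them. It assumes that the dropped copy takes a directory's name (the text only says the icon makes it pass for the directory), reads the hidden attribute from `st_file_attributes` on Windows, and ships with constructed sample drives so it runs offline on any platform.

```python
# Added example for the page above (not Kaspersky's or the attackers' code):
# a read-only triage heuristic for the USBWorm decoy layout described in the text.
import os
import stat
from dataclasses import dataclass

# File types that execute when double-clicked on Windows (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Windows "hidden" attribute bit; the stat module defines it on every platform.
HIDDEN_BIT = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


@dataclass(frozen=True)
class Entry:
    """One top-level item on the drive: its name, whether it is a directory,
    and whether the hidden attribute is set."""
    name: str
    is_dir: bool
    hidden: bool


def entries_from_path(root):
    """Build Entry records for the top level of `root` (assumed to be a drive root).
    The hidden attribute comes from st_file_attributes on Windows; on POSIX that
    field is absent, so only dot-prefixed names count as hidden there."""
    out = []
    with os.scandir(root) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & HIDDEN_BIT) or e.name.startswith(".")
            out.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return out


def find_decoy_pattern(entries):
    """Return the signals the text describes: directories that have been hidden,
    executables sitting in the root, and the subset of those executables that
    carry a directory's name (the decoy a folder icon points the victim at).
    Name comparison is case-insensitive because FAT/NTFS lookups are."""
    dir_names = {e.name.lower() for e in entries if e.is_dir}
    hidden_dirs = sorted(e.name for e in entries if e.is_dir and e.hidden)
    root_executables, decoys = [], []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() not in EXECUTABLE_EXTS:
            continue
        root_executables.append(e.name)
        if base.lower() in dir_names:
            decoys.append(e.name)
    return {
        "hidden_dirs": hidden_dirs,
        "root_executables": sorted(root_executables),
        "decoy_executables": sorted(decoys),
    }


def is_suspicious(entries):
    """Flag a drive only when directories have been hidden AND an executable
    named after one of them sits in the root; either signal alone is noisy
    (users hide folders, installers ship as setup.exe)."""
    r = find_decoy_pattern(entries)
    return bool(r["hidden_dirs"]) and bool(r["decoy_executables"])


# Constructed sample drives (not real samples): one showing the decoy layout,
# one ordinary drive with visible folders, a document and an installer.
INFECTED_DRIVE = [
    Entry("Reports", True, True),
    Entry("Photos", True, True),
    Entry("Reports.exe", False, False),
    Entry("photos.exe", False, False),
    Entry("notes.txt", False, False),
]
CLEAN_DRIVE = [
    Entry("Reports", True, False),
    Entry("Photos", True, False),
    Entry("notes.txt", False, False),
    Entry("setup.exe", False, False),
]

if __name__ == "__main__":
    import sys
    # Usage: python usb_decoy_check.py E:\   (scans a real drive root);
    # with no argument the constructed infected sample is analysed.
    target = entries_from_path(sys.argv[1]) if len(sys.argv) > 1 else INFECTED_DRIVE
    print(find_decoy_pattern(target))
    print("SUSPICIOUS" if is_suspicious(target) else "no decoy pattern found")
```

The check deliberately requires both signals together: a hidden folder by itself is something users create, and a lone `setup.exe` in a drive root is normal, but a hidden `Reports` next to a visible `Reports.exe` is exactly the bait the text describes. Run it with Explorer set to show hidden items and file extensions, which already defeats the icon trick for a human reader, and treat a positive result as a reason to image the drive rather than open anything on it.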