Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a cyber espionage unit that is linked to the Pakistani government and has been active since at least 2013. The group has been quite active in the last four years targeting primarily Indian military and government personnel, but during the last year, they attacked more and more targets in Afghanistan and their malicious activities were detected in about 30 countries.
Transparent Tribe uses .NET- and Python-based custom Remote Access Trojans and develops new utilities for specific campaigns. Typically, the attackers send spear-phishing emails containing MS Office documents with an embedded malicious macro that installs the primary payload. The final payload is often the Crimson RAT, but in some cases researchers found Peppy, a Python-based Trojan. Among the group's unusual utilities, a new USB attack tool dubbed USBWorm is worth noting: it consists of a file stealer for removable drives and a worm module to infect vulnerable systems.

A new exclusive rule submitted by Ariel Millahuel helps security solutions uncover malicious campaigns of the Transparent Tribe APT: https://tdm.socprime.com/tdm/info/w9JtZ2pcImQs/BDAtJXQBQAH5UgbBZk1v/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Techniques: Command-Line Interface (T1059)
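One way to surface the macro-to-payload step described above (an Office document's macro handing off to a command-line interpreter, T1059) in process-creation telemetry. This is an added example, not the SOC Prime rule and not code from the group; the JSON event lines, field names and process names are constructed in Sysmon's style and are assumptions.

```python
"""Flag Office applications spawning command-line interpreters (T1059)."""
import json
from pathlib import PureWindowsPath

# Office applications that host a spear-phishing document's macro.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro typically invokes to drop or start the payload.
CLI_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample process-creation events (one JSON object per line),
# not real telemetry. Events 1 and 3 are suspicious; 2 and 4 are benign.
SAMPLE_EVENTS = r"""
{"id": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start %APPDATA%\\update.exe"}
{"id": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"id": 3, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\Public\\run.ps1"}
{"id": 4, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores install dirs and case."""
    return PureWindowsPath(path).name.lower()


def is_office_to_cli(event: dict) -> bool:
    """True when an Office parent started a command-line interpreter child."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in CLI_CHILDREN)


def scan(lines: str) -> list[int]:
    """Return the ids of events matching the Office-to-interpreter pattern."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_office_to_cli(event):
            hits.append(event["id"])
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [1, 3]
```

Event 4 shows why the child image must be matched and not just the Office parent: Word routinely spawns the print-spooler helper, and flagging every Office child would drown the alert in noise.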