
BSidesCharm 2022 - The tribe and the copycat – A look into Pakistani APT campaigns in recent years

BSides Charm, 35:30, 292 views, published 2022-07.
About this talk
In recent years, there has been a substantial uptick in the intrusions attributed to Advanced Persistent Threat (APT) groups aligned with Pakistan. The two groups, ‘Transparent Tribe’ and ‘SideCopy’, have operated a variety of campaigns to realize the unified goal of espionage. Transparent Tribe is a well-established group, known to have operated since at least 2016. SideCopy, however, is a relatively new threat actor in the nascent stages of its life cycle, only disclosed recently, circa 2020. Using a combination of compromised and attacker-owned infrastructure, the APTs have deployed bespoke malware against a variety of targets in the Indian subcontinent. Typical targets for the groups include government and military entities in Afghanistan and India. In this presentation we take a deep dive into the tactics, techniques and procedures (TTPs) used by both groups over the course of the past two years. The presentation will start by showing the initial patterns and themes of malicious documents and lures used by the groups in 2020. The presentation will finish with an evolutionary analysis of Transparent Tribe and SideCopy’s tactics resulting in the deployment of their Windows malware implants.

Asheer Malhotra (@asheermalhotra)

Asheer is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Talos. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation-state attacks (APTs) across the world.
Transcript [en]

All right, I guess we'll start now. Okay, hello everyone, welcome to my talk. Is there an echo? Do you hear an echo? Okay, cool. All right, so I know it's after lunch, so I'm going to keep it short, light and sweet. I'm going to take about half an hour to go through my presentation and then we can have a discussion or any questions that you might have. So today I'm going to be presenting on the tribe and the copycat: we're going to be taking a look into Pakistani APT campaigns in recent years, specifically from 2020 into 2021 and then 2022. Before we start, for those of you that

don't know me, my name is Asheer Malhotra. I'm a threat researcher at Cisco Talos. I specialize in malware analysis, reverse engineering and threat intelligence. These days I work on a variety of APT disclosures; I track everyone from the North Koreans to the Chinese to the Pakistanis. I am located in Maryland, out of the Fulton, Maryland office, which is where the headquarters for Cisco Talos is. All right, so on today's agenda we're going to go through an introduction. I'm going to tell you a little bit about Pakistani hacking operations that are state-sponsored. We're going to take a look at two key APT groups here, Transparent Tribe and SideCopy, and then I'm going to summarize by talking about

the similarities and the differences between these two groups. So before we begin, by a show of hands, how many of you know what an APT is, an advanced persistent threat? All right, that's pretty cool. So for those of us that don't know, an advanced persistent threat is a threat actor or a hacking group that is usually affiliated with a government. You know, they're sponsored by a government in some form or the other and they do the bidding of the nation state in one form or the other. It's debatable whether they're advanced or not. There are certain APTs that are not really advanced, they're just regular hacking groups, and some of them are really, really advanced. So

we'll see that the Pakistani APT groups that I'm going to be discussing here today are not really advanced; they're sort of like tier 3 APT groups. So yeah, let's begin. Pakistani nation-state operations have been active since at least 2015 and '16. They were first disclosed by Proofpoint in 2016 as part of a report called Operation C-Major. Their operations consist of two key APT groups: one of them is Transparent Tribe and the other one is SideCopy. So the leopard on the screen represents Transparent Tribe, because they're also called Mythic Leopard, and then the two computers represent SideCopy, because we're just trying to show that they copy.

So Transparent Tribe is the OG APT group. They are the ones that started operations for the Pakistani government in 2016 and they have not lost momentum since then; we see a new campaign every three or four months operated by Transparent Tribe ever since 2016. So they've really upped their game since 2016, in the past six years or so. SideCopy is the new kid on the block. We first found them operating in 2019. They started proliferating themselves and their infection chains in 2020, their targeting absolutely exploded in 2021, and they continue to do so in 2022 as well. Now the most interesting

thing about both of these groups is that, you know, I spoke about 'advanced' in advanced persistent threat; they're not really advanced. We'll look at their implants a little bit and we'll look at their infection chains, but they don't really run cutting-edge operations. In spite of Transparent Tribe being operational for six or seven years now, they still want to do what works best. They don't want to put in a lot of effort and, you know, still infect targets at the same time, which is why I feel that they are a tier 3 APT. Now, what they lack in technical skills they make up for in motivation

and perseverance. They are extremely aggressive when they try to infect their users and their targets, and I'll show you some examples of that. Since these are Pakistani groups they have a very special interest in India and Afghanistan, and Pakistan: we've seen them deploy malware against targets that are domestic targets as well, for domestic surveillance. All right, let's take a look at Transparent Tribe now. Transparent Tribe has been extremely prolific; they're extremely aggressive when they try to infect their targets. Over the few years that they've been operating they have had a great degree of success with very little technical expertise, if I may say. They have a very special interest in

India and Afghanistan. As I said, they try to go after military and diplomatic entities in these two geographies. In Pakistan we've seen sporadic instances of individuals being targeted that are more related to, you know, human rights activists and stuff like that, humanitarian, the individuals that are performing humanitarian efforts. Now, Transparent Tribe likes to use two key malware families. One of them is called Crimson RAT, and they absolutely love this malware family; this is their go-to malware family. It's a C#-based, .NET-based custom remote access trojan with a wide variety of capabilities. These days they don't put a lot of effort into putting features into the RAT family because, you know, it's already

packed with so many features. So these days they just put in effort to obfuscate the RAT family so that analysis and identification becomes difficult. So about 95 percent of their infection chains, 95 percent of their targeting, results in an infection with Crimson RAT. Other than Crimson RAT we've also seen ObliqueRAT. This is a C-based remote access trojan that was disclosed by Talos in 2020. It's still evolving: every quarter or so we see an addition of a couple of features into this RAT family. The thing about this RAT is that it's used in highly targeted attacks. They will use this RAT

family very, very judiciously. It's not like Crimson RAT; they won't just willy-nilly distribute it. They know exactly what they want, they know exactly who they want to infect, and then they'll deploy ObliqueRAT against the targets. All right, so let's take a look at the hosting infrastructure. The hosting infrastructure for Transparent Tribe is interesting because they have a two-pronged approach. The first approach is that they will register fake domains that masquerade as those of legitimate entities. So they'll pick a defense contractor, they'll create a typosquatted domain for the defense contractor that operates out of India or Afghanistan, and they will clone

the entire website of that contractor, for example, and then they will host that website on their domain, and they will also use that website for hosting malicious artifacts that participate in their infection chains. I'll show you an example of this in the next slide as well. The second approach that Transparent Tribe loves to take is that they use media and file sharing websites. These are websites that masquerade as or look like CMS websites, something like Dropbox or like OneDrive or something else, and a good example of that is a domain like dropbox.cc. It looks like dropbox.com but it's not; it's actually operated by these attackers and they use it to host malicious artifacts.

All right, let's go through a few examples. So I've got three examples on the screen here of fake domains that they've created. They like to create fake domains for a variety of their targets and entities that they try to impersonate. We've seen fake domains and websites being created for defense contractors and think tanks and even government-themed websites. The first two screenshots that I have on the screen are taken from a website that they operated. They basically cloned a legitimate website with a tool called HTTrack and they set it up so that if you open up

the fake website in the browser it looks legit. The second screenshot, the one in blue, the one with the Taj Mahal in the back: this is a fake website that they set up for the employees of the government of India, and the 'download now' button basically downloads a malicious XLS file, an Excel sheet, and when you open it up it gives you a bunch of data about the different pay grades in the Indian government, but it also ends up infecting you with Crimson RAT. All right, let's take a look at the lures and targeting now. We've seen a variety of lures and a variety of themes being used in the

malicious documents that Transparent Tribe aims to distribute against their targets. We've seen defense-themed malicious documents, we've seen them targeting conference attendees, we've seen diplomatic themes, and we've even seen honey traps as well. In terms of defense-themed documents, I've got an interesting example here. This is a phishing email that contained a malicious document. This malicious document basically contains malicious macros that in turn deploy Crimson RAT onto the infected endpoint. This exact email was sent out by the attackers to defense advisors stationed in Indian embassies in Southeast Asia. So, you know, it looks very innocent, it looks very benign; you can't figure out what's going on

or whether this is malicious or not just by looking at the email, and then when you open up the document you end up getting infected with their implant. In terms of conference attendees, they like to target people like you and me, people who attend different types of conferences, especially trade conferences, defense-related conferences and even humanitarian conferences. We've seen extensive targeting of humanitarian conferences in Afghanistan by Transparent Tribe, especially before the Taliban took over the country. The screenshot that I have on the screen is an example of a malicious PowerPoint presentation that was created by the attackers and distributed to attendees of the conference known as Indie Sem 2021. This

is a conference that is owned and operated by the Indian Air Force. For those of you that are wondering, that's the Sukhoi-30 that's draped in the Indian flag. So they try to make their content and their lures look as legitimate as possible. Okay, so in terms of diplomatic themes, we've seen extensive targeting of Indian and Afghani agencies, but what's also interesting is that we've seen non-Indian diplomatic agencies being targeted as well. For example, in August 2020 and September 2020 the attackers sent employees of the British High Commission in Pakistan a malicious

archive that consisted of a ton of copies of Crimson RAT. So you just have to click any one of them and you'll get infected, and that's the first screenshot on the screen. We've also seen sporadic targeting of agencies located out of Iran, the Islamic Republic of Iran, but these are one-off cases; primarily their targeting is focused towards India and Afghanistan. Okay, honey traps. So Transparent Tribe loves to use honey traps. This is a direct translation of spying and espionage operations from their intelligence services into the cyber realm. Usually they will send you files that have icons with alluring or enticing photos of women and they will ask you to

click on them and you end up getting infected. They also love to send targets copies of resumes of women so that people end up opening them and they get infected by malware as well. This is a favorite technique of theirs; they love doing this, and incidentally SideCopy also loves doing this. They will contact their targets through social media websites like Facebook and talk to them, establish trust, and then end up sending them a resume or a file that says 'hey, these are my pictures, you want to take a look at them?' and then people end up

getting infected. Okay, so let's talk about Transparent Tribe's latest campaign. This was disclosed, I think, this month or last month by Cisco. In this specific campaign we saw a shift in the way the APT group operates. Usually, and by far, in about 90 percent of the cases Transparent Tribe will use malicious documents that act as entry vectors into their infection chains. In these cases, however, we saw the group use fake installers that were disguised as installers for applications that are used by the government of India and employees of the government of India. So you see the screenshot in white that says 'Kavach authentication'. Kavach is a

two-factor authentication software that is created by the government of India and it is used by the government of India's employees to log in to their emails and their intranets and such. So the way this infection chain works is that you get the fake installer, you execute it, and it downloads and executes Crimson RAT onto your system, and at the same time it downloads a legitimate copy of the application that it's masquerading as and then sets it up on the system as well. In this specific campaign we saw the use of a new lightweight .NET-based implant as well, and I call it lightweight simply because it

doesn't have as many capabilities as Crimson RAT, because Crimson RAT is packed with capabilities. So honestly I feel that the attackers are now trying to refresh their infection chains. They're also moving to a use-and-throw tactic where they will use a new lightweight implant for a campaign, and once the campaign has run its course they will throw it out and move on to another set of implants for the next campaign. Am I going too fast? Is this okay? Is this enough to digest? Okay, I tend to go fast when I get really excited. So, okay, so in 2021 we also saw the diversification of their entry vectors. You know, they love using maldocs, and even

today they still use malicious documents to infect users with Crimson RAT and ObliqueRAT, but as part of this latest campaign, around June 2021, we saw them start to experiment with different entry vectors. These are basically files that are the beginning of the infection chain. We saw them use image files, IMG files. We even saw them use VHDX files; I don't know why, honestly, they were doing that, but maybe it was effective. We saw them use RAR archives hosted on legit CMS services like Google Drive and OneDrive etc., and then in January and February we saw them start using fake installers for different types of applications, and that

practice has continued into March and April as well. Yes, you had a question? ...files or anything like that? No, not yet, not that I've known of. What's interesting about both of these APT groups is that they don't like experimenting a lot. So anything that works for them, they will continue to use those tactics for years and years and years, and I don't know why that is. Maybe they don't want to be agile, maybe they're too bureaucratic an organization; that's just up for speculation, but that's something that we've observed in the past as well. So they don't like experimenting a lot,

honestly. For example, we haven't seen them use any sort of zero-day exploits over the course of their campaigns over the past five or six years. So they're like, hey, if malicious documents that contain macros work for us, then why should we invest in finding zero-days? And that kind of makes sense; whatever works for you. So, all right, let's take a look at SideCopy now. SideCopy is the new kid on the block, the new addition to the family. As I go through SideCopy you will realize that SideCopy is very, very similar to Transparent Tribe, but I still want to go through it

and I still want to talk about it, because there are some key similarities between the two groups but there are also some key differences, which is why we're tracking them as two separate entities and we haven't merged them into the Transparent Tribe umbrella. Right, so in terms of targeting, SideCopy also targets the Indian subcontinent. They will go after India and Afghanistan and Pakistan. They will target government entities; they love going after military and diplomatic targets, for some reason. Well, that's espionage. So, okay, here's an interesting fact. The name SideCopy comes from the fact that this APT group loves to copy tactics and techniques from an allegedly Indian APT group

called SideWinder. So this is funny, and not ironic, because at one end you've got SideCopy, which is a Pakistani APT group, and then you've got SideWinder, which is an Indian APT group, and they're both adversaries of each other but they love copying from one another. So basically their infection chains are very similar: it starts out as a shortcut file, an LNK file, a link file, and what follows is different components of the CactusTorch offensive framework along with side-loading of DLLs etc. But the final payloads are very different in the case of SideCopy and SideWinder. In the case of SideCopy, now, SideCopy loves using two implants:

one is called CetaRAT. I know this isn't a cool name; I'm very bad at naming malware implants. It's a C#-based custom RAT family. It is the most widely used RAT family for SideCopy. In fact, SideCopy loves CetaRAT so much that sometimes they will deploy it twice on an infected endpoint without realizing that they've deployed the malware twice on the actual endpoint. The second RAT that they love is AllaKore RAT. This is a commodity RAT; it's been available in the wild since 2017. It's a Delphi-based RAT. It's very easy to operationalize, you know, to configure, to operationalize and to deploy, as in the case of a lot

of commodity RATs. We have seen AllaKore RAT being progressively, increasingly used with CetaRAT over the course of the past couple of years as well. Now in 2021 we saw an explosion of RAT families being used by SideCopy. We saw the introduction of another RAT family called DetaRAT. It's pretty similar to CetaRAT but it's not quite the same, which is why we gave it a different name. We saw them using ReverseRAT, which is basically a reverse shell created in C#, and it's got some other functionality inside of it as well. Then we saw the attackers deploy MargulasRAT, which is yet another RAT in C#.

Then there came ActionRAT, which is a RAT that looks like AllaKore but it's not quite; this is a custom, bespoke implementation of a Delphi-based and a C#-based RAT which we're calling ActionRAT. And then we saw a number of commodity RATs like njRAT and Lilith and Epicenter being used by the attackers at some point in time against their targets. Now, we also found many supporting components used in their infection chains that we can't quite term as full-fledged implants, which is why we're calling them plugins. So we found different kinds of plugins, like file managers and browser credential stealers and keyloggers of

different types, like Xeytan and Lava; these are commodity keyloggers that are available online. And then we also found a Golang-based component that we call Nodachi. This component is mainly geared towards stealing browser credentials and login information, and Wi-Fi credentials as well. It uses a library called go-lazagne. We also saw the attackers try to use this plugin for exfiltrating different types of files that were of interest to them, so something like the backup database for the two-factor authentication application that's used by the government of India. So they were specifically looking for those types of files that they wanted to exfiltrate.

Now, SideCopy is a very new group, right? So it's very obvious that they'll be highly motivated as well. They want to prove their significance, they want to prove their mettle, which is why they took their operations a step further. SideCopy will actively try to harvest credentials from their targets, and they've set up a ton of websites, like hundreds and hundreds of phishing websites, that they send out to their targets. On the screen I've got an example of that: this is a fake page for the webmail of the government of India, and they send it out

to a target, and then they get tricked into putting in their credentials and the attackers can harvest those credentials. Okay, so now I'll take a very quick look at their lures and decoys. If you take a look at this list, it's very similar to that of Transparent Tribe: the defense theme, think tanks, diplomatic themes and even honey traps. That's because, here's what I feel, they're two separate entities but they have the same set of goals. They answer to the same set of people, which is why they conduct different operations, operations that are different technically, but they have the same set of people that they want to infect.

All right, so yeah, this is a defense-themed document that they used as a decoy from January 2021. This is a document that they obtained from the Indian Army through some means and they started using it as a decoy. It's basically a seniority list of officers in one of their commands in the Indian Army. Now, SideCopy loves to go after think tanks as well, just like Transparent Tribe. We've seen them target different individuals associated with different think tanks that are associated with the Indian military. Some of the think tanks that were targeted are CLAWS, CENJOWS and ORF. CLAWS

is the Center for Land and Warfare Studies. CENJOWS is related to the Indian Army as well; this is too long an abbreviation for me to remember, honestly. Oh wait, I've got it in my notes: Center for Joint Warfare Studies. It's directly sponsored by the Indian Army. And then you've got the ORF, which is the Open Research Foundation. The screenshot on the screen that I have for you is an article from February 2021 by the ORF. It was published in their journal and it was geared towards their readers, and this infection chain, where this decoy is used, ultimately results in the deployment of njRAT on the victim's endpoints.

In terms of diplomatic themes, so far I've been showing you a lot of malicious documents and lures that are related to India, but I wanted to show you something about Afghanistan as well. So this is a lure and a decoy that was used by SideCopy where, once the infection is successful, they would show this decoy document to their victims. It's basically from the High Council for National Reconciliation in Afghanistan, and this is a council that was established for reconciliation between the previous government of Afghanistan and the Taliban. So they actively target Afghani agencies as well. And similarly we've got honey traps. This

is where they have a very close resemblance with Transparent Tribe as well. The example that I have here for you guys is of an Afghanistani individual, a lady, and they used her resume to try to infect their targets. It's very similar: Transparent Tribe also tends to use resume-themed lures, and I guess SideCopy has learned from that and they're now adopting the same technique and the same tactic. Okay, I've been going too fast and I'm sure you guys are falling asleep, so I'm going to summarize now. I promise this is going to be like three slides, I promise. Okay, so there's a lot of similarities between

SideCopy and Transparent Tribe, right? Like the kind of people they target, the tactics they use, the lures that they use. So it's a very fair assumption to think that they're both the same, and there are similarities to support that assumption as well. They target the same geography: they go after India and Afghanistan and even Pakistan. They have very similar themes in their lures and their decoys: they go after defense and diplomatic, and they use honey trap tactics as well. In terms of technical operations, we've seen both the APT groups use the same VPS providers like Contabo and others, and they love cloning websites of interest. This is another tactic that

they share with each other. However, there are some key differences. First of all, they operate a very different suite of malware. We haven't seen a lot of code similarities; we haven't seen a lot of similarities in the way the malware is written. You know, there's a specific coding style when somebody's writing code, and the malware for both these APTs is very mutually exclusive from each other, and that includes their infection chains as well. Transparent Tribe's infection chains are usually very short and sweet, to the point; they want to be as stealthy as possible. SideCopy, on the other hand, is still learning, if

I'm being tactful about it. In terms of operational security, Transparent Tribe is way more mature; they will conduct their operations so that things can't be traced back to them. SideCopy is still learning that. There are some operational mistakes that they make that make you feel that they're still learning, that there are still some noobs in that group. Also, we haven't seen any technical infrastructure overlap between these two groups, between the domains and the IP addresses and the C2 addresses that they operate. We've never seen any overlap between them, which suggests that these are two distinct groups that are operating alongside each other,

but they have their own teams and their own ways of getting things done. And that brings us to the end of the presentation. So I've got a few links for you on the screen; this is the research that we've done over the years tracking both of these groups and their different campaigns as well. And with that, I will open this up for any questions that you might have for me, any feedback, any blessings, any beer, I'll take it all.

So it's not really significant, but it shows a preference in their coding styles as well. You know, everyone has a different coding style. A lot of new-age APT groups, especially when they're in the learning phase, when they're in a very nascent phase of their operations, tend to focus on technologies that they can understand, and I'm sure C# is way easier than C and C++. So I mean, maybe that's just a design choice. So, sure, do you have a question? 'Yeah, I just want to say thank you, proxy fuzzer.' Okay, you're welcome. I have no idea what they are; I'm honestly not a product guy, I

just track APTs; that's all I do on a daily basis. But yeah, I'll take that forward, I'll take that forward. Yeah, I'll take that as a win.

So they tend to use a lot of different kinds of VPS providers, but Contabo is the one that they absolutely love. They will set up... oh yeah, so here's an example of the domains they set up. They will set up short and sweet domains that look very benign and very inconspicuous, if I may say, but they actually end up serving malware. Also, they don't care about disclosures. No matter how many times we go after them, no matter how many times we disclose their operations, they will continue to use the same domains again and again and

again. I don't know whether they're just being lazy or they just don't give a... I honestly don't know. Like, some of the websites that I've listed here and some of the screenshots that I've shown here, I'm pretty sure they're active even right now, and they're serving the same documents even now. So it's frustrating at times.

Right, so we've been tracking them for a long time, so we have some amount of institutional knowledge as well, but we also rely on a lot of open-source reporting from other firms, and that's basically what we do. So, for example, Transparent Tribe has been attributed to Pakistan again and again and again, and Crimson RAT, for example, is not a commodity RAT. So an infection chain that usually leads to Crimson RAT is associated with Transparent Tribe in one form or the other. In terms of SideCopy, we've also done pretty much the same thing. We know that SideCopy is associated with Transparent Tribe; they use the same kind of tactics and

they use the same kind of techniques as well. So I guess that's what I'm trying to say: we rely on a lot of institutional knowledge. Also, we rely a lot on our telemetry as well. So we've tried to figure out who's being attacked, who the target is; that's a very big part of it, who's being attacked. And then we also have to figure out what geography is being attacked, how anomalous this is. If you see Crimson RAT being used to target, say, a completely different country, it's an anomaly. We will still consider that, but we have to

consider all the facts and consider the possibility that this might be the result of a leak in some cases. So all of that needs to be considered, and then we do the attribution bit of it.

The Chinese like to conduct their own operations, yeah; they're very possessive about them. Yeah, honestly I don't know what goes on behind the scenes, but I'm not really sure how confident the Chinese are with the Pakistanis in sharing their infrastructure and their TTPs. You know, APTs usually don't tend to do that unless there's a leak. I hope not.

Yeah, they do that all the time, they do that all the time, but they're very trivial, honestly. It's nothing that you can't defeat if you look at the malware manually. So there's always a way around it, but they do do that.

Well, so they tend to try to detect if there's a specific AV running in that specific geography. You know how specific AV software is popular in specific geographies? So I'm not going to name names, but they try to detect those, and they're like, oh, if it's being detected maybe we should nope the hell out of there, or otherwise, in some infection chains, they're like, oh yeah, we'll take a note of it so that we can find a way to defeat this AV in the future and then use that in our infection chains. That's it. Am I missing someone?

Okay, thank you so much for tolerating this presentation. Thank you so much. [Applause] 23 minutes, okay.