Part 1: A High-Level Study of CrimsonRAT Infrastructure October 2020 – March 2021
INTRODUCTION
Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan, the latter of which points towards the assumed attribution of Pakistani intelligence. Tools used by this group include CrimsonRAT, ObliqueRAT, PeppyRAT and AndroidRAT, with most campaigns discovered relying on spear-phishing and social-engineering of victims. Over the coming months Team Cymru’s S2 analytic unit will be focusing on the infrastructure behind these known toolsets.
This is the first article of a two-part series on Transparent Tribe’s CrimsonRAT infrastructure.
We have been tracking CrimsonRAT , Transparent Tribe’s most ubiquitous remote access tool, over a number of months. This blog will present our high-level observations based on a study of 23 CrimsonRAT command and control (C2) servers. Our intention is to provide supporting context to existing Transparent Tribe reporting and IOCs, to aide in future threat reconnaissance activities against this group.
KEY OBSERVATIONS
C2s hosted with a number of different VPS providers – most commonly Contabo, ColoCrossing, Pi Net and QuadraNet.
Port 3389 was observed open on 83% of the CrimsonRAT C2 servers.
A total of 62 distinct beacon ports were observed, with minimal evidence of port re-use across C2s
Traffic to ip-api[.]com, used in the IP geolocation of victims, noted from C2 172.245.87.12
A review of a recent Transparent Tribe campaign reveals the targeted nature of the group’s activities.
Figure 1: Summary of Findings
Please note that details of all 23 CrimsonRAT C2 servers are provided in the technical appendix at the end of this blog.
CRIMSONRAT C2 HOSTING
When examining the IP attribution of CrimsonRAT C2 servers, it is apparent that TRANSPARENT TRIBE actors have sought to spread their infrastructure across a number of distinct providers, likely to provide some resilience to their operations. Whilst eight different providers were observed (Figure 2), there was a degree of preference noted for Contabo (5 servers), QuadraNet (4), Pi Net (4) and ColoCrossing (3).
Figure 2: Summary of Hosting Providers
When actors consider which hosting provider to use, many factors likely enter their decision-making process; accepted payment methods, geographical diversity, local privacy laws, and the probability of law enforcement disruption, to name a few.
One caveat for these findings is that whilst specific providers have been mentioned, based on available Whois information, in some cases the ranges used by Transparent Tribe may have been sub-leased to other providers.
PORT 3389
When reviewing open ports on the CrimsonRAT C2 server set, Port 3389, commonly associated with the Remote Desktop Protocol (RDP), was observed open in 83% of cases (19 of 23). Whilst this finding may be coincidental, the observed prevalence suggests it is a possible prerequisite for the functionality of the C2 server or it’s administration.
Transparent Tribe are known to run different versions of a .NET application which acts as the CrimsonRAT command-and-control panel. This is a GUI application which is used to manage components of the tool on victim hosts (see https://securelist.com/transparent-tribe-part-1/98127/). As an interactive session is required to interface with this application, one hypothesis is that the actors require RDP access to the CrimsonRAT command-and-control panel.
Furthermore, the majority of CrimsonRAT servers were found to be running Windows Server 2012R2.
We are currently conducting an analysis of ongoing and historic connections to CrimsonRAT C2s on Port 3389. The goal of this analysis is to identify any potential uses by Transparent Tribe actors (thus identifying higher order infrastructure), as well as separating this activity from the regular scanning of Port 3389, which takes place on the Internet every day.
BEACON PORTS
A typical CrimsonRAT payload can have up to five pre-configured callback ports for communications with the C2 server. We have witnessed minimal evidence of port re-use across samples and the C2s we have analyzed, with only four ports being used more than once: 3878, 4586, 6818 and 8666. It’s possible these ports are seemingly randomly selected by the operator.
In total, 62 distinct beacon ports were identified across the 23 C2 servers, from the lower end of 2991 to the higher end of 54131 – although the majority of ports were clustered between 2991 and 17443.
C2 172.245.87.12 (IP-API[.]COM USAGE)
In addition to inbound victim traffic to C2 172.245.87.12 (AS-COLOCROSSING, US), we also observed outbound connections to ip-api[.]com (208.95.112.1) on Port 80, during the period 12 December 2020 – 06 March 2021.
This finding supports the presence of server version ‘A’ (as described in the aforementioned Securelist blog) on this particular C2 – which is known to use ip-api[.]com for performing IP geolocation lookups of victims when they beacon in.
Our own analysis of the CrimsonRAT server source code identifies that the ip-api[.]com lookup occurs automatically when a new victim calls into the controller and that these results are then cached so that further lookups are not required. These lookups can therefore be represented as evidence of ‘new’ victims with associated timestamp information providing an indication as to when an initial compromise has taken place. It is possible that multiple lookups could occur for the same victim when their IP address changes due to dynamic assignments.
Based on our coverage of C2 172.245.87.12 we see victim IPs assigned to Indian providers beaconing to the configured ports (as described above). Therefore, using a conversion from UTC to Indian Standard Time (IST) – UTC+05:30, we can see that victims have been newly compromised during ‘usual’ office hours:
Time Correlation:
2020-12-12 03:39:17 UTC = 09:09:17 Local IST
2020-12-30 07:28:02 UTC = 12:58:02 Local IST
2021-02-04 07:53:52 UTC = 13:23:52 Local IST
2021-02-23 03:51:31 UTC = 09:21:31 Local IST
2021-03-04 12:10:54 UTC = 17:40:54 Local IST
2021-03-06 04:15:27 UTC = 09:45:27 Local IST
2021-03-14 09:59:47 UTC = 15:29:47 Local IST
These findings are caveated by the limitations of our coverage, i.e., these findings are accurate based on the traffic we have observed – other compromises may have taken place outside of these hours.
VICTIMOLOGY
A recent Transparent Tribe campaign, targeting the Indian Air Force (IAF), was used to provide an example of victimology.
On 24 March 2021, a Transparent Tribe lure document (Figure 4) was disclosed on Twitter, comprising a PowerPoint presentation for an IAF/industry collaborative event – ‘INDISEM-2021’.
The objective of this event was to purportedly identify organizations in India’s commercial sectors capable of undertaking maintenance contracts for the IAF fleet.