India in the crosshairs: Scale of APT36 attacks shocks researchers

Cyfirma has revealed all the cards of Pakistani hackers.

Cyfirma conducted an OSINT investigation and identified the infrastructure associated with the Transparent Tribe group (APT36), with a particular focus on command and control (C2) servers. The investigation began after a post on X by security expert @PrakkiSathwik, who discovered two IP addresses associated with the group's C2 servers – 206.189.134.185 and 143.198.64.151.

The starting point of the study was the IP address 143.198.64.151, registered on the DigitalOcean platform (ASN AS14061). This IP was identified as a Mythic C2 server running on ports 22 (SSH), 80 (HTTP), and 7443 (HTTPS). Mythic is a feature-rich post-exploitation framework designed for team exercises, but also often used by attackers.

To identify other servers associated with this infrastructure, server scanning and analysis tools such as JARM (to determine TLS configurations) and HTML title metadata were used. As a result, experts identified 15 IP addresses also registered on DigitalOcean and associated with the Mythic framework.
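The pivot described above (seed host, then look for other hosts that share its TLS fingerprint and HTTP title within the same hosting provider) is easy to reproduce over an exported scan dataset. The script below is an added example, not Cyfirma's tooling; the scan records, the JARM strings and the titles are constructed placeholders, not real fingerprints of Mythic, and only the two seed IPs and the ASN come from the article.

```python
"""Pivot from one known C2 host to lookalike hosts by JARM + HTTP title.

Added example for this page. The records below are CONSTRUCTED in the shape a
Shodan/Censys-style export might take; JARM values are placeholders.
"""

# Constructed scan records: ip, hosting ASN, open ports, TLS fingerprint, HTTP title.
SCAN_RECORDS = [
    {"ip": "143.198.64.151", "asn": "AS14061", "ports": [22, 80, 7443],
     "jarm": "PLACEHOLDER_JARM_A", "title": "Mythic"},
    {"ip": "206.189.134.185", "asn": "AS14061", "ports": [22, 80, 7443],
     "jarm": "PLACEHOLDER_JARM_A", "title": "Mythic"},
    # Same provider and same JARM, but a default web-server page: weak match.
    {"ip": "198.51.100.10", "asn": "AS14061", "ports": [80, 443],
     "jarm": "PLACEHOLDER_JARM_A", "title": "Welcome to nginx!"},
    # Same title, different TLS stack and provider: probably a different deployment.
    {"ip": "203.0.113.7", "asn": "AS64496", "ports": [443],
     "jarm": "PLACEHOLDER_JARM_B", "title": "Mythic"},
    {"ip": "192.0.2.44", "asn": "AS14061", "ports": [22, 7443],
     "jarm": "PLACEHOLDER_JARM_A", "title": "Mythic"},
]

# Weights are an assumption for this example: the TLS fingerprint and the
# title are the strongest signals, hosting provider and port are corroborating.
WEIGHTS = {"jarm": 2, "title": 2, "asn": 1, "port": 1}
C2_PORT = 7443  # the HTTPS port reported for the seed server in the article


def score_candidate(seed, candidate):
    """Return (score, reasons) describing how closely candidate resembles seed."""
    score, reasons = 0, []
    if candidate["jarm"] == seed["jarm"]:
        score += WEIGHTS["jarm"]
        reasons.append("same JARM")
    if candidate["title"] == seed["title"]:
        score += WEIGHTS["title"]
        reasons.append("same HTTP title")
    if candidate["asn"] == seed["asn"]:
        score += WEIGHTS["asn"]
        reasons.append("same ASN")
    if C2_PORT in candidate["ports"]:
        score += WEIGHTS["port"]
        reasons.append(f"port {C2_PORT} open")
    return score, reasons


def pivot(seed_ip, records, min_score=4):
    """Return candidates resembling the seed, best match first, as (ip, score, reasons)."""
    seed = next(r for r in records if r["ip"] == seed_ip)
    hits = []
    for rec in records:
        if rec["ip"] == seed_ip:
            continue
        score, reasons = score_candidate(seed, rec)
        if score >= min_score:
            hits.append((rec["ip"], score, reasons))
    # Highest score first; tie-break on IP so output is deterministic.
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


if __name__ == "__main__":
    for ip, score, reasons in pivot("143.198.64.151", SCAN_RECORDS):
        print(f"{ip:16} score={score} ({', '.join(reasons)})")
```

Hosts that share only one weak signal (a provider, or a common title) drop below the threshold; raising `min_score` tightens the cluster, lowering it widens the hunt at the cost of false positives, which is the trade-off any such pivot has to manage before the result is treated as a blocklist.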

The attack was found to use Linux desktop entry files disguised as PDF documents and spreading malicious code. These files were first spotted in India, indicating a possible target of the campaign – Indian users and organizations. This is consistent with the history of Transparent Tribe activity, which is known for attacking Indian government structures through phishing and other attack vectors.

Transparent Tribe makes extensive use of Linux environments, given their widespread use in government organizations in India, especially those based on Debian operating systems such as BOSS OS and Maya OS.
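A `.desktop` lure works because the file manager shows the `Name` and `Icon` fields rather than the `Exec` line, so a defender can triage such files by comparing what the entry claims to be with what it actually launches. The checker below is an added example, not part of the article or of any vendor tooling; the three sample entries are constructed, and the interpreter list and the "looks like a PDF" heuristic are assumptions chosen for illustration.

```python
"""Triage Linux .desktop entries whose Name/Icon suggest a document but whose
Exec line launches a shell or scripting interpreter.

Added example for this page; the sample entries are CONSTRUCTED.
"""
import configparser
import os
import re
import shlex

# Assumption: launching one of these directly from a "document" entry is a red flag.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget"}
DOCUMENT_HINT = re.compile(r"pdf|docx?|xlsx?", re.I)
SCRATCH_DIRS = ("/tmp", "/dev/shm", "/var/tmp")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)  # %U etc. must not be expanded
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("missing [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def assess(text):
    """Return {'name', 'suspicious', 'reasons'} for one desktop entry."""
    entry = parse_desktop_entry(text)
    name, icon = entry.get("Name", ""), entry.get("Icon", "")
    exec_line = entry.get("Exec", "")
    reasons = []

    looks_like_document = bool(DOCUMENT_HINT.search(name) or DOCUMENT_HINT.search(icon))
    if looks_like_document:
        reasons.append("presents as a document via Name/Icon")

    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    argv = [a for a in argv if not a.startswith("%")]  # drop field codes like %U
    program = os.path.basename(argv[0]) if argv else ""

    launches_interpreter = program in INTERPRETERS
    if launches_interpreter:
        reasons.append(f"Exec launches interpreter '{program}'")
        if entry.get("Terminal", "false").lower() == "false":
            reasons.append("Terminal=false hides the shell from the user")
    if any(d in exec_line for d in SCRATCH_DIRS):
        reasons.append("Exec references a scratch directory")

    # Both conditions together are what makes it a lure rather than a viewer
    # or an unusual-but-honest launcher.
    suspicious = looks_like_document and launches_interpreter
    return {"name": name, "suspicious": suspicious, "reasons": reasons}


# Constructed samples. The lure's Exec path is a placeholder, not a real artifact.
BENIGN_EDITOR = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

HONEST_PDF_VIEWER = """[Desktop Entry]
Type=Application
Name=Document Viewer
Exec=evince %U
Icon=application-pdf
Terminal=false
"""

LURE = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Icon=application-pdf
Exec=bash -c "/tmp/.cache/PLACEHOLDER.sh"
Terminal=false
"""

if __name__ == "__main__":
    for sample in (BENIGN_EDITOR, HONEST_PDF_VIEWER, LURE):
        result = assess(sample)
        print(result["name"], "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The honest PDF viewer trips the document heuristic but not the interpreter one, which is why the verdict requires both; in practice the same check is worth running over `~/.local/share/applications`, `~/Desktop` and mail-attachment directories, where a user-dropped `.desktop` file would land.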

As mentioned above, the investigation identified 15 IP addresses associated with the use of Mythic and Poseidon agents. These addresses function as C2 servers, allowing the attackers to take control of the infected systems.

APT36, also known as the Transparent Tribe, is a group believed to be based in Pakistan that has been active since 2013. Despite its limited technical capabilities, the group demonstrates perseverance and constant development of tactics. The main targets are the government, defense and educational structures of India.

During the attacks, attackers use phishing and distribute malware using Linux binaries and open source tools such as Mythic. The methods they use allow them to bypass traditional security measures and ensure constant access to infected systems.

Cyfirma's investigation provided valuable insights into Transparent Tribe's infrastructure and practices, allowing security professionals to better understand the threat and respond quickly to potential attacks.
