
Is There More to the New Transparent Tribe TTPs?

The Pakistan-India rivalry has been going on for some time now, not just in sports events but also online in the form of cyber attacks. Zscaler ThreatLabz has been monitoring a result of this ongoing friction—Transparent Tribe, also known as “APT-36”—since the start of this year.

In the past, the threat group relied on malvertising and phishing to steal confidential information from their target Indian governmental organizations. They’ve seemingly upped the ante just this month with new tools, tactics, and procedures (TTPs), including abusing the legitimate Kavach app and Google Ads and using a new exfiltration tool dubbed “Limepad.” Given all that, the researchers published 15 domains as indicators of compromise (IoCs), namely:

  • xlapp[.]workbooks[.]open
  • kavach[.]mail[.]nic-updates[.]in
  • kavach[.]mail[.]gov[.]in
  • wzxdao[.]com
  • nic-updates[.]in
  • ncloudup[.]com
  • kavachsupport[.]com
  • kavachguide[.]com
  • kavachdownload[.]in
  • kavach-app[.]in
  • kavach-app[.]com
  • getkavach[.]com
  • get-kavach[.]in
  • gcloudsvc[.]com
  • acmarketsapp[.]com

In an effort to make the Internet transparent and safer, we used the domains above as jump-off points to conduct an in-depth IoC expansion analysis aided by our WHOIS, IP, and DNS intelligence sources. Our investigation revealed:

  • 13 IP addresses to which the IoCs resolved
  • 1,511 domains that shared the IoCs’ IP hosts
  • 687 more domains that shared the IoCs’ strings—“kavach,” “wzxdao,” “nic-updates,” “ncloudup,” “gcloudsvc,” and “acmarketsapp”
  • 62 unredacted registrant email addresses from the additional domains’ current WHOIS records
  • 11,592 more domains that shared the newly found artifacts’ registrant email addresses
  • 31 malicious artifacts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Our Closer Look Revealed

We began our foray into the public IoCs by subjecting them to DNS lookups that showed they resolved to 13 unique IP addresses, seven of which are:

  • 172[.]67[.]130[.]228
  • 104[.]21[.]3[.]152
  • 176[.]57[.]188[.]221
  • 65[.]108[.]136[.]118
  • 172[.]67[.]195[.]216
  • 104[.]21[.]52[.]54
  • 164[.]100[.]15[.]168

These IP addresses were mostly concentrated in the U.S., while one host each was located in four other countries—Germany, Finland, India, and the Netherlands. Given the attack’s target—Indian governmental organizations—the use of these locations could be a ploy to mislead investigators regarding the attackers’ actual origins.

Using the IP addresses above as reverse IP lookup search terms allowed us to collate 1,512 possibly connected domains.

We noticed unique strings from among the IoCs, including “kavach,” “wzxdao,” “nic-updates,” “ncloudup,” “gcloudsvc,” and “acmarketsapp” and used these as Domains & Subdomains Discovery search terms to gather more potentially related artifacts. That led to the discovery of 687 more domains, some of which also contained interesting strings like “insurance” (e.g., insurancekavach[.]com) and “corona” (e.g., coronakavachapp[.]com). These could figure in attacks targeting insurance companies and their employees and customers or people in search of COVID-19 related information.

Here is an overview of the additional artifacts that contained the same unique strings seen among the domains identified as IoCs below.

A bulk WHOIS lookup for the 600+ domains allowed us to uncover 62 unredacted registrant email addresses, seven of which appear to belong to legitimate businesses so they were excluded from our next step. As the remaining 55 email addresses could belong to potential attackers given their ties to the IoCs, we subjected them to reverse WHOIS searches, which gave us 11,592 more domains.
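The pivot chain described above (resolve the seed IoCs, reverse IP on the resulting hosts, search for the shared strings, pull registrant emails from WHOIS while dropping addresses tied to legitimate businesses, then reverse WHOIS on the rest) can be modelled offline. The script below is an added example, not WhoisXML API's own tooling or code from this post. Its DNS and WHOIS tables are constructed sample records: the two seed IoCs come from the list above, but every other domain, the RFC 5737 IP addresses, and the registrant emails are made up, and a real run would replace the dictionaries with live lookups.

```python
"""Offline IoC expansion pivot (added example; constructed sample data)."""
from collections import defaultdict
import re

# Seed IoCs, defanged as published. These two are taken from the post's list.
SEED_IOCS = ["kavachsupport[.]com", "nic-updates[.]in"]

# Constructed forward-DNS table (domain -> IP); RFC 5737 documentation ranges.
DNS = {
    "kavachsupport.com": "192.0.2.10",
    "nic-updates.in": "192.0.2.10",
    "kavachguide-example.net": "192.0.2.10",      # shares the seeds' host
    "unrelated-shop.example": "192.0.2.10",       # shares the host, nothing else
    "coronakavachapp-example.org": "198.51.100.7",
    "kavach-insurance-legit.example": "203.0.113.5",
}

# Constructed WHOIS table (domain -> registrant email; None means redacted).
WHOIS = {
    "kavachsupport.com": "reg1@example.test",
    "nic-updates.in": None,
    "kavachguide-example.net": "reg1@example.test",
    "unrelated-shop.example": "legit@bigbusiness.example",
    "coronakavachapp-example.org": "reg2@example.test",
    "kavach-insurance-legit.example": "legit@bigbusiness.example",
    "another-lure-example.com": "reg1@example.test",
    "third-lure-example.in": "reg2@example.test",
    "bigbusiness-site.example": "legit@bigbusiness.example",
}

# Registrant emails an analyst has judged to belong to legitimate businesses;
# the post excluded seven such addresses before its reverse-WHOIS step.
KNOWN_LEGIT_EMAILS = {"legit@bigbusiness.example"}


def refang(ioc: str) -> str:
    """Turn a published 'a[.]b' indicator back into a resolvable name."""
    return ioc.replace("[.]", ".")


def defang(name: str) -> str:
    """Defang a name for safe sharing in reports and blocklists."""
    return name.replace(".", "[.]")


def _invert(mapping):
    """Build value -> {keys} so reverse-IP and reverse-WHOIS are set lookups."""
    idx = defaultdict(set)
    for key, value in mapping.items():
        if value:  # skip redacted WHOIS / unresolved DNS entries
            idx[value].add(key)
    return idx


def expand(seeds, dns, whois, strings, legit_emails):
    """Run the five pivots and return each layer of newly found artifacts."""
    seeds = {refang(s) for s in seeds}
    # 1. DNS lookups: seed domains -> IP hosts.
    ips = {dns[d] for d in seeds if d in dns}
    # 2. Reverse IP: every other domain on those hosts.
    by_ip = _invert(dns)
    ip_domains = set().union(*(by_ip[ip] for ip in ips)) - seeds
    # 3. String pivot over the domain universe (stands in for a discovery search).
    pattern = re.compile("|".join(re.escape(s) for s in strings), re.IGNORECASE)
    universe = set(dns) | set(whois)
    string_domains = {d for d in universe if pattern.search(d)} - seeds
    # 4. Bulk WHOIS on the string matches; drop emails tied to legitimate businesses.
    emails = {whois[d] for d in string_domains if whois.get(d)} - set(legit_emails)
    # 5. Reverse WHOIS on the remaining registrant emails.
    by_email = _invert(whois)
    email_domains = set().union(*(by_email[e] for e in emails)) - seeds - string_domains
    return {
        "ips": ips,
        "ip_domains": ip_domains,
        "string_domains": string_domains,
        "registrant_emails": emails,
        "email_domains": email_domains,
    }


def monitoring_list(result) -> list:
    """Deduplicated, sorted, defanged domains from every pivot layer."""
    found = result["ip_domains"] | result["string_domains"] | result["email_domains"]
    return [defang(d) for d in sorted(found)]


if __name__ == "__main__":
    res = expand(SEED_IOCS, DNS, WHOIS, ["kavach", "nic-updates"], KNOWN_LEGIT_EMAILS)
    for layer, items in res.items():
        print(f"{layer}: {sorted(items)}")
    print("monitoring list:", monitoring_list(res))
```

The layers are kept separate because they carry different confidence: a domain that merely shares a Cloudflare-style host (step 2) is weaker evidence than one that shares a non-redacted registrant email (step 5), and the legitimate-email exclusion is what stops step 5 from pulling an innocent business's whole portfolio into the watchlist.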

Further scrutiny of the 11,000+ domains showed that 1,086 of them had retrievable WHOIS records. In addition, a majority of them (399 domains) identified Iceland as their registrant country, followed by the U.S. (291 domains), Canada (23 domains), India (16 domains), and China (11 domains). These locations, apart from the U.S. and the Netherlands, didn’t match the top 5 IP geolocation countries.

Screenshot lookups for the 11,000 artifacts also showed interesting results, possibly worthy of monitoring for security reasons. Some of them could be mimicking legitimate business websites like those shown below.

Note that Citizens Bank exists but the site above isn’t its homepage.

Moneysmart.gov.au’s website warns users against transacting with “Alliance FX Capital Ltd.” as it could be involved in scams. It is, in fact, listed among the companies users shouldn’t deal with.

Despite the presence of “Apple” in the domain and the company’s logo on the webpage, the site has no apparent connection to Apple, Inc. Even if the site’s owner did not create it to lure potential attack victims, they could still be considered guilty of copyright infringement.

More than expanding the publicized list of IoCs with possibly connected artifacts, we were also able to identify 31 additional domains that should probably be included in blocklists, as our bulk malware check showed they were confirmed as either malware hosts or known spam sources.


Our deep dive into the digital breadcrumbs that the Transparent Tribe actors could have left allowed us to determine that potential targets should probably add 13 IP addresses and 13,758 domains to their monitoring lists and 31 domains to their blocklists to ensure utmost protection against the threat. Apart from Kavach and Google Ads, the group could also abuse Citibank (allcitibank[.]com), Amazon (amazoncloudupdater[.]net), and Digital Ocean (digitaloceancloudupdator[.]online) and their customers.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
