
How hackers hack the government and the military by infecting USB devices


If you connect a USB drive to a device infected with this malware, a copy of the Trojan will silently be installed on it.

The Transparent Tribe hacker group (also known as PROJECTM and MYTHIC LEOPARD) carried out attacks on the governments and military personnel of 27 states, using its Crimson Trojan, designed to infect USB devices and then spread malware to other USB devices connected to the system.

“The Transparent Tribe hackers are focused on surveillance and espionage, and to achieve these goals, the group is constantly developing its toolkit depending on the intended goal,” Kaspersky wrote in its blog.

The hackers targeted victims from 27 countries, but most of them were in Afghanistan, Pakistan, India, Iran and Germany.

The attack sequence begins with spear-phishing. The attackers send fake messages along with malicious Microsoft Office documents containing an embedded macro that installs the Crimson Remote Access Trojan (RAT) on the system.

If the victim falls for the ruse and enables macros, the Trojan is launched and allows the attacker to perform various functions on the victim’s system, including connecting to a command and control (C2) server to steal data and remotely update the malware, steal files, capture screenshots, and take control of microphones and webcams for audio and video surveillance.

According to Kaspersky Lab experts, the Trojan can also steal files from removable media and collect credentials stored in browsers.

The malware exists in three versions that were compiled in 2017, 2018, and late 2019, suggesting that the malware is still in active development. Between June 2019 and June 2020, over 200 samples of Transparent Tribe Crimson components were found.


Trojan distribution map

The Transparent Tribe hackers also use malware such as the .NET-based Crimson and the Python-based Peppy. But the most interesting thing is a new attack tool called USBWorm. It can not only steal files, but also infect other vulnerable devices.

If you connect a USB drive to a device infected with this malware, a copy of the Trojan will silently be installed on it. The malware lists all directories on the drive, hides a copy of itself in the root directory of the drive, and then sets the attribute of each real directory to "hidden". The Trojan uses a fake Windows folder icon to entice the victim to click and execute the payload when trying to open those directories.

“This causes all actual directories to be hidden and replaced with a copy of the malware with the same directory name,” the researchers note.

If a USB drive is connected to the infected PC, a copy of the Trojan is discreetly installed on removable media. The malware enumerates all directories on the drive and then saves a copy of the Trojan in the root directory of the drive. The directory attribute is then changed to "hidden" and a fake Windows icon is used to entice victims to click and execute the payload when attempting to access directories.
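The directory-masquerading pattern described above is straightforward to check for from the defender's side: in the root of a removable drive, a real directory that has been marked hidden sitting next to an executable of the same name is exactly the footprint USBWorm leaves. The following script is an added example written for this article, not code from Kaspersky or from the article itself; the list of executable extensions, the sample drive listing and the `Entry` record are assumptions made for illustration.

```python
import os
import stat
from dataclasses import dataclass

# Added example (not from the article or Kaspersky): flag "hidden directory +
# same-named executable" pairs in the root of a removable drive, the footprint
# USBWorm leaves when it hides real folders and drops look-alike copies of itself.

# Assumption: extensions a dropped PE payload is likely to carry.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


@dataclass(frozen=True)
class Entry:
    name: str       # file or directory name as it appears in the drive root
    is_dir: bool
    is_hidden: bool


def find_lookalike_pairs(entries):
    """Return the names of hidden directories that have a same-named executable beside them."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.is_hidden}
    suspicious = set()
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_SUFFIXES and stem.lower() in hidden_dirs:
            suspicious.add(stem)
    return sorted(suspicious)


def _is_hidden(path):
    # Windows exposes the hidden bit via st_file_attributes; on other systems
    # fall back to the dot-file convention so the scan still runs.
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_bit) or os.path.basename(path).startswith(".")


def scan_drive_root(root):
    """Build Entry records for a real drive root and run the pair check on them."""
    entries = [Entry(n, os.path.isdir(os.path.join(root, n)), _is_hidden(os.path.join(root, n)))
               for n in os.listdir(root)]
    return find_lookalike_pairs(entries)


# Constructed sample listing of an infected drive root: "Photos" and "Invoices"
# were hidden and shadowed by executables, "Docs" is an untouched folder.
SAMPLE_ROOT = [
    Entry("Photos", True, True), Entry("Photos.exe", False, False),
    Entry("Invoices", True, True), Entry("Invoices.scr", False, False),
    Entry("Docs", True, False), Entry("notes.txt", False, False),
]

if __name__ == "__main__":
    for name in find_lookalike_pairs(SAMPLE_ROOT):
        print(f"suspicious: hidden directory '{name}' shadowed by an executable of the same name")
```

Run it against a mounted drive with `scan_drive_root("E:\\")` (path is an example); any hit is a reason to treat the drive as infected and not open anything on it.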
