The Transparent Tribe group is running campaigns against government and military personnel and has unveiled a new tool designed to infect USB devices and spread to other systems.
The advanced persistent threat (APT) group, previously investigated by Proofpoint (PDF), has been operating since at least 2013 and has been linked to earlier attacks against the Indian government and army.
Recently the APT has turned its attention to Afghanistan; however, researchers have documented its presence in about 30 countries.
Also known as PROJECTM and MYTHIC LEOPARD, the Transparent Tribe is described as a "productive" group involved in "mass espionage campaigns".
Transparent Tribe focuses on surveillance and espionage, and to achieve these goals the group constantly evolves its toolkit according to the target, Kaspersky said in a blog post on Thursday.
The attack chain starts in a classic way, with a phishing email. Fraudulent messages are sent with malicious Microsoft Office documents containing an embedded macro that deploys the group's main payload, the Crimson Remote Access Trojan (RAT).
If a victim enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server to exfiltrate data and fetch malware updates, stealing files, capturing screenshots, and hijacking microphones and webcams for audio and video surveillance.
Kaspersky says the Trojan is also capable of stealing files from removable media, logging keystrokes, and stealing credentials stored in browsers.
The Trojan is available in two versions, released in 2017, 2018 and the end of 2019, indicating that the malware is still under active development.
The Transparent Tribe group also uses other .NET malware and a Trojan called Peppy, but a new USB attack tool is of particular interest.
USBWorm consists of two basic components: a file stealer for removable drives and a worm for propagating to new, vulnerable machines.
If a USB drive is connected to an infected computer, a copy of the Trojan is silently installed on the removable drive. The malware lists all directories on the drive and saves a copy of the Trojan in the drive's root directory under each directory's name. Each real directory's attribute is then changed to "hidden", and a fake Windows folder icon is used to entice victims into clicking and executing the payload when they try to open the directory.
"This results in hiding and replacing all real directories with a copy of the malware using the same directory name," the researchers note.
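As an added defender-side example (not code from Kaspersky's report or from the article), the following Python check looks for the directory-masquerading pattern just described: executables in a removable drive's root whose base name matches a hidden directory sitting beside them. The drive listing in `SAMPLE_DRIVE` is constructed for illustration; the hidden flag is read from Windows file attributes and is unavailable on other platforms, where `list_root` reports no hidden entries.

```python
"""Flag root-level executables that mirror the name of a hidden directory."""
import os
import stat
import sys
from dataclasses import dataclass
from pathlib import Path

# Extensions a fake "folder" would realistically carry on Windows.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_masquerading_pairs(entries):
    """Return executables whose stem equals the name of a hidden directory."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        stem, suffix = os.path.splitext(e.name)
        if suffix.lower() in EXECUTABLE_SUFFIXES and stem.lower() in hidden_dirs:
            hits.append(e.name)
    return sorted(hits)


def list_root(drive_root):
    """Read a drive's root; the hidden flag comes from Windows attributes only."""
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    entries = []
    for p in Path(drive_root).iterdir():
        attrs = getattr(p.stat(), "st_file_attributes", 0)
        entries.append(Entry(p.name, p.is_dir(), bool(attrs & hidden_bit)))
    return entries


# Constructed listing resembling a drive after the worm has run.
SAMPLE_DRIVE = [
    Entry("Documents", True, True),
    Entry("Documents.exe", False, False),
    Entry("Photos", True, True),
    Entry("Photos.exe", False, False),
    Entry("Backup", True, False),  # untouched, visible directory
    Entry("notes.txt", False, False),
    Entry("setup.exe", False, False),  # executable with no matching directory
]

if __name__ == "__main__":
    entries = list_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DRIVE
    print("suspicious:", find_masquerading_pairs(entries))
```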
More than 200 samples of Transparent Tribe Crimson components were identified between June 2019 and June 2020.
"Over the past 12 months, we have seen a widespread campaign against military and diplomatic targets," said Kaspersky researcher Giampaolo Dedola. "We do not expect this group to slow down in the near future."