ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of cyber attack methods. These include spear-phishing emails and watering hole attacks, where they set up malicious websites or compromise legitimate ones to deliver payloads to their targets. ProjectM notably used a blog titled “India News Tribe” as a watering hole to deliver these payloads.
During the investigation into ProjectM's activities, several command and control domains used by the group were analyzed, including those for the Andromeda, Crimson, and Peppy Trojans. This analysis led to the discovery of connections between ProjectM’s infrastructure and an individual residing in Pakistan. The email address linked to this individual was found in the advertisement for Xtex Studios and was further associated with a Google+ profile containing posts related to domains hosting payloads or acting as C2 servers for ProjectM. This suggests that the individual possesses skills that could be valuable to offensive campaigns like those conducted by ProjectM.
Trend Micro reported finding gigabytes of personally identifiable information (PII), primarily belonging to Indian Army personnel, in open directories on C2 servers related to ProjectM. This indicates that the threat actor not only carries out targeted attacks but also collects, and possibly exploits, sensitive data. In addition, the group has been observed using malicious Excel documents with macros to download and install payloads in its attack campaigns. Unit 42 also observed this domain hosting several ProjectM tools, including Andromeda and Peppy samples identical to ones previously seen using a different C2, suggesting that the actor reuses domains and servers to host content and payloads unrelated to their original purpose.
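The macro-enabled Excel delivery described above is something a mail gateway or sandbox can triage before the document ever reaches a user. The following is an added example written for this page, not code from Trend Micro, Unit 42, or any ProjectM sample analysis. It inspects an OOXML container for the `xl/vbaProject.bin` part and the macro-enabled content type, flags VBA auto-execution entry points, and flags extension spoofing (a file that carries VBA but is named `.xlsx`). The sample workbooks are constructed in memory; the plaintext `Sub Auto_Open()` blob stands in for a real `vbaProject.bin`, whose module source is MS-OVBA-compressed and would need a decompressor such as oletools' `olevba` for a reliable name check.

```python
import io
import zipfile

# Real OOXML part name and content type for macro-enabled workbooks.
VBA_PART = "xl/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MACRO_EXTENSIONS = ("xlsm", "xltm", "xlam")

# Real VBA auto-execution entry points. Searching raw bytes is a heuristic:
# in a genuine vbaProject.bin the module source is compressed, so a production
# scanner should decompress the streams (e.g. with olevba) before this check.
AUTO_EXEC = (b"Auto_Open", b"Auto_Close", b"Workbook_Open", b"Workbook_Activate")


def inspect_office_zip(data: bytes, filename: str) -> dict:
    """Return structural findings for an attachment claimed to be an Excel file."""
    findings = {
        "is_ooxml": False,
        "has_vba": False,
        "macro_enabled_ct": False,
        "extension_mismatch": False,
        "auto_exec_names": [],
    }
    # OOXML documents are ZIP containers; anything else is out of scope here.
    if not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return findings
    findings["is_ooxml"] = True
    content_types = zf.read("[Content_Types].xml")
    findings["macro_enabled_ct"] = MACRO_ENABLED_CT.encode() in content_types
    findings["has_vba"] = VBA_PART in names
    if findings["has_vba"]:
        blob = zf.read(VBA_PART)
        findings["auto_exec_names"] = [n.decode() for n in AUTO_EXEC if n in blob]
    # A VBA project inside a file not named as macro-enabled is a classic
    # way to slip past naive extension-based filters.
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    findings["extension_mismatch"] = findings["has_vba"] and ext not in MACRO_EXTENSIONS
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a gateway decision; thresholds are an assumption for this example."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["has_vba"]:
        if findings["auto_exec_names"] or findings["extension_mismatch"]:
            return "block"
        return "review"
    return "allow"


def build_sample(with_vba: bool, vba_blob: bytes = b"") -> bytes:
    """Construct a minimal in-memory workbook container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>'
        ) % (MACRO_ENABLED_CT if with_vba else PLAIN_CT)
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean workbook and one carrying an auto-running macro.
    clean = build_sample(False)
    macro = build_sample(True, b"Attribute VB_Name = \"Module1\"\nSub Auto_Open()\nEnd Sub\n")
    for name, blob in (("report.xlsx", clean), ("invoice.xlsm", macro), ("invoice.xlsx", macro)):
        f = inspect_office_zip(blob, name)
        print(name, verdict(f), f["auto_exec_names"], "ext-mismatch" if f["extension_mismatch"] else "")
```

In practice the `block` verdict would feed a quarantine rule and the `review` verdict a sandbox detonation; both findings dictionaries are worth logging as-is, since the combination of auto-exec names and extension mismatch is a useful pivot when hunting for related attachments later.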
Description last updated: 2024-05-04T20:32:02.504Z