APT36 Spreads Crimson RAT Malware by Using Coronavirus Themed Phishing Attacks

Crimson RAT (Remote Access Trojan) is being spread through social engineering attacks that play on the Coronavirus outbreak. The malware – a high-severity threat that is designed to steal credentials and other sensitive information – is linked to a Pakistani state-sponsored threat group known as APT36.

APT36, also called Transparent Tribe, ProjectM, TEMP.Lapis, and Mythic Leopard, is known to steal sensitive information from the Pakistani military and other diplomatic interests. Historically, the group has targeted defense structures, embassies, and government entities of India, aiming to exfiltrate army strategy and training documents, tactical documents, and official letters, as well as personally identifiable information, text messages, and contact details.

Previous APT36 campaigns have involved watering hole attacks and spear-phishing campaigns. Their most recent scam emails use macro-laden documents that aim to exploit vulnerabilities such as CVE-2017-0199 in RTF (Rich Text Format) files. Experts warn that, if exploited successfully, this high-severity vulnerability allows cybercriminals to execute Visual Basic scripts on the victims' devices.

Crimson RAT impersonates official India government correspondence

Crimson RAT lurks behind phishing emails that pose as official COVID-19 alerts from the Indian government.

The phishing campaign was first detected by QiAnXin's RedDrip Team, who discovered a malicious file that posed as an official Indian government health advisory. Researchers, who also analyzed the attack, report that this latest campaign uses a phishing pattern that was not previously used by APT36.

Figure 1: APT36 phishing Excel document. A malicious Excel file containing code that drops the malware. Source: Threatpost.com

The latest phishing emails masquerade as official messages from the government of India (email.gov.in.maildrive[.]email/?att=1579160420) that contain a "Health Advisory" regarding the Coronavirus outbreak. If opened, the document runs two malicious macros that create two directories named "Edlacar" and "Uahaiws." The macros also check the OS version and download a ZIP archive that contains either a 32-bit or 64-bit version of the malware payload.

The malicious ZIP archive, which gets saved in the Uahaiws folder, will unzip the RAT into the Edlacar directory. The macros will then call a Shell function that will execute the payload.

Researchers explain that once installed, Crimson RAT establishes a connection to a hardcoded Command and Control (C&C) server. The RAT sweeps the infected device for targeted information and uploads every bit of that data to the C&C server.

Crimson RAT exfiltrates information such as:

  • credentials from web browsers,
  • information about security software,
  • computer-configuration information such as hostnames, usernames, and IDs,
  • captured screenshots of the victim's screen,
  • lists of running processes, drives, and directories on the target device.

Crimson RAT is written in the .NET programming language and employs a custom TCP protocol for C&C communication. The malware is one of many RATs deployed by APT36. njRAT, DarkComet, and Luminosity RAT are also linked to the threat group, and some of them are also being spread through COVID-19-themed attacks.
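The drop chain described above (Excel macros creating the "Uahaiws" and "Edlacar" directories, saving a ZIP into one, unpacking the RAT into the other, launching it via a Shell call, and the RAT then beaconing to its C&C over TCP) gives a defender a sequence of endpoint events to look for. The following is an added detection sketch, not code from the article or from any vendor: it walks a list of simplified Sysmon-style events (the field names Image, ParentImage, TargetFilename, ProcessId and DestinationIp follow Sysmon's conventions; the events themselves, the user name, file names and the 203.0.113.10 address are constructed here) and flags each stage of the chain. Only the two directory names come from the article.

```python
"""Detection sketch for the Crimson RAT drop chain (added example).

Flags, over a stream of simplified Sysmon-like endpoint events:
  1. an Office process writing a ZIP archive under a "Uahaiws" folder
  2. an executable being written under an "Edlacar" folder
  3. an Office process spawning a child from an "Edlacar" folder
     (the macro's Shell call)
  4. that child, or any process running from "Edlacar", opening an
     outbound network connection (the C&C beacon)
"""
import re

# Directory names quoted in the article. Office host list is an assumption.
ZIP_DIR = "uahaiws"
PAYLOAD_DIR = "edlacar"
OFFICE_HOSTS = ("excel.exe", "winword.exe")


def _basename(path):
    """Last path component, lower-cased, accepting \\ or / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def _under(path, dirname):
    """True if `dirname` appears as a directory component of `path`."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return dirname in parts[:-1]


def detect(events):
    """Return a list of (rule_name, event) hits, in event order.

    Events are dicts with an 'EventType' of FileCreate, ProcessCreate or
    NetworkConnect. Process IDs of children spawned from the payload
    directory are remembered so their later network activity is tied
    back to the drop chain.
    """
    hits = []
    suspicious_pids = set()
    for ev in events:
        etype = ev.get("EventType")
        image = ev.get("Image", "")
        if etype == "FileCreate":
            target = ev.get("TargetFilename", "")
            if (_basename(image) in OFFICE_HOSTS and _under(target, ZIP_DIR)
                    and target.lower().endswith(".zip")):
                hits.append(("office_drops_zip_in_uahaiws", ev))
            elif _under(target, PAYLOAD_DIR) and target.lower().endswith(".exe"):
                hits.append(("exe_written_to_edlacar", ev))
        elif etype == "ProcessCreate":
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_HOSTS and _under(image, PAYLOAD_DIR):
                hits.append(("office_spawns_from_edlacar", ev))
                suspicious_pids.add(ev.get("ProcessId"))
        elif etype == "NetworkConnect":
            if ev.get("ProcessId") in suspicious_pids or _under(image, PAYLOAD_DIR):
                hits.append(("dropped_process_beacons_out", ev))
    return hits


def rule_names(events):
    """Convenience wrapper: just the rule names that fired."""
    return [name for name, _ in detect(events)]


# Constructed sample telemetry: one infected session plus one benign save.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 4120,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL},
    {"EventType": "FileCreate", "ProcessId": 4120, "Image": EXCEL,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Uahaiws\payload.zip"},
    {"EventType": "FileCreate", "ProcessId": 4120, "Image": EXCEL,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Edlacar\service.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 5308, "ParentImage": EXCEL,
     "Image": r"C:\Users\alice\AppData\Roaming\Edlacar\service.exe"},
    {"EventType": "NetworkConnect", "ProcessId": 5308,
     "Image": r"C:\Users\alice\AppData\Roaming\Edlacar\service.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
    # Benign noise: Excel saving an ordinary workbook should not fire.
    {"EventType": "FileCreate", "ProcessId": 4120, "Image": EXCEL,
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name:32s} pid={ev.get('ProcessId')} {ev.get('TargetFilename') or ev.get('Image')}")
```

The directory names are weak indicators on their own, since an attacker can rename them in the next campaign; the more durable signal is the shape of the chain (Office writing an archive and an executable into a user-writable folder, then spawning that executable, then that child talking out to the network). The rule for stage 3 keys on parent-child relationship rather than on a file name for that reason.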

Researchers warn that Coronavirus-themed threats are booming right now. Dangerous malware, such as CoronaVirus ransomware, lurks in the dark corners of the web, waiting for people who are panicking over the new pandemic to fall into the cybercriminals' traps.

Cybersecurity experts advise caution because scams, trojans, and RATs threaten not only individual users but also companies, governments, and even health organizations.

Reactionary Times News Desk