APT36, a threat group from Pakistan, has joined the growing list of groups exploiting fear of COVID-19 (the coronavirus). The group has been trying to spread Crimson RAT, a remote access trojan built to steal sensitive information. APT36 has been active since 2016 and is known to target its arch-rival India. The group performs cyber-espionage operations with the motive of gathering confidential information from India to support the Pakistani military and its strategic interests.
Infection Vector of APT36’s Phishing Campaign Spreading Crimson RAT
APT36’s previous campaigns used both spear-phishing and watering-hole attacks. In those attacks the emails carried either a document with malicious macros or an RTF file exploiting a vulnerability such as CVE-2017-0199. In the recent campaign, which started in mid-March 2020, the group used the same vector: a spear-phishing email arrives with a link to a malicious document posing as a coronavirus health advisory from the Government of India. The malicious document contains Urdu names, suggesting a new phishing pattern for the group.

The document carries two hidden macros that deliver Crimson RAT to the target. When the malicious macro is enabled, it creates two directories named “Edlacar” and “Uahaiws.” It then checks the OS type to decide which version of the RAT to deliver, the 32-bit or the 64-bit build. The payload is stored as a zip file inside one of the two text boxes of UserForm1 in the malicious document. The macro writes that zip into the Uahaiws directory, then its “UnAldizip” function unzips the content to drop the RAT executable into the Edlacar directory. Finally, it calls the Shell function to run the payload.
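The dropper behaviour described above (directory creation, an OS-bitness check, a payload hidden in a UserForm text box, unzip, then Shell) is a sequence that can be turned into a macro triage heuristic. The scanner below is an added example for this post, not code from the original report and not APT36’s macro. It runs a set of regexes over VBA source text and counts how many stages of the pattern are present. The two macros embedded in it are constructed samples, and the regexes encode generic VBA idioms assumed for each stage (for instance `Environ("ProgramW6432")` as a 64-bit check, or a `CopyHere`/custom unzip routine for extraction); they are assumptions, not the group’s actual code. In practice the VBA source would come from a tool such as `olevba`, which is not required here.

```python
"""Heuristic scanner for the macro dropper pattern described in the post.

Added example, not the original report's code. The VBA samples below are
constructed for illustration; the regexes are generic idioms assumed for
each stage of the dropper chain, not APT36's real macro.
"""
import re

# Stage name -> regex matched case-insensitively against the VBA source.
RULES = {
    "creates_directories": r"\bMkDir\b",
    # Assumed bitness checks: 64-bit Windows exposes ProgramW6432.
    "checks_os_bitness": r"ProgramW6432|Is64BitOperatingSystem|\bWow64\b",
    # Payload pulled out of a form control instead of downloaded.
    "reads_form_control_payload": r"UserForm\d*\.\w*TextBox\w*",
    "writes_binary_file": r"\bOpen\s+.+\s+For\s+Binary\b",
    # Either a custom unzip routine or the Shell.Application CopyHere trick.
    "unzips_payload": r"\bUnzip\w*|\bCopyHere\b",
    "launches_payload": r"\bShell\b|WScript\.Shell|ShellExecute",
}

# Constructed dropper-like macro (NOT the real APT36 macro).
DROPPER_MACRO = r"""
Private Sub Document_Open()
    Dim base As String
    base = Environ("APPDATA")
    MkDir base & "\Edlacar"
    MkDir base & "\Uahaiws"
    Dim payload As String
    If Environ("ProgramW6432") <> "" Then
        payload = UserForm1.TextBox2.Text
    Else
        payload = UserForm1.TextBox1.Text
    End If
    Open base & "\Uahaiws\pkg.zip" For Binary As #1
    Put #1, , payload
    Close #1
    UnZipFile base & "\Uahaiws\pkg.zip", base & "\Edlacar"
    Shell base & "\Edlacar\svc.exe", vbHide
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_MACRO = r"""
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
    MsgBox "Report formatted"
End Sub
"""


def scan_vba(source: str) -> dict:
    """Return {stage: True/False} for every rule in RULES."""
    return {name: bool(re.search(pattern, source, re.IGNORECASE))
            for name, pattern in RULES.items()}


def hit_count(source: str) -> int:
    """Number of dropper stages present in the source."""
    return sum(scan_vba(source).values())


def is_suspicious(source: str, threshold: int = 4) -> bool:
    """Flag when at least `threshold` stages of the chain co-occur.

    A single MkDir or Shell is common in legitimate macros; the signal is the
    combination of staging, a hidden payload and execution in one macro.
    """
    return hit_count(source) >= threshold


if __name__ == "__main__":
    for label, src in (("dropper sample", DROPPER_MACRO),
                       ("benign sample", BENIGN_MACRO)):
        hits = scan_vba(src)
        print(f"{label}: {hit_count(src)}/{len(RULES)} stages, "
              f"suspicious={is_suspicious(src)}")
        for stage, hit in hits.items():
            print(f"    {'X' if hit else '-'} {stage}")
```

The threshold of four stages is a tuning choice: a lone Shell call or MkDir is routine in office automation, while a macro that stages a binary from a form control, unzips it and executes it has little legitimate use. Treat a hit as a triage signal to pull the document and its form controls for manual review, not as a verdict.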
Crimson RAT is written in .NET. Its capabilities include stealing credentials from the victim’s web browser, listing running processes, drives and directories, retrieving files from its C&C server, communicating with the C&C over a custom TCP protocol, gathering information about installed antivirus software, and capturing screenshots. Once the payload executes, the RAT connects to its embedded C&C IP addresses and sends the collected victim information back to the server. In this campaign that information includes the list of running processes and their IDs, the machine hostname, and the username.
What can be done?
As APT36 is using the COVID-19 pandemic as a lure, users should be on alert when receiving emails claiming to contain information about the coronavirus. Such emails should not be opened without properly vetting them. Keep software and operating systems updated and patched to stop the exploitation of known vulnerabilities. Organizations should deploy endpoint protection with detection and response capabilities, and should consider a threat intelligence platform that integrates with endpoint protection and other security systems so that known IOCs and TTPs can be used for alerting and blocking.
APTs are now leveraging COVID-19 as a lure to target users and deliver advanced malware like Crimson RAT. APT36 quickly adapted its attack pattern to the pandemic to improve its success rate against targets. Organizations need to stay alert and follow security best practices. People should stay at home and follow the World Health Organization (WHO) guidelines to stay safe from the coronavirus, and follow good cyber-hygiene practices online to protect themselves against such advanced persistent threats.
Indicators of Compromise