APT36 Drops Crimson RAT in the Name of COVID-19 Advisory

  • The threat actor group mainly relies on spear-phishing and watering hole attacks to gain a foothold on its victims. 
  • Researchers confirmed that this is a new phishing pattern emerging from this group.

Since the coronavirus became a worldwide health issue, it has become a golden opportunity for cyber crooks to capitalize on the fear and generate mass hysteria—all while targeting potential victims with malware campaigns and scams.

A group of researchers recently reported that the Pakistan-linked APT36 was using a decoy health advisory document from the Indian government to spread a Remote Administration Tool (RAT).

A background on APT36
Believed to a Pakistani state-sponsored threat actor, the group is active since 2016 and supports Pakistani military and diplomatic interests.

  • It importantly targets the defense agencies, embassies, and the government of India.
  • Its intent is to perform cyber-espionage operations include collecting sensitive information from India.
  • The threat actor mainly relies on both spear-phishing and watering hole attacks to gain foothold on its victims.
  • The group is known by several different names such as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

Though it has used many different malware families in the past, it has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT. Phishing emails by the group usually feature a malicious macro-laced Office document or an RTF file with embedded exploits.

What happened?
APT36 has launched an email-based spear-phishing campaign spreading a fake coronavirus health advisory.

  • The spear-phishing campaign was observed delivering the Crimson RAT via links to a malicious document purportedly produced by the Indian government.
  • In the fresh coronavirus-themed attack, APT36 attached a malicious document in the email masquerading as the Government of India (GoI) (email.gov.in.maildrive[.]email/?att=1579160420).

What’s new in this campaign?
Researchers confirmed that this is a new phishing pattern emerging from this group. The names used for directories and functions are likely in Urdu.

  • The malicious document contains two hidden macros that drop the Crimson RAT.
  • The malicious macro first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type.
  • By identifying the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format and drop it into the “Uahaiws” directory. 
  • The content is unzipped using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory.
  • Finally, a call is made to the Shell function to execute the payload.

The RAT collects and sends information about the compromised system, including a list of running processes and their IDs, the machine hostname, and its username.

Capabilities of Crimson RAT
The Crimson RAT has been written in .Net and its capabilities include:

  • Stealing credentials from the victim’s browser
  • Retrieving files from its C&C server
  • Using custom TCP protocol for its C&C communications
  • Collecting information about antivirus software
  • Capturing screenshots
  • Listing running processes, drives, and directories on the victim’s machine

How to protect against yourself?
General users need not worry about nation-state attacks since it is a targeted attack. However, experts recommend potential targets to take several security measures such as:

  • Keeping all the installed software up-to-date (including Microsoft Excel and Word) to protect against malicious exploits.
  • Organizations should consider using an endpoint protection system to block malicious activity on its devices.
  • Avoid opening coronavirus related resources from unvetted sources.