APT36 Taking Advantage of COVID-19 Fear to Spread Crimson RAT

APT36’s previous campaigns were found to be using both spear-phishing and watering hole attacks. Usually, in those attacks, emails had either a malicious macro document or an RTF file utilizing vulnerabilities, like “CVE-2017-0199.” In the recent campaign started in mid-March 2020, they were using the same vector, where a spear-phishing email arrives with a link to a malicious document pretending to be health advisories for the coronavirus, coming from the Government of India. The malicious document attached to the email contains Urdu names, suggesting a new phishing pattern used by the group. The malicious document comes with two hidden macros that deliver Crimson RAT to the target users. When the malicious macro is enabled, it creates two directories named “Edlacar” and “Uahaiws.” After that, it checks the OS type to determine which version of RAT is to be delivered - the 32 bit or the 64 bit. The payload is dropped in zip file format that is saved in one of the two text boxes in UserForm1 (in the malicious document). The zip payload is dropped into the Uahaiws directory, and then the “UnAldizip” function unzips its content to drop the RAT payload into the Edlacar directory. Finally, it will call the Shell function to run the payload. 

Crimson RAT is written in .NET, and its capabilities include stealing credentials from the victim’s web-browser, listing running processes, drives, and directories, retrieving files from its C&C server, using custom TCP protocol for its C&C communication, gathering information about antivirus software and finally capturing screenshots. Upon executing the payload, the RAT communicates to its embedded C&C IP addresses and sends the collected information about the victim back to the server. The collected information included a list of running processes and their IDs, machine hostname, along with its username.