APT36 Taking Advantage of COVID-19 Fear to Spread Crimson RAT


APT36, a Pakistan-based threat group, has joined the growing list of groups exploiting fear of COVID-19 (the coronavirus) as a lure. The group has been trying to spread Crimson RAT, a remote access trojan built to steal sensitive information. APT36 has been active since 2016 and is known to target its arch-rival, India, running cyber-espionage operations that gather confidential information to support the Pakistani military and its strategic interests.

Infection Vector of APT36’s Phishing Campaign Spreading Crimson RAT


APT36’s previous campaigns used both spear-phishing and watering-hole attacks. Typically the emails carried either a document with a malicious macro or an RTF file exploiting a vulnerability such as CVE-2017-0199. The campaign that began in mid-March 2020 uses the same vector: a spear-phishing email arrives with a link to a malicious document posing as a coronavirus health advisory from the Government of India. The document contains Urdu names, suggesting a new phishing pattern for the group, and carries two hidden macros that deliver Crimson RAT to the target.

When the macro is enabled it creates two directories, “Edlacar” and “Uahaiws”, then checks the OS type to decide whether the 32-bit or the 64-bit build of the RAT should be delivered. Each payload is embedded as a zip archive in one of the two text boxes of UserForm1 inside the document. The macro writes the selected zip into the Uahaiws directory, calls its “UnAldizip” function to extract the RAT executable into the Edlacar directory, and finally runs it with the Shell function.
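The staging chain just described (drop directories, payload chosen by OS bitness, zip pulled out of a UserForm text box, unzip, Shell) is a useful thing to check for when triaging a macro document. The following is an added example, not code from the original post or from the malware itself: it scores a dumped VBA source for that chain. It assumes the macro text has already been extracted from the document (for instance with olevba from the oletools project), and the macro it scans is constructed to mirror the described behaviour; the file names svc.exe and p.zip, the verdict thresholds and the regexes are assumptions, not artifacts of the real sample.

```python
"""Heuristic triage of VBA macro source for the staging chain described above:
create drop directories, pick a payload by OS bitness, write a zip pulled out of a
UserForm text box, unzip it, and run the result via Shell.

Assumption: the macro text has already been dumped from the document (for
example with olevba from oletools). SAMPLE_MACRO below is constructed to mirror
the described behaviour and is NOT the real APT36 macro."""
import re
from dataclasses import dataclass, field

# Artifact names quoted in the campaign description (exact-string hits).
KNOWN_ARTIFACTS = ("Edlacar", "Uahaiws", "UnAldizip")

# Generic behaviour heuristics: (name, regex, weight). The patterns are
# assumptions about how such a macro is usually written, not signatures.
RULES = [
    ("auto_exec",     r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", 2),
    ("mkdir",         r"\bMkDir\b|\.CreateFolder\b", 1),
    ("os_bitness",    r'#If\s+Win64|Environ\$?\(\s*"?(PROCESSOR_ARCHITECTURE|ProgramW6432)"?\s*\)', 1),
    ("userform_data", r"\bUserForm\d*\.\w*(TextBox|Text)\w*", 2),
    ("binary_write",  r"\bOpen\b.+\bFor\s+Binary\b|\bPut\s+#", 2),
    ("unzip",         r"\bShell\.Application\b|\bNamespace\b|\bCopyHere\b", 1),
    ("shell_exec",    r"\bShell\s*\(|\bWScript\.Shell\b|\.Run\b", 3),
]
# The chain is the real tell: payload smuggled in a form control, written to
# disk, unpacked and executed. All four steps present => malicious.
CHAIN = ("userform_data", "binary_write", "unzip", "shell_exec")


@dataclass
class Finding:
    rule: str
    weight: int
    hits: int
    first: str  # first matching text, for the analyst


@dataclass
class Triage:
    score: int = 0
    verdict: str = "benign"
    staging_chain: bool = False
    findings: list = field(default_factory=list)
    known_artifacts: list = field(default_factory=list)


def triage_vba(src: str) -> Triage:
    """Score a VBA source dump. VBA is case-insensitive, so the regexes are too."""
    t = Triage()
    for rule, pattern, weight in RULES:
        hits = list(re.finditer(pattern, src, re.IGNORECASE))
        if hits:
            t.findings.append(Finding(rule, weight, len(hits), hits[0].group(0)))
            t.score += weight
    for name in KNOWN_ARTIFACTS:
        if re.search(rf"\b{re.escape(name)}\b", src, re.IGNORECASE):
            t.known_artifacts.append(name)
    matched = {f.rule for f in t.findings}
    t.staging_chain = all(step in matched for step in CHAIN)
    if t.known_artifacts or t.staging_chain:
        t.verdict = "malicious"
    elif t.score >= 3:          # threshold is an assumption; tune on your corpus
        t.verdict = "suspicious"
    return t


# Constructed macro mirroring the described chain (not the real sample).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim drop As String, stage As String
    drop = Environ$("TEMP") & "\Edlacar"
    stage = Environ$("TEMP") & "\Uahaiws"
    MkDir drop
    MkDir stage
    ' pick the 64-bit or 32-bit archive hidden in the form's text boxes
    If Environ$("PROCESSOR_ARCHITECTURE") = "AMD64" Then
        WriteBlob stage & "\p.zip", UserForm1.TextBox2.Text
    Else
        WriteBlob stage & "\p.zip", UserForm1.TextBox1.Text
    End If
    UnAldizip stage & "\p.zip", drop
    Call Shell(drop & "\svc.exe", vbHide)
End Sub

Sub WriteBlob(path As String, data As String)
    Dim f As Integer: f = FreeFile
    Open path For Binary As #f
    Put #f, , data
    Close #f
End Sub

Sub UnAldizip(zipPath As String, dest As String)
    Dim sh As Object
    Set sh = CreateObject("Shell.Application")
    sh.Namespace(dest).CopyHere sh.Namespace(zipPath).Items
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        t = triage_vba(src)
        print(f"{label}: verdict={t.verdict} score={t.score} chain={t.staging_chain}")
        for f in t.findings:
            print(f"  {f.rule:<14} x{f.hits}  e.g. {f.first}")
```

The exact directory and function names give a high-confidence hit on this campaign, but they are the first thing the group will change; the chain check is what keeps the rule useful against the next revision of the document.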

Crimson RAT is written in .NET. Its capabilities include stealing credentials from the victim’s web browser, listing running processes, drives and directories, retrieving files from its C&C server, communicating with the C&C over a custom TCP protocol, gathering information about installed antivirus software, and capturing screenshots. On execution, the RAT connects to its embedded C&C IP addresses and sends the collected information about the victim, including the list of running processes and their IDs, the machine hostname and the username, back to the server.

What can be done?


Because APT36 is exploiting fear of the COVID-19 pandemic, users should be alert when they receive emails claiming to carry information about the coronavirus, and should not open such emails without properly vetting them. Keep operating systems and software updated and patched so that known vulnerabilities, such as the CVE-2017-0199 bug used in the group’s earlier campaigns, cannot be exploited. Organizations should deploy endpoint protection with detection and response capabilities, and should consider a threat intelligence platform that integrates with endpoint protection and other security controls so that known IOCs and TTPs can drive alerting and blocking.
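As a worked illustration of the last recommendation, the script below refangs the indicators listed in the Indicators of Compromise section of this post and matches them against a few constructed log lines (a proxy request to the decoy host, a firewall allow to a C2 address, an EDR file event with one of the Crimson RAT hashes, and a benign request). This is an added example, not Cyware’s or any vendor’s tooling; the key=value log layout, the file path in the EDR line and the internal addresses are assumptions, while the IOC values themselves are the ones published on this page.

```python
"""Match the indicators published in this post against constructed log lines.

Added example. The log lines are constructed for the demo (field layout is an
assumption); the IOC values are the ones listed on the page, kept in their
defanged form and refanged before matching."""
import re
from urllib.parse import urlsplit

DECOY_URLS = [
    "email.gov.in.maildrive[.]email/?att=1579160420",
    "email.gov.in.maildrive[.]email/?att=1581914657",
]
C2_IPS = ["107[.]175[.]64[.]209", "64[.]188[.]25[.]205"]
SHA256 = [
    "876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656",  # decoy docs
    "20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a",
    "0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010",  # Crimson RAT
    "b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748",
]


def refang(value: str) -> str:
    """Undo the usual defang conventions ([.] and hxxp) before matching."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


IOC_HOSTS = {host_of(refang(u)) for u in DECOY_URLS}
IOC_IPS = {refang(ip) for ip in C2_IPS}
IOC_HASHES = {h.lower() for h in SHA256}

# Loose key=value / key="value" parser for the constructed log layout.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse(line: str) -> dict:
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD.finditer(line)}


def host_matches(host: str):
    """Return the matching IOC for an exact host or any subdomain of it, else None."""
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines):
    """Return (line_no, ioc_type, ioc) for every IOC hit; hashes are case-normalised."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = parse(line)
        if "url" in f:
            hit = host_matches(host_of(f["url"]))
            if hit:
                alerts.append((n, "decoy_host", hit))
        for key in ("dst", "src"):
            if f.get(key) in IOC_IPS:
                alerts.append((n, "c2_ip", f[key]))
        if f.get("sha256", "").lower() in IOC_HASHES:
            alerts.append((n, "sha256", f["sha256"].lower()))
    return alerts


# Constructed log lines (not real telemetry); internal addresses and the
# EDR image path are assumptions for the demo.
SAMPLE_LOGS = [
    '2020-03-18T09:12:44Z type=proxy src=10.0.5.23 url="https://email.gov.in.maildrive.email/?att=1579160420" status=200',
    '2020-03-18T09:12:51Z type=fw src=10.0.5.23 dst=107.175.64.209 proto=tcp action=allow',
    '2020-03-18T09:13:02Z type=edr host=WS-023 image="C:\\Users\\u\\AppData\\Local\\Temp\\Edlacar\\svc.exe" sha256=0EE399769A6E6E6D444A819FF0CA564AE584760BABA93EFF766926B1EFFE0010',
    '2020-03-18T09:14:10Z type=proxy src=10.0.5.40 url="https://www.example.com/covid-advisory.pdf" status=200',
]

if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} hit on {ioc}")
```

Host matching deliberately covers only the listed decoy hosts and their subdomains; widening it to the registrable domain maildrive[.]email would catch more infrastructure but also risks false positives, and is an analyst decision the page’s IOC list alone does not justify.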

Conclusion


APT groups are now leveraging COVID-19 as a lure to target users and deliver advanced malware such as Crimson RAT. APT36 quickly adapted its attack pattern to the pandemic in pursuit of more successful targeting. Organizations need to stay alert and follow security best practices. People should stay at home and follow World Health Organization (WHO) guidelines to stay safe from the coronavirus, and follow good security practices online to defend against advanced persistent threats like this one.

Indicators of Compromise


Decoy URLs
email.gov.in.maildrive[.]email/?att=1579160420
email.gov.in.maildrive[.]email/?att=1581914657

Decoy documents
876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656
20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a

Crimson RAT
0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748

C2s
107[.]175[.]64[.]209
64[.]188[.]25[.]205


Tags

apt36
covid 19
crimson rat

Posted on: April 24, 2020
