Nation-Backed Hackers spread Crimson RAT via Coronavirus Phishing (Mar 17, 2020)

The state-sponsored threat group APT36 has been seen using Coronavirus (COVID-19) lures in its recent spearphishing campaigns to deploy the Crimson Remote Access Trojan (RAT). The emails masquerade as messages from health advisory boards and government officials carrying updates on the coronavirus. The documents used in the campaign come in two main formats: an Excel document with embedded macros that download the Crimson RAT, and an RTF file exploiting the zero day "CVE-2017-0199" for remote code execution. The RAT's abilities include, but are not limited to: stealing user credentials from web browsers, screen capture, and file/directory discovery. Collected information is exfiltrated to a hard-coded Command and Control (C2) server. APT36, also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis, is suspected to be based in Pakistan and has a history of targeting Indian entities.
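The two lure formats above (a macro-bearing Excel workbook and an RTF carrying an OLE object) can both be flagged at the mail gateway or in a triage pipeline by inspecting the file container rather than trusting the file name. The script below is an added example written for this page, not code from the advisory or from the ThreatStream platform. The sample attachments are constructed inline and are not real campaign samples; the heuristics (a `vbaProject.bin` part inside an Office Open XML archive, and `\objdata` together with `\objautlink`/`\objupdate` in an RTF, a combination commonly seen in CVE-2017-0199 abuse) are assumptions a defender would tune to their own environment.

```python
"""Offline triage of e-mail attachments for macro workbooks and RTF OLE-object lures."""
import io
import zipfile

RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                       # Office Open XML (.xlsx/.xlsm/.docx) is a ZIP
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.xls/.doc)


def _build_ooxml(with_vba):
    """Build a minimal, constructed Office Open XML archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Real macro workbooks store the VBA project at this path.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder VBA project\x00")
    return buf.getvalue()


# Constructed sample attachments (hypothetical names and contents, not campaign artifacts).
SAMPLES = {
    "covid_advisory.rtf": b"{\\rtf1\\ansi Stay safe. Wash your hands.}",
    "covid_update.rtf": b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 01050000020000000b0000}}}",
    "covid_cases.xlsm": _build_ooxml(with_vba=True),
    "covid_cases.xlsx": _build_ooxml(with_vba=False),
    "health_notice.doc": b"{\\rtf1\\ansi an RTF body hiding behind a .doc name}",
    "legacy_sheet.xls": OLE2_MAGIC + b"\x00" * 16,
}


def classify_attachment(name, data):
    """Return a list of human-readable findings for one attachment (empty if nothing stands out)."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""

    if data.startswith(RTF_MAGIC):
        # Content sniffing beats the extension: Word opens RTF regardless of the name.
        if ext != "rtf":
            findings.append("extension mismatch: RTF content with .%s name" % ext)
        body = data.lower()
        if b"\\objdata" in body:
            findings.append("embedded OLE object data (\\objdata)")
        if b"\\objautlink" in body or b"\\objupdate" in body:
            findings.append(
                "auto-updating OLE link (\\objautlink/\\objupdate), pattern seen in CVE-2017-0199 abuse"
            )
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return ["unreadable ZIP container"]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office Open XML document with VBA macro project")
    elif data.startswith(OLE2_MAGIC):
        # Legacy format: macros live inside OLE streams, so hand off to a dedicated parser.
        findings.append("legacy OLE2 document; may contain VBA macros, inspect with oletools")

    return findings


def triage(samples):
    """Classify every attachment in a {name: bytes} mapping."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or ["no findings"])
```

The point of the design is that each finding is a reason a human can act on (quarantine, detonate in a sandbox, or release), and that the check keys on container structure so a renamed attachment is still caught. A production version would additionally parse the OLE2 format (for example with oletools) rather than just flagging it.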

Recommendation: With the world's attention focused on the Coronavirus, malicious groups and individuals are leveraging it in their operations. Education is the best defense: inform your employees what information requests to expect from their managers and colleagues. Employees should also know whom to contact when they suspect they are the target of a possible spearphishing attack. In the case of this lure, individuals are advised to contact their nearest health advisory to confirm that such emails are legitimate.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.