Pakistan-linked APT 36 uses coronavirus-themed phishing to drop Crimson RAT

As the world struggles with the panic over the COVID-19 pandemic, multiple threat actors are trying to take advantage of coronavirus hysteria to perform cyber attacks. The latest developments involve a spear phishing campaign orchestrated by Pakistan-linked APT 36 designed to infect victims with Crimson RAT.

The group (also known under aliases Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis) has been active since at least 2016 and is primarily focused on Indian defense and government entities. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests.

The ongoing phishing campaign was first spotted by researchers with QiAnXin's RedDrip Team who discovered malicious documents posing as a coronavirus health advisory for businesses and training institutions. The spear-phishing emails were also analyzed by Malwarebytes Labs' Threat Intelligence Team.

According to the researchers, previous APT36 campaigns gained their foothold on victims mainly through spear phishing and watering hole attacks, with phishing emails carrying either a malicious macro document or an RTF file exploiting vulnerabilities such as CVE-2017-0199.

In this recent campaign the group used a spear phishing email with a link to a malicious document posing as a communication from the government of India.

The malicious document contained two hidden macros that drop Crimson RAT onto the computer. The malicious macro first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type. Based on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format, stored in one of the two textboxes in UserForm1. It then drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, placing the RAT payload in the Edlacar directory. Finally, the Shell function is called to execute the payload.
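A detection check for the dropper behaviour just described, written here as an added example and not taken from the researchers' reports: it scans constructed Sysmon-style process-creation events for an Office application launching an executable, and raises the severity when the executable's path contains the directory names the write-up attributes to this macro. The event format, user names and file names are assumptions.

```python
import json

# Office parents that should rarely spawn executables directly
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directory names the write-up reports for this campaign's macro dropper
CAMPAIGN_DIRS = {"edlacar", "uahaiws"}

# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
# Paths and file names are made up for illustration.
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Edlacar\\payload.exe"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\bob\\Downloads\\setup.exe"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe"}',
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Rough check for locations a macro can write to without elevation."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def assess(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    image = event["Image"]
    segments = {seg.lower() for seg in image.replace("/", "\\").split("\\")}
    if segments & CAMPAIGN_DIRS:
        return "high"    # Office parent plus the dropper's directory names
    if is_user_writable(image):
        return "medium"  # Office parent launching a binary from a user-writable path
    return None


def scan(lines):
    """Parse JSON event lines and return (severity, image) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        severity = assess(event)
        if severity:
            hits.append((severity, event["Image"]))
    return hits


if __name__ == "__main__":
    for severity, image in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {image}")
```

The "medium" tier is deliberately broad; in a real environment it would be tuned against a baseline of legitimate Office child processes.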

Written in .NET, Crimson RAT has an extensive set of functions, including the ability to steal credentials from the victim’s browser; list running processes, drives, and directories; retrieve files from its command and control server; collect data about antivirus software; and capture screenshots.

The collected information about the victim is sent to the RAT's command and control server.

“APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT,” the researchers said.
