APT36/Pakistan: Pakistani-linked APT36 is using spear phishing that exploits current coronavirus news to spread malware dubbed Crimson RAT. Crimson RAT can steal credentials from browsers, capture screenshots, collect anti-virus software information, and list the running processes, drives, and directories on victim machines. This most recent attack uses a malicious Excel file with a macro that creates two directories named “Edlacar” and “Uahaiws” under the “all users” or “public” profile directory. The file is delivered through a spear-phishing email labeled as a health advisory about the coronavirus from the Indian government. The macro detects the machine’s OS version and extracts the matching build of Crimson RAT from one of two text boxes embedded in the Excel file. Once the payload is extracted, the macro executes it using the “Shell” function, and the RAT connects to a hard-coded Command and Control (C2) server at IP address 107.175.64[.]209 or 64.188.25[.]205 to send victim information.
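The indicators in the paragraph above (the two C2 addresses and the two drop-directory names) are concrete enough to be turned into a triage check. The following Python is an added example written for this page, not code from Binary Defense or from the original report; the proxy log lines and file paths it scans are constructed samples, the log format is assumed, and `C:\ProgramData` is included as the modern junction target of the legacy “All Users” profile directory rather than because the brief names it.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the brief (the page defangs the IPs with "[.]").
CRIMSON_RAT_C2 = {"107.175.64.209", "64.188.25.205"}
DROPPER_DIRS = {"edlacar", "uahaiws"}
# Profile roots named in the brief, plus ProgramData (assumption: the modern
# target of the "All Users" junction on Vista and later).
PROFILE_ROOTS = {"all users", "public", "programdata"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 107.175.64[.]209 into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_c2_hits(log_lines):
    """Return (line_number, ip) for every log line that carries a known C2 address.

    Works on raw text, so it is agnostic to the exact proxy/firewall log schema;
    lines are refanged first in case the log was exported in a defanged form.
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(refang(line)):
            if ip in CRIMSON_RAT_C2:
                hits.append((n, ip))
    return hits


def is_dropper_path(path: str) -> bool:
    """True when a Windows path is one of the macro's drop directories sitting
    directly under a profile root, or a file inside such a directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i in range(len(parts) - 1):
        if parts[i] in PROFILE_ROOTS and parts[i + 1] in DROPPER_DIRS:
            return True
    return False


def find_dropper_paths(paths):
    """Filter a list of observed file-system paths down to those matching the drop directories."""
    return [p for p in paths if is_dropper_path(p)]


# Constructed sample data (not real telemetry); documentation-range IPs for benign traffic.
SAMPLE_PROXY_LOG = [
    "2020-03-12T09:14:02Z src=10.0.0.23 dst=203.0.113.5 dport=443 action=allow",
    "2020-03-12T09:14:07Z src=10.0.0.23 dst=107.175.64.209 dport=443 action=allow",
    "2020-03-12T09:14:09Z src=10.0.0.23 dst=64.188.25[.]205 dport=8080 action=allow",
    "2020-03-12T09:15:00Z src=10.0.0.41 dst=198.51.100.7 dport=53 action=allow",
]

SAMPLE_FILE_EVENTS = [
    r"C:\Users\Public\Edlacar\payload_placeholder.exe",   # constructed file name
    r"C:\Users\Public\Uahaiws",
    r"C:\Users\alice\Documents\report.xlsx",
    r"C:\Documents and Settings\All Users\Uahaiws",
    r"C:\Users\alice\Edlacar\notes.txt",                  # wrong parent: not the macro's location
]

if __name__ == "__main__":
    for n, ip in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"C2 contact on log line {n}: {ip}")
    for p in find_dropper_paths(SAMPLE_FILE_EVENTS):
        print(f"Drop directory artifact: {p}")
```

Path matching is deliberately anchored to the profile root named in the brief, so a directory called “Edlacar” created elsewhere is not flagged; loosen `PROFILE_ROOTS` if your hunting hypothesis is broader than the reported behaviour.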
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense