APT36/Pakistan: Pakistani-linked APT36 is using spear phishing to take advantage of the current coronavirus news to spread malware dubbed Crimson RAT. Crimson RAT can steal credentials from browsers, capture screenshots, collect anti-virus software information, and list the running processes, drives, and directories from victim machines. This most recent attack is utilizing a malicious Excel file with a macro that creates two directories with the names “Edlacar” and “Uahaiws” under “all users” or “public” profile directory. The file is delivered through a spear-phishing email labeled as a health advisory about the coronavirus from the Indian government. The macro detects the OS version of the machine and the correct version of the Crimson RAT malware is extracted from one of two text boxes in the Excel file, based on the operating system. Once the payload is extracted, it will execute using the “Shell” function and connect to a hard-coded Command and Control (C2) server at IP address 107.175.64[.]209 or 64.188.25[.]205 to send victim information.
Analyst Notes
APT 36 has been known in the past to utilize various RATs and deliver them through spear-phishing and watering hole attacks. Taking advantage of the news surrounding the coronavirus has become extremely popular. Pakistan and India are always exchanging cyber-attacks, so making the document look like it is from the Indian government gives a strong indication that this attack is primarily targeting Indian civilians. As a general rule, defenders should have monitoring services in place to prevent infections like these from spreading across a network and know when a workstation or server on the network is infected. Binary Defense’s Managed Detection and Response (MDR) is a great tool to detect and help prevent attacks like these. More information can be found here:
APT36 Taps Coronavirus as ‘Golden Opportunity’ to Spread Crimson RAT
https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/
