Threat Watch

Old Tactics Gain New Life in Crimson RAT

In a recent report, researchers at Kaspersky Lab wrote about the use of a USB spreader by Crimson RAT as a mechanism to maintain persistence within an environment. The spreader works in three separate modes: downloader, infector, and stealer.

When a host is already infected with Crimson RAT and the conditions to download another client are met, a USB device is selected; the spreader hides the drive's real contents in hidden folders and leaves an executable disguised as a folder on the drive. If a user opens that "folder" after plugging the USB device into a different machine, the RAT executes, calls back to the C2, and the infection process repeats. Lastly, any files of interest found on the drive can be sent back to the C2.

ANALYST NOTES

Crimson RAT, like many others in this class, utilizes tactics that are common across the board: malicious documents with macros, execution out of suspicious directories (in this case C:\ProgramData), and registry modifications (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Continuous monitoring and logging of unusual processes writing to external devices can help make detection easier. In this case, it is recommended to investigate unusual .zip files being written to C:\ProgramData\ under a randomly named parent directory.
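The three observables in the notes above (a .zip dropped under a randomly named C:\ProgramData\ directory, an HKCU Run key written by a process running from ProgramData, and a process from ProgramData dropping an executable onto the root of a removable drive) can be turned into simple hunt rules. The following is an added example, not code from the Kaspersky report or from Crimson RAT analysis; the pipe-delimited log format, the field names, the allowlist of known ProgramData directories, the "random-looking name" heuristic and the use of drive letters D: to Z: as a stand-in for removable media are all assumptions, and the log lines are constructed.

```python
"""Hunt rules for the Crimson RAT observables described above, run over
constructed Sysmon-like event lines. Added example; the kind|image|target|host
format and the heuristics below are assumptions, not any vendor's schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "FileCreate" or "RegistryValueSet"
    image: str   # process that performed the write
    target: str  # file path or registry value written
    host: str    # constructed host name


# Constructed sample log, hypothetical format: kind|image|target|host
SAMPLE_LOG = r"""
FileCreate|C:\ProgramData\Hdfjkslk\updater.exe|C:\ProgramData\Hdfjkslk\pkg.zip|WS-01
FileCreate|C:\Program Files\7-Zip\7zFM.exe|C:\Users\alice\Downloads\report.zip|WS-01
FileCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\ProgramData\Microsoft\cache.zip|WS-02
RegistryValueSet|C:\ProgramData\Hdfjkslk\updater.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater|WS-01
RegistryValueSet|C:\Windows\System32\msiexec.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp|WS-02
FileCreate|C:\ProgramData\Hdfjkslk\updater.exe|E:\Documents.exe|WS-01
FileCreate|C:\Windows\explorer.exe|E:\holiday photos\img01.jpg|WS-01
""".strip()

# .zip written directly under C:\ProgramData\<dir>\ ; group 1 is <dir>
PROGRAMDATA_ZIP = re.compile(r"^c:\\programdata\\([^\\]+)\\[^\\]+\.zip$", re.I)
# HKCU Run key value, the persistence location named in the report
RUN_KEY = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# .exe in the root of a non-system drive letter (assumption: stands in for
# removable media; real telemetry should check the drive type instead)
REMOVABLE_ROOT_EXE = re.compile(r"^[d-z]:\\[^\\]+\.exe$", re.I)

# Constructed allowlist of ProgramData directories that are expected in this
# environment; extend per site so the random-name heuristic is not needed for them.
KNOWN_PROGRAMDATA_DIRS = {"microsoft", "package cache", "adobe", "mozilla"}


def parse_line(line: str):
    """Parse one kind|image|target|host line; return None for malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 4 or not all(parts):
        return None
    return Event(*parts)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a directory name is 'random-looking' if it is not
    allowlisted and either mixes letters with digits or has almost no vowels."""
    lower = name.lower()
    if lower in KNOWN_PROGRAMDATA_DIRS:
        return False
    has_digit_mix = any(c.isdigit() for c in lower) and any(c.isalpha() for c in lower)
    vowel_ratio = sum(c in "aeiou" for c in lower) / max(len(lower), 1)
    return has_digit_mix or (len(lower) >= 6 and vowel_ratio < 0.2)


def image_is_suspicious(image: str) -> bool:
    """The report's example of a suspicious execution directory: C:\\ProgramData."""
    return image.lower().startswith("c:\\programdata\\")


def hunt(lines):
    """Return (rule, host, image, target) tuples for every event that matches."""
    findings = []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        if ev.kind == "FileCreate":
            m = PROGRAMDATA_ZIP.match(ev.target)
            if m and looks_random(m.group(1)):
                findings.append(("programdata_zip", ev.host, ev.image, ev.target))
            elif REMOVABLE_ROOT_EXE.match(ev.target) and image_is_suspicious(ev.image):
                findings.append(("removable_exe_drop", ev.host, ev.image, ev.target))
        elif ev.kind == "RegistryValueSet":
            if RUN_KEY.match(ev.target) and image_is_suspicious(ev.image):
                findings.append(("run_key_persistence", ev.host, ev.image, ev.target))
    return findings


if __name__ == "__main__":
    for rule, host, image, target in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {host}: {image} -> {target}")
```

Run against the constructed log, the rules fire three times, all on WS-01 and all tied to the same ProgramData image: the .zip drop, the Run key write, and the .exe placed on the E: drive root. The WINWORD .zip under C:\ProgramData\Microsoft is suppressed by the allowlist, and the msiexec Uninstall key write never matches the Run key rule. Correlating the three findings on one image is the useful part; each rule alone is noisy, so tune the allowlist and the vowel threshold against your own baseline before alerting on it.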

To read more, please see: https://securelist.com/transparent-tribe-part-1/98127/