# APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT **[blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat](https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/)** Threat Intelligence Team, Threat Intelligence Team March 16, 2020 Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns. [Profiting from global health concerns, natural disasters, and other extreme weather events is](https://blog.malwarebytes.com/social-engineering/2019/10/help-prevent-disaster-donation-scams-from-causing-more-misery/) [nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have](https://www.nclnet.org/beware_of_h1n1_scams) [circulated online for more than a decade. According to reports from ZDnet, many state-sponsored](https://www.zdnet.com/article/state-sponsored-hackers-are-now-using-coronavirus-lures-to-infect-their-targets/) threat actors have already started to distribute coronavirus lures, including: Chinese APTs: Vicious Panda, Mustang Panda North Korean APTs: Kimsuky [Russian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)](https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/) Other APTs: Sweed (Lokibot) [Recently, the Red Drip team reported that APT36 was using a decoy health advisory document to](https://twitter.com/RedDrip7/status/1237983760802394112?s=20) spread a Remote Administration Tool (RAT). APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic [interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic](https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf) Leopard, and TEMP.Lapis. ## APT36 spreads fake coronavirus health advisory ----- [APT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on](https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/) victims. The phishing email is either a malicious macro document or an rtf file exploiting vulnerabilities, such as CVE-2017-0199. In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (email.gov.in.maildrive[.]email/? _att=1579160420)._ Figure 1: Phishing document containing malicious macro code We looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names. The malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious macro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type. ----- Figure 2: malicious macro Based on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is stored in one of the two textboxes in UserForm1 (Figure 3). ----- Figure 3: embedded payloads in ZIP format Then it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload. ## Crimson RAT The Crimson RAT has been written in .Net (Figure 4) and its capabilities include: Stealing credentials from the victim’s browser Listing running processes, drives, and directories on the victim’s machine Retrieving files from its C&C server Using custom TCP protocol for its C&C communications Collecting information about antivirus software Capturing screenshots ----- Figure 4: Crimson RAT Upon running the payload, Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5). Figure 5: TCP communications ## Ongoing use of RATs APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT. In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details. ## Protection against RATs While most general users needn’t worry about nation-state attacks, organizations wanting to [protect against this threat should consider using an endpoint protection system or endpoint](https://www.malwarebytes.com/business/endpointprotection/) detection and response with exploit blocking and real-time malware detection. ----- Shoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other social engineering attacks from threat actors. Malwarebytes users are protected against this attack. We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection. ## Indicators of Compromise Decoy URLs ``` email.gov.in.maildrive[.]email/?att=1579160420 email.gov.in.maildrive[.]email/?att=1581914657 ``` Decoy documents ``` 876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a ``` Crimson RAT ``` 0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748 ``` C2s ``` 107.175.64[.]209 64.188.25[.]205 ## MITRE ATT&CK ``` [https://attack.mitre.org/software/S0115/](https://attack.mitre.org/software/S0115/) -----