APT36 Taps Coronavirus as ‘Golden Opportunity’ to Spread Crimson RAT

crimson RAT

The Pakistani-linked APT has been spotted infecting victims with data exfiltration malware.

A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT.

The functionalities of the Crimson RAT include stealing credentials from victims’ browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories from victim machines. The use of such data exfiltration capabilities are common for APT36 (also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis), active since 2016.

“APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India,” said researchers with Malwarebytes in a Monday analysis. “APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests.”

Researchers said that previous APT36 campaigns have mainly relied on both spear phishing and watering hole attacks to gain its foothold on victims. This most recent phishing email attaches a malicious macro document that targets vulnerabilities in RTF (Rich Text Format) files, such as CVE-2017-0199. This is a high-severity Microsoft vulnerability, which allows a bad actor to execute Visual Basic script when a user opens a malicious Microsoft Office RTF document.

The email pretends to be from the government of India (email.gov.in.maildrive[.]email/?att=1579160420) and contains a “Health Advisory” regarding the coronavirus pandemic. Once victims click on the attached malicious document and enable macros, the Crimson RAT is dropped.

crimson RAT APT36The malicious macro first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type. Based on the OS type, the macro then picks either a 32-bit or 64-bit version of its RAT payload in zip format, which is stored in one of the two textboxes in UserForm1. Then, it drops the zip payload into the “Uahaiws” directory and unzips its content (using the “UnAldizip” function), dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.

Once downloaded, Crimson RAT connects to its hardcoded command and control (C2) IP addresses and sends collected information about the victim back to the server. That data includes a list of running processes and their IDs, the machine hostname, and its username.

Researchers said that APT36 has used many different RAT strains in the past – including such as remote administration tool DarkComet, Luminosity RAT, and njRAT.

“In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters,” said researchers. “They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.”

Coronavirus has been utilized by various APTs over the last week to infect victims with malware. Last week a Chinese APT group was spotted leveraging COVID-19 to infect Mongolian victims with a previously unknown malware, in a campaign researchers called “Vicious Panda.” Beyond that attackers continue to leverage coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams.

Researchers said that making employees aware of these ongoing scams is key – particularly with more businesses moving to a work from home model in response to the coronavirus pandemic.

“Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch,” said researchers. “This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns.”

Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles