APT36, a Pakistan-based threat group, is using the novel coronavirus pandemic scare to its advantage by spreading a data-exfiltrating malware, Crimson RAT. According to a report from Malwarebytes, APT36 mainly uses spear-phishing and watering-hole attacks to reach potential victims.
APT36 Threat Group
The APT36 threat group has long been known to run cyber-espionage campaigns against India to collect critical and sensitive military information. It is allegedly backed by certain criminal organizations in the region to support Pakistani military and diplomatic interests. In the past, the group has also deployed different types of RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.
Coronavirus has caused panic in India as the country readies itself for Stage 3 of the pandemic. Amid the chaos, the operators of this campaign are using a decoy health advisory, purportedly from the Government of India, to disguise a malicious macro attachment. The malicious file targets an old vulnerability in the RTF (Rich Text Format) file format, tracked as CVE-2017-0199.
The Smart Crimson RAT
Once the malicious file is opened, two directories named “Edlacar” and “Uahaiws” are created. Before loading the payload, the malware dropper first checks the OS type (32-bit or 64-bit). It then drops the payload into the Uahaiws directory and unzips its content to place the Crimson RAT payload in the Edlacar directory. Finally, it executes the shell script that loads the payload.
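A hunting check for the staging sequence described above, written here as an added example (it is not code from the article or the Malwarebytes report). It correlates file-system events per process: both staging directories created, followed by a process launched from under Edlacar, within a short window. The event format, process ids, file names and timestamps are constructed, only the two directory names come from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, "timestamp|pid|ppid|action|path" per line.
# pid 4120 follows the dropper pattern; pid 5000 is benign noise that only
# happens to create a folder with the same name.
SAMPLE_EVENTS = """\
100|4120|3000|dir_create|C:\\Users\\victim\\AppData\\Roaming\\Edlacar
101|4120|3000|dir_create|C:\\Users\\victim\\AppData\\Roaming\\Uahaiws
103|4120|3000|file_write|C:\\Users\\victim\\AppData\\Roaming\\Uahaiws\\stage.zip
105|4120|3000|file_write|C:\\Users\\victim\\AppData\\Roaming\\Edlacar\\payload.exe
107|4120|3000|process_start|C:\\Users\\victim\\AppData\\Roaming\\Edlacar\\payload.exe
200|5000|3001|dir_create|C:\\Users\\victim\\Documents\\Edlacar
900|5000|3001|file_write|C:\\Users\\victim\\Documents\\Edlacar\\notes.txt
"""

STAGE_DIRS = {"edlacar", "uahaiws"}  # directory names reported for the dropper
WINDOW = 60  # max seconds between first staging dir and the payload launch (assumed)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, action, path = line.split("|", 4)
        events.append({"ts": int(ts), "pid": int(pid), "ppid": int(ppid),
                       "action": action, "path": path})
    return events

def path_parts(path):
    # Split on either slash style and lower-case for case-insensitive matching.
    return [p.lower() for p in re.split(r"[\\/]+", path) if p]

def detect_crimson_dropper(events):
    """Return pids that create both staging directories and then start a
    process from inside Edlacar within WINDOW seconds of the first creation."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        created, first_ts, exec_ts = set(), None, None
        for e in sorted(evs, key=lambda e: e["ts"]):
            parts = path_parts(e["path"])
            if e["action"] == "dir_create" and parts[-1] in STAGE_DIRS:
                created.add(parts[-1])
                first_ts = e["ts"] if first_ts is None else first_ts
            elif (e["action"] == "process_start" and "edlacar" in parts[:-1]
                  and created == STAGE_DIRS):
                exec_ts = e["ts"]
                break  # full sequence seen for this pid
        if exec_ts is not None and exec_ts - first_ts <= WINDOW:
            hits.append(pid)
    return hits
```

Requiring the full create-create-execute chain keeps a lone folder named Edlacar from raising an alert on its own.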
Crimson RAT then begins exfiltrating data from the victim’s computer: it steals credentials from the browser, lists running processes, collects anti-virus software information and the number of drives in the system, and in certain cases captures screenshots.