The Carrier
- Two separate spear-phishing email campaigns deliver Crimson RAT through an attachment and a link.
- The link sent in the email leads to a malicious PE (executable) file, which has two ZIP files and a DOC file embedded in its resource section.
- The attachment sent with the email contains an embedded malicious macro.
The Malware
- On execution, the malicious attachments drop a 32-bit or 64-bit version of the payload stored in the resources, depending on the OS version.
- The ZIP payload is dropped and executed to deliver the RAT.
- Once the RAT is running, it loads a clean CV DOC file and then opens it.
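As an added triage example (not code from the original report), the following Python locates ZIP and OLE (legacy DOC) containers embedded after the MZ header of a dropper, the layout described above for the carrier PE and its 32-bit/64-bit payloads; the sample buffer and payload file names are constructed here.

```python
"""Carve ZIP and OLE containers embedded in a dropper's bytes.
Added example; the sample bytes below are constructed, not real malware."""
import io
import zipfile

ZIP_LOCAL = b"PK\x03\x04"   # ZIP local file header
ZIP_EOCD = b"PK\x05\x06"    # ZIP end-of-central-directory record
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (.doc)


def carve_embedded(data: bytes):
    """Return [(offset, kind, detail)] sorted by offset. kind is 'zip'
    (detail = member names) or 'ole' (detail = None). Byte 0 is skipped so
    the host file's own header is never reported as an embedded object."""
    found = []
    skip_until = 0  # local headers inside an already-carved archive are members
    pos = data.find(ZIP_LOCAL, 1)
    while pos != -1:
        if pos >= skip_until:
            eocd = data.find(ZIP_EOCD, pos)
            if eocd != -1:
                end = eocd + 22  # EOCD record length with an empty comment
                try:
                    with zipfile.ZipFile(io.BytesIO(data[pos:end])) as zf:
                        found.append((pos, "zip", zf.namelist()))
                        skip_until = end
                except zipfile.BadZipFile:
                    pass  # signature bytes that are not a parseable archive
        pos = data.find(ZIP_LOCAL, pos + 1)
    pos = data.find(OLE_MAGIC, 1)
    while pos != -1:
        found.append((pos, "ole", None))
        pos = data.find(OLE_MAGIC, pos + 1)
    return sorted(found, key=lambda h: h[0])


def _make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the dropper: an MZ stub, then a resource-like blob
# holding two ZIP archives and an OLE header. Names are placeholders.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"RSRC"
          + _make_zip("payload32.exe", b"stub-32") + b"\x00" * 16
          + _make_zip("payload64.exe", b"stub-64") + b"\x00" * 16
          + OLE_MAGIC + b"\x00" * 32)

if __name__ == "__main__":
    for offset, kind, detail in carve_embedded(SAMPLE):
        print(f"0x{offset:08x} {kind} {detail or ''}")
```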
The Risk
- Crimson RAT exfiltrates files and system data, transferring them over non-web channels to its command-and-control (C&C) server.
- The malware is also capable, on its own, of capturing the screen of the target device and terminating any or all running processes.
- It downloads further payloads from its C&C server to steal browser credentials and record keystrokes.
Indicators of Compromise
URLs:
File hashes: