Schedule a demo

Phishing email attachments deliver Crimson RAT

Summary

With a malicious intent to attack financial institutions, attackers deliver Crimson RAT via email attachments and links shared through phishing emails. 

The Carrier

  • Two separate spear-phishing email campaigns deliver Crimson RAT through an attachment and a link.
  • The link sent through mail contains a malicious PE (executable) file. It has two ZIP files and a DOC file embedded in the resource section.
  • The attachment sent along with the email has an embedded malicious macro

The Malware

  • On execution, based on the OS version, the malicious attachments drop a 32-bit or 64-bit version of payload stored in the resources.
  • The ZIP payload is dropped and executed to deliver the RAT.
  • Once the RAT is executed, it loads a clean CV DOC file and then executes it.

The Risk

  • Crimson RAT exfiltrates files and system data, transfers it over non-web channels to its command-and-control (C&C) server.
  • The malware, on its own, is also capable of capturing the screen of the target device and terminate any or all running processes.
  • It downloads more payloads from its C&C server to steal browser credentials and record keyboard strokes.

Indicators of Compromise

URLs:
  • cloudsbox[.]net/files/sonam karwati.exe
  • cloudsbox[.]net/sonam11
  • cloudsbox[.]net/files/preet.doc
  • 181.215.47[.]169:3368
  • 181.215.47[.]169:6728
  • 181.215.47[.]169:15418
  • 181.215.47[.]169:8822
  • 181.215.47[.]169:13618
FIle HASHES:
  • 1BBAB11B9548C5E724217E506EAB2056 (sonam karwati.exe)
  • 66DA058E5FE7C814620E8AF54D6ADB96 (brwmarivas7.zip)
  • D62156FA2C5BFFDC63F0975C5482EAB6 (brwmarivas7.exe)
  • 63BA59C20E141E635587F550B46C02CD (brwmarivas8.zip)
  • 88309987F49955F88CCF4F92CFBA6CD7 (brwmarivas8.exe)
  • 5BF97A6CB64AE6FD48D6C5D849BE8983 (rihndimrva.doc)
  • CBFAE579A25DF1E2FE0E02934EFD65DC (sonam.doc)
  • 3952EBEDF24716728B7355B8BE8E71B6 (preet.doc)

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now