Phishing email attachments deliver Crimson RAT

With a malicious intent to attack financial institutions, attackers deliver Crimson RAT via email attachments and links shared through phishing emails. 

Share this Intel:

The Carrier

  • Two separate spear-phishing email campaigns deliver Crimson RAT through an attachment and a link.
  • The link sent through mail contains a malicious PE (executable) file. It has two ZIP files and a DOC file embedded in the resource section.
  • The attachment sent along with the email has an embedded malicious macro.

The Malware

  • On execution, based on the OS version, the malicious attachments drop a 32-bit or 64-bit version of payload stored in the resources.
  • The ZIP payload is dropped and executed to deliver the RAT.
  • Once the RAT is executed, it loads a clean CV DOC file and then executes it.

The Risk

  • Crimson RAT exfiltrates files and system data, transfers it over non-web channels to its command-and-control (C&C) server.
  • The malware, on its own, is also capable of capturing the screen of the target device and terminate any or all running processes.
  • It downloads more payloads from its C&C server to steal browser credentials and record keyboard strokes.

Indicators of Compromise

URLs:
  • cloudsbox[.]net/files/sonam karwati.exe
  • cloudsbox[.]net/sonam11
  • cloudsbox[.]net/files/preet.doc
  • 181.215.47[.]169:3368
  • 181.215.47[.]169:6728
  • 181.215.47[.]169:15418
  • 181.215.47[.]169:8822
  • 181.215.47[.]169:13618
FIle HASHES:
  • 1BBAB11B9548C5E724217E506EAB2056 (sonam karwati.exe)
  • 66DA058E5FE7C814620E8AF54D6ADB96 (brwmarivas7.zip)
  • D62156FA2C5BFFDC63F0975C5482EAB6 (brwmarivas7.exe)
  • 63BA59C20E141E635587F550B46C02CD (brwmarivas8.zip)
  • 88309987F49955F88CCF4F92CFBA6CD7 (brwmarivas8.exe)
  • 5BF97A6CB64AE6FD48D6C5D849BE8983 (rihndimrva.doc)
  • CBFAE579A25DF1E2FE0E02934EFD65DC (sonam.doc)
  • 3952EBEDF24716728B7355B8BE8E71B6 (preet.doc)

Be informed about these Threats in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about these threats first in your inbox.

Subscribe now