APT36 spreads fake coronavirus health advisory
APT36 relies mainly on spear phishing and watering hole attacks to gain a foothold on its victims. The phishing email carries either a malicious macro document or an RTF file exploiting a vulnerability such as CVE-2017-0199.
In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).
Figure 1: Phishing document containing malicious macro code
Figure 2: Malicious macro
Based on the OS type, the macro picks either the 32-bit or the 64-bit version of its RAT payload, which is stored in ZIP format in one of the two textboxes of UserForm1 (Figure 3).
Figure 3: Embedded payloads in ZIP format
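As an added defensive example (not code from the original post), the following Python scans the raw value of a form control for embedded ZIP local file headers and reports each member's name and whether its leading decompressed bytes carry the PE "MZ" header, which is how a hidden executable like the one described above can be triaged. It assumes the textbox values have already been extracted from the OLE document (for example with oletools); the sample blobs and the file name payload32.exe are constructed here.

```python
import io
import struct
import zipfile
import zlib

ZIP_LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header signature
PE_MAGIC = b"MZ"                # DOS header that starts every Windows PE file

def _member_head(blob, pos):
    """Parse the ZIP local file header at pos; return (member name, first
    two decompressed bytes or None if the method is not stored/deflate)."""
    method = struct.unpack_from("<H", blob, pos + 8)[0]
    comp_size = struct.unpack_from("<I", blob, pos + 18)[0]
    name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
    name_start = pos + 30
    name = blob[name_start:name_start + name_len].decode("latin-1", "replace")
    data_start = name_start + name_len + extra_len
    payload = blob[data_start:data_start + comp_size]
    if method == 0:                      # stored: bytes are in the clear
        return name, payload[:2]
    if method == 8:                      # deflate: inflate only two bytes
        try:
            return name, zlib.decompressobj(-15).decompress(payload, 2)
        except zlib.error:
            return name, None
    return name, None

def scan_form_control(blob):
    """Return [(offset, member_name, looks_like_pe)] for every ZIP member
    header hidden in a form-control value such as a UserForm textbox."""
    hits = []
    pos = blob.find(ZIP_LOCAL_HDR)
    while pos != -1 and pos + 30 <= len(blob):
        name, head = _member_head(blob, pos)
        hits.append((pos, name, head is not None and head.startswith(PE_MAGIC)))
        pos = blob.find(ZIP_LOCAL_HDR, pos + 4)
    return hits

def build_sample_control(member_name, content):
    """Constructed stand-in for a textbox value with a ZIP hidden inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return b"Loading, please wait..." + buf.getvalue() + b"\x00" * 8

# Constructed samples: one textbox hides a fake PE, the other a harmless text file
TEXTBOX_PE = build_sample_control("payload32.exe", b"MZ" + b"\x90" * 512)
TEXTBOX_TXT = build_sample_control("notes.txt", b"just text")
```

Running `scan_form_control` over both samples flags only the first, since the second member inflates to plain text rather than an "MZ" header.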
Crimson RAT is written in .NET (Figure 4) and its capabilities include:
- Stealing credentials from the victim’s browser
- Listing running processes, drives, and directories on the victim’s machine
- Retrieving files from its C&C server
- Using a custom TCP protocol for its C&C communications
- Collecting information about antivirus software
- Capturing screenshots
Figure 4: Crimson RAT
Upon running the payload, Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).
Figure 5: TCP communications
Indicators of Compromise