APT36 Spreads Fake Coronavirus Health Advisory Delivers Crimson RAT

APT36 spreads fake coronavirus health advisory

APT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email is either a malicious macro document or an rtf file exploiting vulnerabilities, such as CVE-2017-0199.

In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India ( email.gov.in.maildrive[.]email/?att=1579160420 ).

Figure 1: Phishing document containing malicious macro code

Figure 2: malicious macro

Based on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is stored in one of the two textboxes in UserForm1 (Figure 3).

Figure 3: embedded payloads in ZIP format

Crimson RAT

The Crimson RAT has been written in .Net (Figure 4) and its capabilities include:

  • Stealing credentials from the victim’s browser
  • Listing running processes, drives, and directories on the victim’s machine
  • Retrieving files from its C&C server
  • Using custom TCP protocol for its C&C communications
  • Collecting information about antivirus software
  • Capturing screenshots

Figure 4: Crimson RAT

Upon running the payload, Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).

Figure 5: TCP communications

Indicators of Compromise

Decoy URLs


Decoy documents


Crimson RAT

0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748


107.175.64[.]209 64.188.25[.]205



1 Like