Crimson RAT

Crimson is a Remote Access Trojan — malware used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistan-based cybergang that targets Indian military organizations to steal sensitive information.

Type: Trojan
Origin: Pakistan
First seen: 1 January, 2016
Last seen: 7 April, 2021
Also known as: SEEDOOR, Scarimson
Global rank: 43
Week rank: 24
Month rank: 37
IOCs: 219

What is Crimson RAT?

Crimson is a Remote Access Trojan — malware that cybercriminals or threat groups can use to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials and more.

Crimson is known to be used in particular by an APT (Advanced Persistent Threat), a state-sponsored cyber gang. Accordingly, the Crimson RAT is aimed at a very specific group of victims, among them Indian government organizations and the military.

General description of Crimson RAT

Crimson RAT is among the malware families that use coronavirus-themed lures to infect victims' machines. The strategy of exploiting a natural disaster, together with the need for information and the stress it creates in potential victims, is not new among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing by some cyber-attack schemes.

As such, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed, it can perform several malicious functions, most of which are aimed at information gathering. The RAT can record the running processes on an infected machine and share the list with the attackers, take screenshots, and steal information from web browsers. The malware can also download files from a control server onto infected systems.

As mentioned above, the Crimson RAT is operated by an APT, specifically APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively Indian officials and military personnel. The sensitive information the APT collects is believed to be used by Pakistan in military efforts against India.

APT36, which is also commonly known as Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the theft of tactical and training information. However, other malware samples were used in those previous attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.

Figure 1: The execution process of the Crimson RAT. This process graph was generated by ANY.RUN.

Figure 2: A text report that users can create in ANY.RUN. Text reports can be used to present the findings and can be customized to show only the necessary data.

Crimson RAT execution process

The Crimson RAT execution process is fairly straightforward, but it can vary from sample to sample. Often, the malware executable is embedded directly inside a malicious document, and once the user opens it, the document drops the trojan. In other cases, the maldoc contains a macro that leverages PowerShell to download and start a Crimson executable. After the trojan starts, it tries to establish a connection with a C2 server and transmits information about the victim's system together with the list of processes running on it.

Crimson RAT malware distribution

Crimson RAT spreads using highly targeted email spam campaigns. Spear-phishing techniques that leverage the fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file, which allegedly contains information related to the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities such as CVE-2017-0199.

How to detect Crimson RAT

Analysts can detect the Crimson RAT based on its file operations. To do so, click on the process in the "Process list" section and, in the "Process details" window that appears, click the "More info" button. In the "Event" section, switch from "Friendly" to "Raw". Then enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations on a folder with one of these names are found, be sure — that’s the Crimson RAT in front of you.
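As an added example (not part of the ANY.RUN write-up), the following Python applies the same folder-name check to exported raw file-operation events outside the sandbox UI; the event line format, the sample lines and the PIDs are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Folder names that the write-up above ties to Crimson RAT file operations.
CRIMSON_FOLDER_NAMES = {"edlacar", "dhrolas", "ardscar", "dtromera"}

# Assumed line format for exported raw events (a constructed format, not
# ANY.RUN's actual export): "<pid> <operation> <path>"
EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+)$")


def path_components(path: str) -> List[str]:
    """Split a Windows or POSIX path into its non-empty components."""
    return [c for c in re.split(r"[\\/]+", path) if c]


def find_crimson_file_ops(events: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, operation, matched folder) for every event whose path
    contains one of the known folder names as a whole component.

    Whole-component, case-insensitive matching means a document named
    'edlacarpet.docx' does not trigger, while '...\\Edlacar\\x.exe' does.
    """
    hits: List[Tuple[int, str, str]] = []
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated lines are skipped, not fatal
        for comp in path_components(m.group("path")):
            if comp.lower() in CRIMSON_FOLDER_NAMES:
                hits.append((int(m.group("pid")), m.group("op"), comp))
                break  # one hit per event is enough
    return hits


# Constructed sample events (not real sandbox output); PIDs and paths are made up.
SAMPLE_EVENTS = [
    "1234 CreateFile C:\\Users\\user\\AppData\\Roaming\\Edlacar\\rdhnfaer.exe",
    "1234 WriteFile C:\\Users\\user\\AppData\\Roaming\\Edlacar\\rdhnfaer.exe",
    "2210 CreateFile C:\\Users\\user\\Documents\\edlacarpet.docx",
    "3301 CreateDirectory C:/ProgramData/dtromera",
    "this line has no recognizable structure",
]

if __name__ == "__main__":
    for pid, op, folder in find_crimson_file_ops(SAMPLE_EVENTS):
        print(f"pid {pid}: {op} touched folder '{folder}'")
```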

Conclusion

Crimson is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far this particular malware has been used almost exclusively in military espionage, but it may very well become more widespread in the future.

Since this is a lesser-known malware, not many samples are available to analyze. Thankfully, the ANY.RUN malware hunting service provides an opportunity to study this RAT in an interactive simulation, allowing for quick and simple dynamic analysis in a secure online environment.

IOCs

