Crimson RAT

Crimson is a Remote Access Trojan — malware used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistan-based cyber gang that targets Indian military organizations to steal sensitive information.

Type: Trojan
Origin: Pakistan
First seen: 1 January 2016
Last seen: 6 August 2020
Also known as: SEEDOOR, Scarimson
Global rank: 40
Week rank: 25
Month rank: 32
IOCs: 170

What is Crimson RAT?

Crimson is a Remote Access Trojan — malware that cybercriminals or threat groups use to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials and more.

Crimson is known to be used particularly by an APT (Advanced Persistent Threat), a state-sponsored cyber gang. Therefore, the Crimson RAT is aimed at a very specific group of victims, among whom are Indian government organizations and the military.

General description of Crimson RAT

Crimson RAT is among the malware families that use coronavirus-related information to infect their victims' machines. The strategy of exploiting a natural disaster, together with the stress and the need for information of potential victims, is not new among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing in some cyber-attack schemes.

Accordingly, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed, it can perform several malicious functions, most of them aimed at information gathering. The RAT can record the processes running on an infected machine and share the list with the attackers, take screenshots, and steal information from web browsers. The malware can also download files onto infected systems from a control server.

As mentioned above, the Crimson RAT is operated by an APT: specifically APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively Indian officials and military personnel. It is believed that the sensitive information the APT collects is used by Pakistan in military efforts against India.

APT36, also commonly known as Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the theft of tactical and training information. However, other malware samples were used in those previous attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.

Figure 1: Execution process graph of the Crimson RAT, generated by ANY.RUN.

Figure 2: A text report that users can create in ANY.RUN. Text reports can be used to present the findings and can be customized to show only the necessary data.

Crimson RAT execution process

The Crimson RAT execution process is fairly straightforward, but it can vary from sample to sample. Often, the malware executable is embedded directly inside a malicious document, and once the user opens the document, it drops the trojan. In other cases, a maldoc contains a macro that leverages PowerShell to download and start a Crimson executable. After the trojan starts, it tries to establish a connection with a C2 server and transmits information about the victim's system along with the list of processes running on it.

Crimson RAT malware distribution

Crimson RAT spreads through highly targeted email spam campaigns. Spear-phishing techniques that leverage fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file that allegedly contains information about the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities such as CVE-2017-0199.

How to detect Crimson RAT

Analysts can detect the Crimson RAT based on its file operations. To do so, click on the process in the "Process list" section and, in the "Process details" window that appears, click the "More info" button. In the "Event" section, switch from "Friendly" to "Raw". Then enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations with a folder with one of these names are found, be sure — that's the Crimson RAT in front of you.
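The same check, automated over exported file-operation events, as an added Python example that is not part of the article or of ANY.RUN's tooling: it scans constructed sample events in an assumed "<pid> <operation> <path>" format for the four folder names the article gives, matching whole path components rather than substrings so that a similarly named file does not trigger a false positive.

```python
import re
from typing import Iterable, List, Optional

# Folder names the article lists as Crimson RAT artifacts.
CRIMSON_FOLDERS = {"edlacar", "dhrolas", "ardscar", "dtromera"}

# Constructed sample of raw file-operation events in an assumed
# "<pid> <operation> <path>" format (not ANY.RUN's own export format).
SAMPLE_EVENTS = """\
1234 CreateFile C:\\Users\\victim\\AppData\\Roaming\\Edlacar\\update.exe
1234 WriteFile C:\\Users\\victim\\AppData\\Roaming\\Edlacar\\update.exe
2048 CreateFile C:\\Windows\\System32\\drivers\\etc\\hosts
3333 CreateFile C:\\Users\\victim\\Documents\\ardscar_notes.txt
4444 CreateFile C:\\ProgramData\\Dtromera\\settings.dat
"""

_SPLIT = re.compile(r"[\\/]+")  # accept either path separator


def path_components(path: str) -> List[str]:
    """Split a Windows or POSIX path into lowercased components."""
    return [c.lower() for c in _SPLIT.split(path) if c]


def crimson_folder(path: str) -> Optional[str]:
    """Return the matching Crimson folder name, or None.

    Whole-component matching keeps a file such as 'ardscar_notes.txt'
    from being flagged while still catching 'Ardscar' as a directory.
    """
    for component in path_components(path):
        if component in CRIMSON_FOLDERS:
            return component
    return None


def find_crimson_events(events: Iterable[str]) -> List[dict]:
    """Parse events and return those whose path touches a Crimson folder."""
    hits = []
    for line in events:
        line = line.strip()
        if not line:
            continue
        pid, op, path = line.split(" ", 2)
        folder = crimson_folder(path)
        if folder:
            hits.append({"pid": int(pid), "op": op, "path": path, "folder": folder})
    return hits


if __name__ == "__main__":
    for hit in find_crimson_events(SAMPLE_EVENTS.splitlines()):
        print(f"pid {hit['pid']}: {hit['op']} {hit['path']} (folder: {hit['folder']})")
```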

Conclusion

Crimson is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far, this particular malware has been used almost exclusively for military espionage, but it may well become more widespread in the future.

Since this is a lesser-known malware, not many samples are available for analysis. Thankfully, the ANY.RUN malware hunting service offers an opportunity to study this RAT interactively, allowing for quick and simple dynamic analysis in a secure online environment.
