Crimson RAT

Crimson is a Remote Access Trojan (RAT), malware used to take remote control of infected systems and steal data. This particular RAT is known to be used by a cybergang of Pakistani origin that targets Indian military assets to steal sensitive information.

Type: Trojan
Origin: Pakistan
First seen: 1 January, 2016
Last seen: 11 May, 2022
Also known as: SEEDOOR, Scarimson
Global rank: 44
Week rank: 36
Month rank: 39
IOCs: 264

What is Crimson RAT?

Crimson is a Remote Access Trojan: malware that cybercriminals or threat groups can use to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials, and more.

Crimson is known to be used in particular by an APT (Advanced Persistent Threat), a state-sponsored cyber gang. Consequently, the Crimson RAT is aimed at a very specific group of victims, among them Indian government organizations and the military.

General description of Crimson RAT

Crimson RAT is among the malware families that use information related to the coronavirus as a lure to infect victims' machines. The strategy of exploiting a natural disaster, the need for information and the stress of potential victims is not new among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing in some cyber-attack schemes.

As such, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed, it can perform several malicious functions, most of which are aimed at information gathering. The RAT can record the running processes on an infected machine and share the list with the attackers, take screenshots, and steal information from web browsers. The malware can also download files onto infected systems from a control server.

As mentioned above, the Crimson RAT is operated by an APT, specifically APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively Indian officials and military personnel. It is believed that the sensitive information the APT collects is used by Pakistan in military efforts against India.

APT36, which is also commonly known as Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the theft of tactical and training information. However, other malware samples were used in those previous attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.

Figure 1: The execution process of the Crimson RAT. This graph was generated by ANY.RUN.

Figure 2: A text report that users can create in ANY.RUN. Text reports can be used to present the findings and can be customized to show only the necessary data.

Crimson RAT execution process

The Crimson RAT execution process is fairly straightforward, but it can vary from sample to sample. Often the malware executable is embedded directly inside a malicious document, and once the user opens it, the document drops the trojan. In other cases, a maldoc contains a macro that leverages PowerShell to download and start a Crimson executable. After the trojan starts, it tries to establish a connection with a C2 server and transmits information about the victim's system along with the list of running processes on that system.

Crimson RAT malware distribution

Crimson RAT spreads through highly targeted email campaigns that follow the same scenario as Quasar RAT. Spear-phishing techniques that leverage fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file which allegedly contains information related to the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities such as CVE-2017-0199.

How to detect Crimson RAT

Analysts can detect the Crimson RAT based on its file operations. To do so, click on the process in the "Process list" section, and in the "Process details" window that appears click the "More info" button. In the "Event" section, switch from "Friendly" to "Raw". Then enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations with a folder bearing one of these names are found, you can be sure that you are looking at Crimson RAT.
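As an added example (not ANY.RUN's code), the following Python script applies the two observations above, an Office host spawning PowerShell and file operations inside a folder named Edlacar, Dhrolas, Ardscar or Dtromera, to a constructed set of raw events; the event line format, the process names and the paths are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Folder names the article gives as Crimson RAT file-operation indicators.
CRIMSON_FOLDERS = {"edlacar", "dhrolas", "ardscar", "dtromera"}
# Office hosts under which a maldoc macro would run (assumed, not from the page).
OFFICE_HOSTS = {"winword.exe", "excel.exe"}

@dataclass
class Event:
    pid: int
    image: str   # image name of the process that performed the operation
    op: str      # "file" (file operation) or "process" (child process start)
    target: str  # file path, or full path of the spawned child

def parse_events(lines):
    """Parse constructed raw event lines of the form pid|image|op|target."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, image, op, target = line.split("|", 3)
        events.append(Event(int(pid), image.lower(), op.lower(), target))
    return events

def detect_crimson(lines):
    """Return findings: Crimson folder hits and Office-to-PowerShell spawns."""
    findings = []
    for e in parse_events(lines):
        if e.op == "file":
            # Match only a whole path component (a folder), never a substring of a file name.
            hit = [p for p in re.split(r"[\\/]", e.target) if p.lower() in CRIMSON_FOLDERS]
            if hit:
                findings.append(f"pid {e.pid} ({e.image}): file operation in Crimson folder '{hit[0]}'")
        elif e.op == "process":
            child = re.split(r"[\\/]", e.target)[-1].lower()
            if e.image in OFFICE_HOSTS and child == "powershell.exe":
                findings.append(f"pid {e.pid} ({e.image}): spawned powershell.exe, possible macro dropper")
    return findings

# Constructed sample events; pids, file names and paths are invented for illustration.
SAMPLE_EVENTS = r"""
# pid|image|op|target
4120|EXCEL.EXE|process|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5208|powershell.exe|file|C:\Users\victim\AppData\Roaming\payload.exe
6016|payload.exe|file|C:\Users\victim\AppData\Roaming\Edlacar\settings.dat
6016|payload.exe|file|C:\Users\victim\AppData\Roaming\Dhrolas\log.txt
7000|explorer.exe|file|C:\Users\victim\Documents\Ardscar.xlsx
""".strip().splitlines()

if __name__ == "__main__":
    for finding in detect_crimson(SAMPLE_EVENTS):
        print(finding)
```

The last sample line shows why the indicator is matched as a folder component: a document merely named "Ardscar.xlsx" does not trigger the rule.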

Conclusion

Crimson, like Netwalker, is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far this particular malware has been used almost exclusively in military espionage, but it may well become more widespread in the future.

Since this is a lesser-known malware family, not many samples are available for analysis. Thankfully, the ANY.RUN malware hunting service offers an opportunity to study this RAT in an interactive simulation, allowing quick and simple dynamic analysis in a secure online environment.

IOCs

