{"id":17896,"date":"2020-03-17T20:30:27","date_gmt":"2020-03-18T04:30:27","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11629\/"},"modified":"2020-03-17T20:30:27","modified_gmt":"2020-03-18T04:30:27","slug":"news-11629","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11629\/","title":{"rendered":"APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT"},"content":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Mon, 16 Mar 2020 15:00:00 +0000<\/strong><\/p>\n<p>Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a <a href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/02\/battling-online-coronavirus-scams-with-facts\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"golden opportunity for threat actors (opens in a new tab)\">golden opportunity for threat actors<\/a> to capitalize on fear, spread misinformation, and generate mass hysteria\u2014all while compromising victims with scams or malware campaigns.<\/p>\n<p>Profiting from global health concerns, <a rel=\"noreferrer noopener\" aria-label=\"natural disasters (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2019\/10\/help-prevent-disaster-donation-scams-from-causing-more-misery\/\" target=\"_blank\">natural disasters<\/a>, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, <a href=\"https:\/\/www.nclnet.org\/beware_of_h1n1_scams\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"H1N1 (swine flu) (opens in a new tab)\">H1N1 (swine flu)<\/a>, and avian flu have circulated online for more than a decade. 
According to <a rel=\"noreferrer noopener\" aria-label=\"reports (opens in a new tab)\" href=\"https:\/\/www.zdnet.com\/article\/state-sponsored-hackers-are-now-using-coronavirus-lures-to-infect-their-targets\/\" target=\"_blank\">reports from ZDNet<\/a>, many state-sponsored threat actors have already started to distribute coronavirus lures, including:<\/p>\n<ul>\n<li>Chinese APTs:\u00a0Vicious Panda, Mustang Panda<\/li>\n<li>North Korean APTs: Kimsuky<\/li>\n<li>Russian APTs: Hades group (believed to have ties with APT28), TA542 (<a href=\"https:\/\/blog.malwarebytes.com\/botnets\/2019\/09\/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Emotet (opens in a new tab)\">Emotet<\/a>)<\/li>\n<li>Other APTs: Sweed (Lokibot)<\/li>\n<\/ul>\n<p>Recently, the Red Drip team <a rel=\"noreferrer noopener\" aria-label=\"reported (opens in a new tab)\" href=\"https:\/\/twitter.com\/RedDrip7\/status\/1237983760802394112?s=20\" target=\"_blank\">reported<\/a> that APT36 was using a decoy health advisory document to spread a Remote Administration Tool (RAT).<\/p>\n<p>APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense sector, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as <a rel=\"noreferrer noopener\" aria-label=\"Transparent Tribe (opens in a new tab)\" href=\"https:\/\/www.proofpoint.com\/sites\/default\/files\/proofpoint-operation-transparent-tribe-threat-insight-en.pdf\" target=\"_blank\">Transparent Tribe<\/a>, ProjectM, Mythic Leopard, and TEMP.Lapis. 
<\/p>\n<h3>APT36 spreads fake coronavirus health advisory<\/h3>\n<p>APT36 mainly relies on both <a rel=\"noreferrer noopener\" aria-label=\"spear phishing (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/\" target=\"_blank\">spear phishing<\/a> and watering hole attacks to gain its foothold on victims. The phishing email carries either a malicious macro document or an RTF file exploiting vulnerabilities such as CVE-2017-0199.<\/p>\n<p>In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (<em>email.gov.in.maildrive[.]email\/?att=1579160420<\/em>).<\/p>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1.png\" data-rel=\"lightbox-0\" title=\"\"><img decoding=\"async\" data-attachment-id=\"42679\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/1-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1.png\" data-orig-size=\"1098,725\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"1-1\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1-300x198.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1-600x396.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1.png\" alt=\"\" class=\"wp-image-42679\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1.png 1098w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1-300x198.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/1-1-600x396.png 600w\" sizes=\"(max-width: 1098px) 100vw, 1098px\" \/><\/a><figcaption>Figure 1: Phishing document containing malicious macro code<\/figcaption><\/figure>\n<p>We looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names.<\/p>\n<p>The malicious document has two hidden macros that drop a RAT variant called Crimson RAT.\u00a0The malicious macro (Figure 2) first creates two directories with the names &#8220;Edlacar&#8221; and &#8220;Uahaiws&#8221; and then checks the OS type. <\/p>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1.png\" data-rel=\"lightbox-1\" title=\"\"><img decoding=\"async\" data-attachment-id=\"42675\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/3-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1.png\" data-orig-size=\"1006,794\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"3-1\" data-image-description=\"\" 
data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1-300x237.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1-600x474.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1.png\" alt=\"\" class=\"wp-image-42675\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1.png 1006w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1-300x237.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/3-1-600x474.png 600w\" sizes=\"(max-width: 1006px) 100vw, 1006px\" \/><\/a><figcaption>Figure 2: malicious macro<\/figcaption><\/figure>\n<p>Based on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is stored in one of the two textboxes in UserForm1 (Figure 3).<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4.png\" data-rel=\"lightbox-2\" title=\"\"><img decoding=\"async\" data-attachment-id=\"42676\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/4-28\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4.png\" data-orig-size=\"1119,733\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"4\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4-300x197.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4-600x393.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4-600x393.png\" alt=\"\" class=\"wp-image-42676\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4-600x393.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4-300x197.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/4.png 1119w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><figcaption>Figure 3: embedded payloads in ZIP format<\/figcaption><\/figure>\n<p>Then it drops the zip payload into the Uahaiws directory and unzips its content using the &#8220;UnAldizip&#8221; function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.<\/p>\n<h3>Crimson RAT<\/h3>\n<p>The Crimson RAT has been written in .Net (Figure 4) and its capabilities include: <\/p>\n<ul>\n<li>Stealing credentials from the victim\u2019s browser<\/li>\n<li>Listing running processes, drives, and directories on the victim\u2019s machine<\/li>\n<li>Retrieving files from its C&amp;C server<\/li>\n<li>Using custom TCP protocol for its C&amp;C communications <\/li>\n<li>Collecting information about antivirus software<\/li>\n<li>Capturing screenshots<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1.png\" data-rel=\"lightbox-3\" title=\"\"><img decoding=\"async\" data-attachment-id=\"42677\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/2-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1.png\" data-orig-size=\"1521,779\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2-1\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1-300x154.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1-600x307.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1.png\" alt=\"\" class=\"wp-image-42677\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1.png 1521w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1-300x154.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/2-1-600x307.png 600w\" sizes=\"(max-width: 1521px) 100vw, 1521px\" \/><\/a><figcaption>Figure 4: Crimson RAT<\/figcaption><\/figure>\n<p>Upon running the payload, Crimson RAT connects to its hardcoded C&amp;C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).<\/p>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5.png\" data-rel=\"lightbox-4\" title=\"\"><img decoding=\"async\" data-attachment-id=\"42678\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/5-22\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5.png\" data-orig-size=\"1261,360\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"5\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5-300x86.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5-600x171.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5.png\" alt=\"\" class=\"wp-image-42678\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5.png 1261w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5-300x86.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/5-600x171.png 600w\" sizes=\"(max-width: 1261px) 100vw, 1261px\" \/><\/a><figcaption>Figure 5: TCP communications<\/figcaption><\/figure>\n<h3>Ongoing use of RATs<\/h3>\n<p>APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.<\/p>\n<p>In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. 
They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.<\/p>\n<h3>Protection against RATs<\/h3>\n<p>While most general users needn&#8217;t worry about nation-state attacks, organizations wanting to protect against this threat should consider using an <a rel=\"noreferrer noopener\" aria-label=\"endpoint protection system (opens in a new tab)\" href=\"https:\/\/www.malwarebytes.com\/business\/endpointprotection\/\" target=\"_blank\">endpoint protection system<\/a> or <a rel=\"noreferrer noopener\" aria-label=\"endpoint detection and response (opens in a new tab)\" href=\"https:\/\/www.malwarebytes.com\/business\/endpointdetectionresponse\/\" target=\"_blank\">endpoint detection and response<\/a> with exploit blocking and real-time malware detection. <\/p>\n<p>Shoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/08\/social-engineering-attacks-what-makes-you-susceptible\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"social engineering attacks (opens in a new tab)\">social engineering attacks<\/a> from threat actors.<\/p>\n<p>Malwarebytes users are protected against this attack. 
We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" data-attachment-id=\"42682\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/attachment\/block-13\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block.png\" data-orig-size=\"712,249\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"block\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block-300x105.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block-600x210.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block.png\" alt=\"\" class=\"wp-image-42682\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block.png 712w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block-300x105.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block-600x210.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/block-470x165.png 470w\" sizes=\"(max-width: 712px) 100vw, 712px\" \/><\/figure>\n<h3>Indicators of Compromise<\/h3>\n<p>Decoy URLs<\/p>\n<pre class=\"wp-block-preformatted\">email.gov.in.maildrive[.]email\/?att=1579160420<br \/>email.gov.in.maildrive[.]email\/?att=1581914657<\/pre>\n<p>Decoy documents<\/p>\n<pre 
class=\"wp-block-preformatted\">876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656<br \/>20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a<\/pre>\n<p>Crimson RAT<\/p>\n<pre class=\"wp-block-preformatted\">0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748<\/pre>\n<p>C2s<\/p>\n<pre class=\"wp-block-preformatted\">107.175.64[.]209 64.188.25[.]205<\/pre>\n<h3>MITRE ATT&amp;CK<\/h3>\n<p><a href=\"https:\/\/attack.mitre.org\/software\/S0115\/\">https:\/\/attack.mitre.org\/software\/S0115\/<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/\">APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Mon, 16 Mar 2020 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/' title='APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/03\/shutterstock_508344517.png' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We look at a spear phishing attack from APT36, an Advanced Persistent Threat group posing as the government of India and offering guidance on coronavirus. 
Instead, users are infected with a Crimson RAT that steals data.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/apt\/\" rel=\"tag\">APT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/apt36\/\" rel=\"tag\">APT36<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/coronavirus\/\" rel=\"tag\">coronavirus<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/coronavirus-malware\/\" rel=\"tag\">coronavirus malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/covid-19\/\" rel=\"tag\">covid-19<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/credential-stealer\/\" rel=\"tag\">credential stealer<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crimson-rat\/\" rel=\"tag\">crimson rat<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit\/\" rel=\"tag\">exploit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploits\/\" rel=\"tag\">exploits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/info-stealer\/\" rel=\"tag\">info-stealer<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/macro\/\" rel=\"tag\">macro<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malicious-macro\/\" rel=\"tag\">malicious macro<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/nation-state-attack\/\" rel=\"tag\">nation-state attack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rat\/\" rel=\"tag\">rat<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/remote-administration-tool\/\" rel=\"tag\">remote administration tool<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-engineering\/\" rel=\"tag\">Social Engineering<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spear-phishing\/\" rel=\"tag\">spear phishing<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/spear-phishing-attack\/\" rel=\"tag\">spear phishing attack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/transparent-tribe\/\" rel=\"tag\">transparent tribe<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/' title='APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/03\/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat\/\">APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11029,24442,24152,24443,24444,24445,24446,11638,10987,24108,10515,24447,3764,22266,1810,11876,10510,11727,24448,10494,24449],"class_list":["post-17896","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apt","tag-apt36","tag-coronavirus","tag-coronavirus-malware","tag-covid-19","tag-credential-stealer","tag-crimson-rat","tag-exploit","tag-exploits","tag-info-stealer","tag-macro","tag-malicious-macro","tag-malware","tag-nation-state-attack","tag-rat","tag-remote-administration-tool","tag-social-engineering","tag-spear-phishing","tag-spear-phishing-attack","tag-threat-analysis","tag-transparent-tribe"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17896","targetHints":{"allow":["
GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17896"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17896\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17896"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}