A Pakistani-linked threat actor, APT36, has been observed using a decoy health advisory that exploits the global panic around the coronavirus pandemic to spread the Crimson Remote Access Trojan (RAT).
Crimson RAT can steal credentials from browsers, capture screenshots, collect information about installed antivirus software, and list drives, directories, running processes, and more. Such data-collection and exfiltration capabilities are typical of APT36, also known as ProjectM, Mythic Leopard, Transparent Tribe, and TEMP.Lapis, a group that has been active since at least 2016.
APT36 suspected to have strong Pakistani ties
APT36 is believed to be a Pakistani-backed threat actor that mostly targets defense, embassies, and government institutions in India. The group conducts cyber espionage with the goal of collecting sensitive information from Indian targets.
Researchers have noted that previous APT36 campaigns relied on watering-hole and spear-phishing tactics to reach their victims. Recent phishing emails carried either Office documents with malicious macros or RTF (Rich Text Format) files that exploit vulnerabilities such as CVE-2017-0199; a successful exploit lets the attackers execute Visual Basic scripts as soon as the document is opened, with no macro prompt involved.
Emails are being used to spread the scam to India
The emails pretended to come from a legitimate Indian government source, using the lookalike URL email.gov.in.maildrive[.]email/?att=1579160420 (the registered domain is maildrive[.]email; 'email.gov.in' is only a subdomain chosen to fool a quick glance), and claimed to carry a 'Health Advisory' about the coronavirus pandemic. Once a victim opens the attached malicious document and enables macros, Crimson RAT is dropped and executed.
The malicious macro first creates two directories, named 'Edlacar' and 'Uahaiws', and then checks the operating system type. Based on whether the system is 32-bit or 64-bit, it selects the matching version of the primary RAT payload, which is embedded in the document itself as a zip archive stored in one of the two textboxes of UserForm1 rather than downloaded from the network. The macro writes the archive into the Uahaiws directory and unzips it with the UnAldizip function, which drops the RAT executable into the Edlacar directory. Finally, it calls the Shell function to execute the remote access Trojan.
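The dropper behaviour described above (directory creation, an architecture check, a payload pulled out of a UserForm control, an unzip helper, and a Shell launch) is a pattern that can be triaged heuristically once the VBA has been extracted from a document (for example with olevba from the oletools project). The script below is an added example written for this page, not code from the original article or from the researchers; the VBA sample it scans is constructed for illustration and is not the real APT36 macro, although the directory and function names are taken from the description above. The indicator weights and the threshold are assumptions chosen for the example.

```python
"""Heuristic triage of extracted VBA source for the "embedded-zip dropper"
pattern: auto-exec entry point, MkDir, 32/64-bit check, payload read from
a UserForm textbox, zip extraction, and a Shell() launch of the result.

Example code for this page; the VBA below is CONSTRUCTED, not the real
macro, and the weights/threshold are assumptions, not published values.
"""
import re

# Constructed sample modelled on the behaviour described in the article.
SAMPLE_VBA = r"""
Sub AutoOpen()
    Dim base As String, zipPath As String, payload As String
    base = Environ("ALLUSERSPROFILE")
    MkDir base & "\Edlacar"
    MkDir base & "\Uahaiws"
    If Environ("PROCESSOR_ARCHITECTURE") = "AMD64" Then
        payload = UserForm1.TextBox2.Text   ' 64-bit archive
    Else
        payload = UserForm1.TextBox1.Text   ' 32-bit archive
    End If
    zipPath = base & "\Uahaiws\stage.zip"
    WriteBytes zipPath, payload
    UnAldizip zipPath, base & "\Edlacar"
    Shell base & "\Edlacar\stage.exe", vbHide
End Sub

Sub UnAldizip(src As String, dst As String)
    Dim sa As Object
    Set sa = CreateObject("Shell.Application")
    sa.Namespace(dst).CopyHere sa.Namespace(src).Items
End Sub
"""

# Constructed benign macro used as a control case.
BENIGN_VBA = r"""
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1:D1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
"""

# indicator name -> (regex, weight). VBA is case-insensitive, so match likewise.
INDICATORS = {
    "auto_exec":    (r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", 2),
    "mkdir":        (r"\bMkDir\b", 1),
    "arch_check":   (r"(PROCESSOR_ARCHITECTURE|#If\s+Win64|\bWin64\b)", 2),
    "form_payload": (r"\bUserForm\d*\.\w*TextBox\d*\b", 3),
    "unzip":        (r"(Shell\.Application|\.CopyHere\b|\.zip\b)", 2),
    # Shell(...) / Shell "..." launch; exclude the Shell.Application COM object.
    "shell_exec":   (r"\bShell\b(?!\.)", 3),
    "env_path":     (r"\bEnviron\s*\(", 1),
}

DEFAULT_THRESHOLD = 7  # assumption: score at or above this is "suspicious"


def scan_vba(source):
    """Return {indicator: [matching source lines]} for every indicator that fires."""
    hits = {}
    for name, (pattern, _weight) in INDICATORS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        lines = [ln.strip() for ln in source.splitlines() if rx.search(ln)]
        if lines:
            hits[name] = lines
    return hits


def score(hits):
    """Sum the weight of each distinct indicator that fired (not per line)."""
    return sum(INDICATORS[name][1] for name in hits)


def triage(source, threshold=DEFAULT_THRESHOLD):
    """Scan one macro and return a verdict with the supporting evidence."""
    hits = scan_vba(source)
    total = score(hits)
    return {"score": total, "suspicious": total >= threshold, "hits": hits}


if __name__ == "__main__":
    for label, vba in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        verdict = triage(vba)
        print(f"{label}: score={verdict['score']} suspicious={verdict['suspicious']}")
        for name, lines in verdict["hits"].items():
            print(f"  {name}: {lines[0]}")
```

The score is computed per distinct indicator rather than per matching line, so a macro that calls MkDir fifty times does not outrank one that shows the full chain; a Shell launch of a payload that was read out of a form control and unzipped is what pushes a document over the threshold.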
Once Crimson RAT connects to its hardcoded command-and-control server, it sends the collected victim information back, including a list of process IDs and the running processes, the username, the machine hostname, and more. Researchers also noted that APT36 has used several other RATs over the years, including njRAT, DarkComet, and Luminosity RAT.
In past campaigns, the group compromised Indian military and government systems and databases and stole data including training, tactical, and official documents, as well as strategic plans. It also got away with personal data such as text messages, contact details, and passport scans.
More APTs using the pandemic to spread chaos
At the time of writing, several APTs are using the COVID-19 pandemic as a lure to infect victims with malware. A Chinese APT group was seen using COVID-19 fears to infect Mongolian victims with previously unseen malware in a campaign dubbed "Vicious Panda." As the pandemic spreads in the physical world, attackers keep leveraging coronavirus-themed lures, and the panic they generate, in credential-stuffing scams, malware attacks, and booby-trapped URLs.
Researchers stress that employees must be made aware of these ongoing scams, especially now that more businesses are moving to a work-from-home model. The situation is being used as an opportunity to spread misinformation and generate mass hysteria while capitalizing on public fear with malware campaigns.