CrimsonIAS Backdoor Description
Researchers have discovered a new Delphi-based backdoor threat that has been active since at least 2017. If fully deployed, the malware allows the attackers to execute arbitrary commands by running command-line tools, exfiltrate selected files, or drop additional files onto the compromised machine. The analysis revealed that the CrimsonIAS Backdoor exhibits a peculiar trait not often seen among this type of malware: instead of acting as a beacon like most Windows-based backdoors, the CrimsonIAS Backdoor runs only in listening mode, awaiting incoming connections. This signals that the targeted machine must be exposed to the public Internet or that the attackers have some other way of accessing the victim's network.
Although not enough to act as solid evidence, researchers did find that several characteristics of the CrimsonIAS Backdoor are similar to aspects of corrupted PlugX samples used in the operations of the hacker group Mustang Panda (also known as BRONZE PRESIDENT and RedDelta). The group is believed to be a China-based espionage actor that concentrates its activities primarily on targets in Mongolia, Vietnam, and Hong Kong. Among its usual targets are non-governmental organizations (NGOs), political entities, and law enforcement agencies. The three main similarities between the CrimsonIAS Backdoor and the Mustang Panda PlugX samples are the use of a 10-byte XOR key prepended to the encrypted binary, shellcode similarities in the MZ header, and the use of an exported loader function.
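As an added triage example (not code from the researchers' report), the following check applies the first similarity: treat the first 10 bytes of a blob as the XOR key and accept the decoded remainder only if it carries a valid MZ/PE header. It assumes the key repeats across the whole payload, which the description does not state, and uses a constructed fake PE stub rather than a real sample.

```python
"""Triage check for the prepended 10-byte XOR key layout (added example)."""
from typing import Optional

KEY_LEN = 10  # key length from the description; the key occupies offset 0


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (assumption: the key cycles over the payload)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(image: bytes) -> bool:
    """True if image starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(image[0x3C:0x40], "little")
    return image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_prepended_key_blob(blob: bytes) -> Optional[bytes]:
    """Use the first KEY_LEN bytes as the key, decode the rest, and return the
    decoded bytes only when they form a PE image; otherwise return None."""
    if len(blob) <= KEY_LEN:
        return None
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    decoded = xor_repeating(body, key)
    return decoded if looks_like_pe(decoded) else None


def build_blob(payload: bytes, key: bytes) -> bytes:
    """Build a key-prepended blob; used only to construct the sample below."""
    return key + xor_repeating(payload, key)


# Constructed sample: a minimal fake DOS/PE header, not a real malware sample.
SAMPLE_KEY = bytes(range(0x11, 0x11 + KEY_LEN))
SAMPLE_PAYLOAD = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
                  + b"PE\x00\x00" + b"constructed stub")
SAMPLE_BLOB = build_blob(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    result = decode_prepended_key_blob(SAMPLE_BLOB)
    print("PE image recovered" if result else "no PE image after decode")
```

A blob that decodes to anything other than a PE image is rejected, so the check can be run over candidate files without producing false hits on arbitrary data.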
The hackers behind the CrimsonIAS Backdoor have steadily introduced new techniques into the threat's capabilities to keep pace with modern trends, although the rate of improvement is not sufficient to say that the CrimsonIAS Backdoor is still under active development. The biggest change can be observed in the way the corrupted code is executed. In earlier versions, the backdoor functionality was initiated through a Windows service registered and launched through a CPlApplet exported function. Newer versions of the threat have moved away from that method altogether and now employ a reflective loader technique, a feature seen in several other malware families.