Crimson Rat Description
Trojan.CrimsonRat is a detection name used by cybersecurity vendors for a Remote Access Trojan that is known to run as 'winservice.exe' on compromised systems. The Trojan.CrimsonRat malware is written in the Java programming language, and it is a cross-platform program that supports a Web access panel. Ironically, the payload of the Trojan is seen to arrive on systems as a file named 'securetyscan.exe,' which users may be led to believe is a recommended security product. Hence, the UAC (User Account Control) prompt that appears during installation is not likely to raise suspicion. The Trojan.CrimsonRat is known to register a background service named 'winservice.exe' and allow a threat actor to modify and delete files on the compromised PC. Additionally, threat actors can use the CrimsonRat Trojan to download and run secondary threats on the infected machines.
The CrimsonRat Trojan is reported to attempt to suppress security alerts from several AV utilities and limit their capabilities. The first wave of attacks facilitated by the CrimsonRat Trojan was registered in Germany, but the 'Command and Control' server configuration revealed that the threat actors are likely to be based in Sweden. Trojan.CrimsonRat is recorded to exchange data with the 220.127.116.11 IP address over port 12010, which is used to handle standard TCP/UDP connections. The Trojan.CrimsonRat malware is observed to report the compromised user's OS version, IP address, country of origin, keyboard layout, and a compiled list of installed software. The information may be used as a reference when the CrimsonRat operators decide to take advantage of the compromised device or sell the backdoor access to the PC via markets on the Dark Web. PC users who may have fallen victim to the CrimsonRat malware may notice missing files, unfamiliar programs running in the background, and their AV scanner being unresponsive. It is best that you run a complete system scan with a reliable anti-spyware scanner that can detect and eliminate Trojan.CrimsonRat securely. AV products ship rules designed to block CrimsonRat from being installed. Alerts triggered by CrimsonRat activity may carry the following detection names:
- RDN/Generic PWS.y
- Spyware ( 004f5c9a1 )
- a variant of MSIL/Spy.Keylogger.BNM
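The indicators named above (the 'securetyscan.exe' dropper, the 'winservice.exe' service and the 220.127.116.11:12010 C2 endpoint) can be turned into a simple triage check over endpoint logs. The following is an added example, not code from the original write-up: the log format is a constructed "type key=value" layout, and all sample events are constructed.

```python
# Indicators taken from the write-up above: dropper file name, service/process
# name and the C2 endpoint. Everything else in this block is constructed.
DROPPER_NAME = "securetyscan.exe"
SERVICE_NAME = "winservice.exe"
C2_ADDR = ("220.127.116.11", 12010)

# Constructed sample events in a simple "type key=value ..." line format
# (an assumed format, not any real product's log schema).
SAMPLE_LOG = """\
process image=C:\\Windows\\System32\\svchost.exe pid=912 parent=services.exe
process image=C:\\Users\\bob\\Downloads\\SecuretyScan.exe pid=4412 parent=explorer.exe
service name=winservice.exe image=C:\\ProgramData\\winservice.exe state=running
netconn pid=4420 dst=220.127.116.11 dport=12010 proto=tcp
netconn pid=912 dst=198.51.100.20 dport=443 proto=tcp
this line is malformed and must be skipped
"""

def parse_line(line):
    """Turn one event line into (type, {key: value}); None if malformed."""
    parts = line.split()
    if len(parts) < 2 or "=" not in parts[1]:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], fields

def classify(event):
    """Return the indicator names an event matches (empty list if none)."""
    kind, f = event
    hits = []
    image = f.get("image", "").rsplit("\\", 1)[-1].lower()  # basename only
    if kind == "process" and image == DROPPER_NAME:
        hits.append("dropper_executed")
    if kind == "service" and f.get("name", "").lower() == SERVICE_NAME:
        hits.append("persistence_service")
    if kind == "netconn" and (f.get("dst"), int(f.get("dport", 0))) == C2_ADDR:
        hits.append("c2_beacon")
    return hits

def scan_log(text):
    """Map each indicator name to the raw log lines that triggered it."""
    findings = {}
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for name in classify(event):
            findings.setdefault(name, []).append(line)
    return findings
```

Running `scan_log(SAMPLE_LOG)` on the constructed events flags one dropper execution, one persistence service and one C2 connection, while the benign svchost traffic and the malformed line produce nothing.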
File System Details
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.