APT36 uses Coronavirus to Spread Crimson RAT


APT36 has been using a fake health advisory that plays on the global panic around the coronavirus pandemic to spread the Crimson RAT. Crimson RAT's functions include stealing credentials from browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories on victim machines. Such data exfiltration capabilities are typical of APT36, which has been active since 2016.

Previous APT36 campaigns relied mainly on spear phishing and watering hole attacks to gain a foothold on victims. This most recent phishing email attaches a malicious macro document that targets vulnerabilities in RTF files. This is a high-severity Microsoft vulnerability that allows hackers to execute Visual Basic script when a user opens a malicious Microsoft Office RTF document.


The email pretends to be a Health Advisory regarding the coronavirus pandemic. Once victims open the attached malicious document and enable macros, the Crimson RAT is dropped. The malicious macro first creates two directories with the names Edlacar and Uahaiws and then checks the OS type. Based on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format, which is stored in one of the two textboxes in UserForm1. It then drops the zip payload into the Uahaiws directory and unzips its content, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.
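The infection chain described above leaves a distinctive footprint in endpoint telemetry: the Office host process writes files into freshly created directories and then launches a program from one of them. The following detection logic is an added example, not code from the original article or from any vendor; it runs over a handful of constructed, Sysmon-style events (event ID 11 for file creation, event ID 1 for process creation), and the paths, user name and file names are assumptions chosen only to mirror the behaviour the article describes.

```python
import ntpath
from typing import Dict, Iterable, List

# Office host processes that should very rarely write or launch executables.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}

# Assumed install path of the Office host (placeholder, not from the article).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry loosely modelled on Sysmon event IDs
# (11 = FileCreate, 1 = ProcessCreate). These are not real logs; the
# directory names Edlacar and Uahaiws are the ones named in the article.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 11, "image": WINWORD, "target": r"C:\Users\alice\Uahaiws\payload.zip"},
    {"id": 11, "image": WINWORD, "target": r"C:\Users\alice\Edlacar\svc.exe"},
    {"id": 1, "parent_image": WINWORD, "image": r"C:\Users\alice\Edlacar\svc.exe"},
    # Benign: Word launching the 64-bit print spooler helper.
    {"id": 1, "parent_image": WINWORD, "image": r"C:\Windows\splwow64.exe"},
    # Benign: Word saving a document.
    {"id": 11, "image": WINWORD, "target": r"C:\Users\alice\Documents\report.docx"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect_office_drop_and_exec(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Correlate Office file writes with later Office-spawned processes.

    Two rules are applied in event order:
      office_wrote_executable  - an Office process created a file with an
                                 executable extension.
      office_executed_own_drop - an Office process launched a program whose
                                 path it had written earlier in the stream.
    Returns one finding per rule hit.
    """
    written_by_office = set()  # lower-cased paths written by an Office host
    findings: List[Dict[str, str]] = []

    for ev in events:
        if ev["id"] == 11 and _basename(str(ev["image"])) in OFFICE_IMAGES:
            target = str(ev["target"])
            written_by_office.add(target.lower())
            if _ext(target) in EXECUTABLE_EXTENSIONS:
                findings.append({
                    "rule": "office_wrote_executable",
                    "office": _basename(str(ev["image"])),
                    "path": target,
                })
        elif ev["id"] == 1 and _basename(str(ev["parent_image"])) in OFFICE_IMAGES:
            child = str(ev["image"])
            # A child launched from a path the same Office host just wrote is
            # the macro-drop-then-Shell pattern described in the article.
            if child.lower() in written_by_office:
                findings.append({
                    "rule": "office_executed_own_drop",
                    "office": _basename(str(ev["parent_image"])),
                    "path": child,
                })

    return findings


if __name__ == "__main__":
    for finding in detect_office_drop_and_exec(SAMPLE_EVENTS):
        print(f"{finding['rule']}: {finding['office']} -> {finding['path']}")
```

The correlation is deliberately stateful: the second rule fires only when the executed path was seen in an earlier write by an Office host, which keeps ordinary Office child processes such as the print helper out of the results. In a real deployment the `written_by_office` set would need a time window and per-host scoping, and the extension list should be extended to script hosts that a macro could invoke instead of a dropped executable.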

Coronavirus has been used by various APTs over the last week to infect victims with malware. Last week a Chinese APT group was spotted leveraging COVID-19 to infect Mongolian victims with a previously unknown malware called Vicious Panda. Beyond that, hackers continue to launch coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams.