“Threat Actors Exploit Recent Election Results”

Threat actors leveraged a document claiming to report Indian Election Results to drop the Crimson RAT, a tool associated with the Transparent Tribe APT. The campaign also used an Excel file disguised as a university syllabus to drop the same Crimson RAT payload. #CrimsonRAT #TransparentTribe #LokSabhaElection

Keypoints

  • The Crimson RAT payload is dropped via a macro-enabled .docm document, tied to the Transparent Tribe APT.
  • The document contains embedded files, including the Crimson RAT payload and a decoy Election results document, extracted with olevba.
  • The macro decodes the embedded base64 content to recover the Crimson RAT binary and writes it out as a screensaver file (hacrvidth vibev.scr) in the user's Documents folder, from where it is launched.
  • A second lure, an Excel file disguised as a university syllabus, drops the same Crimson RAT payload; the syllabus document itself serves as the decoy.
  • The malware implements persistence by creating a Run registry entry for the current user and uses sleep delays to hinder sandbox analysis before C2 communication.
  • The RAT connects to a hardcoded C2 domain/IP and supports a list of commands (including exfiltration, process listing, screenshots, file operations, and more).
  • IOCs include multiple Crimson RAT hashes, a domain and an IP address, and decoy file hashes used in the campaign.
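The extraction chain in the keypoints above (embedded files pulled out, base64 content decoded, a ZIP unpacked to reach the Crimson RAT binary) is the routine a triage analyst repeats on every lure in the set. The script below is an added, self-contained illustration of that chain and is not code from K7 Labs or from the page: it scans document parts for long base64 runs, decodes them, unpacks any ZIP it finds, hashes the members and compares them against the Crimson RAT MD5s listed under Indicators of Compromise. It works on any bytes you hand it; for real documents the VBA source inside vbaProject.bin is MS-OVBA compressed, so decompress it first (olevba does this) and pass the text in. The sample document it builds is constructed for the demo, the stub "MZ" file is not a real executable, and the macro body is hypothetical; only the dropped-file name and the hashes come from the page.

```python
"""Added triage helper: pull a base64-encoded ZIP out of macro/document parts,
unpack it, hash the members and check them against the write-up's IOCs."""
import base64
import hashlib
import io
import re
import zipfile

# MD5s from the page's IOC list (Crimson RAT samples).
KNOWN_RAT_MD5 = {
    "e6f4bb8ed235f43cb738447fbf1757c3", "da2331ac3e073164d54bcc5323cf0250",
    "a54c435bdbc17608fa0b8826bbe9936d", "7a18b1bf9b07726327ba50e549764731",
    "d6b38a2272876d039d48b46aa874e7b9", "f49375748b279565b5aed83d9ee01eb2",
}
# Dropped file name exactly as the write-up renders it.
DROPPED_NAME = "hacrvidth vibev.scr"
# Only long unbroken base64 runs; short runs are almost always ordinary text.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def find_base64_blobs(data: bytes) -> list[bytes]:
    """Decode every long base64 run in data, skipping runs that fail strict decoding."""
    blobs = []
    for m in B64_RUN.finditer(data):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def classify(blob: bytes) -> str:
    """Crude magic-byte check: ZIP container, PE image, or unknown."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"MZ"):
        return "pe"
    return "unknown"


def scan_parts(parts: dict[str, bytes]) -> list[dict]:
    """parts maps a part name (a VBA module extracted with olevba, or an OOXML
    part) to its bytes. Returns one finding per decoded payload member."""
    findings = []
    for part, data in parts.items():
        for blob in find_base64_blobs(data):
            if classify(blob) == "zip":
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    members = {n: zf.read(n) for n in zf.namelist()}
            else:
                members = {"<inline>": blob}
            for name, content in members.items():
                md5 = hashlib.md5(content).hexdigest()
                findings.append({
                    "part": part, "member": name, "kind": classify(content),
                    "md5": md5, "known_rat": md5 in KNOWN_RAT_MD5,
                    "screensaver": name.lower().endswith(".scr"),
                })
    return findings


def scan_docm(docm_bytes: bytes) -> list[dict]:
    """A .docm/.xlsm is itself a ZIP; scan every part. For real samples the VBA
    in word/vbaProject.bin is MS-OVBA compressed: run olevba first and feed the
    recovered source to scan_parts instead of relying on the raw stream."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as doc:
        return scan_parts({n: doc.read(n) for n in doc.namelist()})


def build_constructed_sample() -> bytes:
    """Constructed input, not a real sample: a .docm-shaped ZIP whose macro part
    is plain text holding a base64 ZIP that contains a stub 'MZ' file."""
    stub = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED STUB - NOT A REAL PE" + b"\x00" * 512
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(DROPPED_NAME, stub)
    b64 = base64.b64encode(inner.getvalue())
    # Hypothetical macro body; only the shape (string literal -> drop) matters here.
    vba = (b'Sub AutoOpen()\r\n    Dim s As String\r\n    s = "' + b64 +
           b'"\r\n    DropToDocuments s\r\nEnd Sub\r\n')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/vbaProject.bin", vba)  # plain-text stand-in, see scan_docm
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_docm(build_constructed_sample()):
        print(finding)
```

On the constructed sample the scan reports a single member named hacrvidth vibev.scr with kind "pe", flagged as a screensaver drop and with known_rat False, since the stub is not one of the listed samples; a real document from the campaign would produce a member whose MD5 matches the IOC list.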

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The initial vector is a .docm attachment, the macro-enabled Word format, so the lure carries VBA that runs once the recipient allows macros. ‘The initial vector was a .docm file which has by default macro enabled setting.’
  • [T1204.002] User Execution – The recipient has to open the document and let its macro run; the document's embedded files include the “Crimson RAT” payload and the election-results decoy. ‘This document file contains embedded files, which includes the “Crimson RAT” payload and the Election results document.’
  • [T1132.001] Data Encoding – The embedded components use base64 encoding and are decoded to extract the payload. ‘All the three files contain a base64 encoded zip file having the “Crimson RAT” payload.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – The RAT creates a Run registry entry for persistence. ‘run registry persistence’.
  • [T1071.001] Web Protocols – The malware communicates with a hardcoded C2 domain/IP, sending data and receiving commands. ‘On connecting to the C2 server, the command and data to the process … are sent.’
  • [T1036] Masquerading – The second Excel file is disguised as a syllabus, masking its true purpose. ‘disguised as the syllabus of a university.’

Indicators of Compromise

  • [Hash, MD5] Election Lure: 4473b78e67067a9299227cc02b8e28e2, ad90e16ea4a9fe11525da7669cb4b8ee
  • [Hash, MD5] Crimson RAT: e6f4bb8ed235f43cb738447fbf1757c3, da2331ac3e073164d54bcc5323cf0250, a54c435bdbc17608fa0b8826bbe9936d, 7a18b1bf9b07726327ba50e549764731, d6b38a2272876d039d48b46aa874e7b9, f49375748b279565b5aed83d9ee01eb2
  • [Domain] waqers[.]duckdns[.]com – Hardcoded C2 domain used by the malware
  • [IP] 94.72.105[.]227 – Hardcoded C2 IP used by the malware
  • [Decoy, MD5] Election Decoy – 24fc6cacfbf0f87d2a24be7361c78c76, Syllabus Decoy – 4166a122e5eac964ba9f4b22e2881052
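The host-side behaviour this write-up describes (an Office process writing a .scr into the user's Documents folder, a Run value pointing at it, then a lookup of the C2 domain and a connection to the C2 address) maps cleanly onto Sysmon events 11, 13, 22 and 3. The hunt below is an added example written for this page, not a detection shipped by K7 Labs or by the page: it runs that logic over a few constructed Sysmon-style JSON events and tags each hit with the technique the list above assigns to it. The domain and IP are taken from the IOC list with the de-fanging removed; the user name, the SID, the Run value name and the benign events are invented for the demo, and the Sysmon field names (TargetFilename, TargetObject, Details, QueryName, DestinationIp) are the real ones.

```python
"""Added hunt: flag the drop, persistence and C2-contact stages described in the
write-up in Sysmon-style events, using the page's network IOCs."""
import json
import re

# Network IOCs from the IOC list, de-fanging removed.
C2_DOMAIN = "waqers.duckdns.com"
C2_IP = "94.72.105.227"
# Office processes that should not be writing screensaver files anywhere.
OFFICE_IMAGES = ("winword.exe", "excel.exe")

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCR_IN_DOCUMENTS = re.compile(r"\\Users\\[^\\]+\\Documents\\[^\\]*\.scr", re.I)

# Constructed Sysmon-style events (JSON lines), not real telemetry. User name,
# SID and the Run value name are hypothetical; the file path follows the page.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\Documents\\hacrvidth vibev.scr"}
{"EventID": 13, "Image": "C:\\Users\\alice\\Documents\\hacrvidth vibev.scr", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\hacrvidth", "Details": "C:\\Users\\alice\\Documents\\hacrvidth vibev.scr"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
{"EventID": 22, "Image": "C:\\Users\\alice\\Documents\\hacrvidth vibev.scr", "QueryName": "waqers.duckdns.com"}
{"EventID": 3, "Image": "C:\\Users\\alice\\Documents\\hacrvidth vibev.scr", "DestinationIp": "94.72.105.227"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "93.184.216.34"}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(technique: str, reason: str, evidence: str) -> dict:
    return {"technique": technique, "reason": reason, "evidence": evidence}


def hunt(events: list[dict]) -> list[dict]:
    """Return one alert per event matching a stage of the described chain."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        image = e.get("Image", "").lower()
        if (eid == 11 and image.endswith(OFFICE_IMAGES)
                and SCR_IN_DOCUMENTS.search(e.get("TargetFilename", ""))):
            alerts.append(_alert("T1204.002", "Office process wrote a .scr into Documents",
                                 e["TargetFilename"]))
        elif (eid == 13 and RUN_KEY.search(e.get("TargetObject", ""))
                and SCR_IN_DOCUMENTS.search(e.get("Details", ""))):
            alerts.append(_alert("T1547.001", "Run value launches a .scr from Documents",
                                 e["TargetObject"]))
        elif eid == 22 and e.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
            alerts.append(_alert("T1071.001", "DNS lookup of the known C2 domain",
                                 e["QueryName"]))
        elif eid == 3 and e.get("DestinationIp") == C2_IP:
            alerts.append(_alert("T1071.001", "connection to the known C2 address",
                                 e["DestinationIp"]))
    return alerts


def chain_complete(alerts: list[dict]) -> bool:
    """True when drop, persistence and C2 contact all appear. The RAT sleeps
    before beaconing, so correlate over a generous window, not seconds."""
    seen = {a["technique"] for a in alerts}
    return {"T1204.002", "T1547.001", "T1071.001"} <= seen


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a["technique"], a["reason"], a["evidence"], sep=" | ")
    print("full chain observed:", chain_complete(found))
```

The two benign events (OneDrive's own Run value and a browser connection) produce nothing, so the sample yields four alerts and a complete chain. Because the page notes the RAT delays C2 communication to hinder sandboxing, the DNS and network events can arrive well after the file-create and registry events; a rule that only links events within a short window would see the drop and the persistence but miss the beacon.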

Read more: https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/