This analysis of Earth Karkaddan (APT36) covers its use of CrimsonRAT on Windows and CapraRAT/ObliqueRAT on Android, detailing infection chains based on spear-phishing, USB worms, and malicious macros. It also covers C2 communications, persistence mechanisms, and example artifacts (domains, file names, and lures) used in campaigns. Hashtags: #EarthKarkaddan #CrimsonRAT #CapraRAT #ObliqueRAT #CLAWS
Key points
- APT36 (Earth Karkaddan) targets Indian military and diplomatic resources and uses CrimsonRAT for Windows alongside Android-capable CapraRAT and ObliqueRAT.
- Campaigns rely on spear-phishing emails and a USB worm as arrival vectors, with lures including fake government documents, attractive-profile honeytraps, and coronavirus-themed information.
- CapraRAT is an Android RAT with similarities to CrimsonRAT, including cross-tool design cues and shared C2 approaches, with APKs like com.example.appcode.appcode.
- The Windows chain decrypts a text-box–hidden dropper, saves it to a hardcoded path, then executes CrimsonRAT (mdkhm.zip and dlrarhsiva.exe).
- CapraRAT uses persistence via a Startup URL and C2 communications (e.g., 209.127.19.241:10284; android.viral91.xyz), indicating organized C2 infrastructure.
- ObliqueRAT is deployed via spear-phishing, delivering a document (1More-details.doc) that hides ObliqueRAT inside a BMP, with a published backdoor command set.
- The campaign includes shared download domains (sharingmymedia.com) used by both CrimsonRAT and ObliqueRAT download chains.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing attachments used to deliver malware. ‘The malicious emails feature a variety of lures to deceive victims into downloading malware, including fraudulent government documents, honeytraps showing profiles of attractive women, and recently, coronavirus-themed information.’
- [T1204.002] User Execution – Malicious macros prompting user actions to enable macro execution. ‘Once the victim downloads the malicious macro, it will decrypt an embedded executable dropper that is hidden inside a text box…’
- [T1105] Ingress Tool Transfer – Payloads downloaded and dropped after macro execution. ‘Once the victim downloads the malicious macro… it will then execute in the machine.’
- [T1027] Obfuscated/Decode Files or Information – Decrypting an embedded dropper hidden inside a text box. ‘decrypt an embedded executable dropper that is hidden inside a text box’
- [T1082] System Information Discovery – Collecting system information such as PC name and OS information via CrimsonRAT. ‘send exfiltrated information including PC name, operating system (OS) information…’
- [T1057] Process Discovery – Listing running processes as part of ObliqueRAT capabilities. ‘List running processes’ (TSK entry in backdoor commands)
- [T1547.001] Boot or Logon Autostart Execution – Persistence via Startup URL in CapraRAT. ‘Startup URL which will automatically run the ObliqueRAT malware.’
- [T1071.001] Application Layer Protocol – C2 over web protocols to download other malware, exfiltrate data, and receive commands. ‘C&C server to download other malware or exfiltrate data.’
- [T1123] Audio Capture – Accessing microphone to collect audio on compromised Android devices (CapraRAT capabilities).
Indicators of Compromise
- [Domain] android.viral91.xyz – C2/domain for CapraRAT communications
- [Domain] sharingmymedia.com – shared download domain for CrimsonRAT/ObliqueRAT
- [Domain] viral91.xyz – reference domain for related activity
- [IP] 209.127.19.241:10284 – C2/server communication endpoint
- [File name] mdkhm.zip – dropped payload used to deploy CrimsonRAT
- [File name] dlrarhsiva.exe – CrimsonRAT executable used after unzip
- [File name] csd_car_price_list_2017 – phishing document lure related to CapraRAT/CLAWS domain
- [File name] 1More-details.doc – ObliqueRAT downloader document
- [APK] com.example.appcode.appcode – CapraRAT Android package name
- [Hash] d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42 – SHA-256 of a CapraRAT-related Android sample
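As an added defender-side example (not code from the original report), the scanner below matches log lines against the indicators listed above, treating any subdomain of a listed domain as a hit and matching the C2 endpoint on IP and port together. The log line format and the 10.0.0.x hosts are constructed assumptions.

```python
import re

# Indicators below are the ones listed on this page; the log lines further down are constructed.
DOMAINS = {"android.viral91.xyz", "sharingmymedia.com", "viral91.xyz"}
C2_ENDPOINTS = {("209.127.19.241", 10284)}
FILE_NAMES = {"mdkhm.zip", "dlrarhsiva.exe", "csd_car_price_list_2017", "1more-details.doc"}
PACKAGES = {"com.example.appcode.appcode"}
HASHES = {"d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # domains and package names
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
FILE_RE = re.compile(r"[\w.-]+\.(?:zip|exe|doc)\b|csd_car_price_list_2017", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def scan_log(lines):
    """Return (line_no, ioc_type, value) for every page indicator found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in PACKAGES:
                hits.append((n, "package", h))
            # exact domain or any subdomain (android.viral91.xyz sits under viral91.xyz)
            elif any(h == d or h.endswith("." + d) for d in DOMAINS):
                hits.append((n, "domain", h))
        for ip, port in IPPORT_RE.findall(line):
            if (ip, int(port)) in C2_ENDPOINTS:
                hits.append((n, "c2", f"{ip}:{port}"))
        for name in FILE_RE.findall(line):
            if name.lower() in FILE_NAMES:
                hits.append((n, "file", name))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in HASHES:
                hits.append((n, "sha256", digest.lower()))
    return hits

SAMPLE_LOG = [  # constructed for illustration; 10.0.0.x hosts are placeholders
    "10:00:01 dns query=android.viral91.xyz src=10.0.0.5",
    "10:00:02 proxy GET http://sharingmymedia.com/files/mdkhm.zip src=10.0.0.5",
    "10:00:03 edr file_create path=C:\\Users\\u\\AppData\\Roaming\\dlrarhsiva.exe",
    "10:00:04 netflow src=10.0.0.5 dst=209.127.19.241:10284 proto=tcp",
    "10:00:05 mdm app_install pkg=com.example.appcode.appcode "
    "sha256=d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42",
    "10:00:06 dns query=notviral91.xyz src=10.0.0.7",  # lookalike, must not match
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```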