APT36, also known as Transparent Tribe, is a Pakistan-linked cyber espionage group that targets Indian defense, government, and education organizations. The group has developed several versions of its Crimson RAT, and the differences between them show a clear evolution in both functionality and evasion techniques. Affected: India, Cybersecurity, Government, Defense, Education
Key points:
- APT36 is linked to Pakistan and targets Indian government, defense, and education sectors.
- Crimson RAT exists in multiple versions, evolving from basic remote access to more advanced functionality.
- Version 1.0.0.0 includes screen capture and process management.
- Version 2.1.0.0 adds new evasion techniques and new capabilities such as lateral movement via USB drives.
- The group's attacks show increasing sophistication over time.
- Dynamic DNS domains are used for Command and Control (C2).
MITRE Techniques:
- Application Layer Protocol (T1071) – C2 traffic to domains registered with dynamic DNS providers.
- Exfiltration Over C2 Channel (T1041) – Exfiltrates files over the existing C2 channel, potentially split into chunks to evade detection.
- Remote Access Software (T1219) – Crimson RAT itself provides the remote access.
- Process Injection (T1055) – Injects into other processes to evade detection and blend into legitimate activity.
- Archive Collected Data (T1560, formerly Data Encrypted, T1022) – Encrypts data before exfiltration to avoid detection.
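The C2 point above is the one most easily turned into a hunt: a query for a host under a dynamic DNS zone is rare on a managed network, and repeated queries for the same host from one client look like a beacon check-in. The script below is an added example, not code from the blog post. It takes the page's IOC domain and MD5 hashes as-is; the dynamic DNS zone list, the log line format, and the sample log lines are assumptions constructed for the example (ddns.net, the zone of the IOC domain, is a No-IP zone; adapt parse_line() to your resolver's actual log format).

```python
"""Hunt DNS query logs for dynamic DNS C2 lookups and the page's Crimson RAT IOCs.

Added example; not code from the original post. Log format and sample lines
are constructed for illustration.
"""
import re
from collections import Counter

# IOCs taken directly from the page.
IOC_DOMAINS = {"richa-sharma.ddns.net"}
IOC_MD5 = {
    "8a1f4a512fe9edbcc62ba4b1c3e08f0a",  # Crimson RAT v1.0.0.0 - rlbwrarhsa
    "77c29d464efcae961424ae050453ef11",  # Crimson RAT v1.0.0.0 - drmaiprave
    "fed22809d70062733cd1c34e16b75c05",  # Crimson RAT v1.0.0.0 - jivarthr_edis
    "e40e0a71efd051374be1663e08f0dbd8",  # Crimson RAT v2.1.0.0 - Kosovo
}

# Dynamic DNS zones commonly abused for C2. ddns.net (the IOC's zone) is a
# No-IP zone; the rest are an assumed starter list, extend it from your own intel.
DYNDNS_ZONES = ("ddns.net", "no-ip.org", "hopto.org", "zapto.org",
                "duckdns.org", "dyndns.org")

# Constructed log shape: "<ISO timestamp> <client IP> query <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)$"
)


def in_zone(qname: str, zone: str) -> bool:
    """Label-aware suffix match: host.ddns.net matches, ddns.net.example.com does not."""
    return qname == zone or qname.endswith("." + zone)


def classify(qname: str):
    """Return 'ioc' for a known-bad domain, 'dyndns' for any dynamic DNS zone, else None."""
    q = qname.lower().rstrip(".")
    if q in IOC_DOMAINS:
        return "ioc"
    if any(in_zone(q, z) for z in DYNDNS_ZONES):
        return "dyndns"
    return None


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the expected shape."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return (hits, counts): hits is a list of (src, qname, label) for each
    suspicious query; counts maps (src, qname) to how often it was queried,
    so repeated lookups of one host from one client stand out as beaconing."""
    hits = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed line: skip, do not crash the hunt
            continue
        label = classify(rec["qname"])
        if label is None:
            continue
        qname = rec["qname"].lower().rstrip(".")
        counts[(rec["src"], qname)] += 1
        hits.append((rec["src"], qname, label))
    return hits, counts


def match_hash(md5_hex: str) -> bool:
    """True if an MD5 (any case, surrounding whitespace ignored) is one of the page's IOC hashes."""
    return md5_hex.strip().lower() in IOC_MD5


# Constructed sample log: one benign query, two IOC check-ins, one generic
# dynamic DNS lookup, one look-alike that must NOT match, and one garbage line.
SAMPLE_LOG = [
    "2025-04-10T08:12:01Z 10.1.5.23 query update.microsoft.com",
    "2025-04-10T08:12:07Z 10.1.5.23 query richa-sharma.ddns.net",
    "2025-04-10T08:12:09Z 10.1.5.23 query richa-sharma.ddns.net",
    "2025-04-10T08:13:15Z 10.1.5.40 query backup-host.hopto.org",
    "2025-04-10T08:14:00Z 10.1.5.41 query www.ddns.net.example.com",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    found, per_host = scan(SAMPLE_LOG)
    for src, qname, label in found:
        print(f"{label:6} {src} -> {qname} (seen {per_host[(src, qname)]}x)")
```

Treat a "dyndns" hit as a lead rather than a verdict: some legitimate home-office gear uses these zones, so pivot on the client, the query cadence, and the process that issued the lookup before escalating. An "ioc" hit on the page's domain, or a match_hash() result on a file hash from EDR, is worth an immediate response.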
Indicators of Compromise:
- [MD5] 8a1f4a512fe9edbcc62ba4b1c3e08f0a (Crimson RAT v1.0.0.0 – rlbwrarhsa)
- [MD5] 77c29d464efcae961424ae050453ef11 (Crimson RAT v1.0.0.0 – drmaiprave)
- [MD5] fed22809d70062733cd1c34e16b75c05 (Crimson RAT v1.0.0.0 – jivarthr_edis)
- [MD5] e40e0a71efd051374be1663e08f0dbd8 (Crimson RAT v2.1.0.0 – Kosovo)
- [Domain] richa-sharma.ddns.net (Crimson RAT v2.1.0.0)
Full Story: https://malwareanalysisspace.blogspot.com/2025/04/the-evolution-of-apt36s-crimson-rat.html