SentinelLabs tracks a cluster of malicious Office documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe), targeting the education sector in the Indian subcontinent. The researchers note ongoing evolution in Crimson RAT implementations and the use of OLE embedding to stage malware from lure documents, signaling a broader targeting strategy and tactic development. #APT36 #TransparentTribe #CrimsonRAT #IndianEducationSector #Wibemax #ZainHosting
Keypoints
- APT36/Transparent Tribe are distributing Crimson RAT via malicious Office documents directed at educational institutions in the Indian subcontinent.
- The group is evolving its malware staging techniques, adding OLE embedding alongside macros to stage Crimson RAT.
- Lure documents resemble education-themed content and have been hosted on attacker domains/file hosting services (e.g., s1.fileditch[.]ch, cloud-drive[.]store, drive-phone[.]online).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The lure documents have education-themed content and are distributed to targets as attachments to phishing emails. [ ‘Based on known behavior of this group, we suspect that the documents have been distributed to targets as attachments to phishing emails.’ ]
- [T1204.002] User Execution: Malicious File – The malicious documents require user action (opening/double-click) to trigger payloads. [ ‘The documents distributed by Transparent Tribe typically display an image (a “View Document” graphic) indicating that the document content is locked. This lures users to double-click the graphic to view the content, which activates an OLE package that stores and executes Crimson RAT’ ]
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Office macros are used to stage and execute Crimson RAT. [ ‘The macro code executes when the documents are opened’ ]
- [T1547.001] Registry Run Keys / Startup Folder – Persistence by creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [ ‘establish persistence by creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ ]
- [T1036] Masquerading – The Crimson RAT payload is masqueraded as an update process (MicrosoftUpdate.exe). [ ‘Crimson RAT masquerading as an update process (MicrosoftUpdate.exe)’ ]
- [T1027] Obfuscated/Compressed Files and Information – Use of obfuscation techniques including Eazfuscator; some variants patch the trial period evaluation. [ ‘the addition of Eazfuscator to the obfuscation techniques used by Transparent Tribe’ ]
- [T1071.001] Web Protocols – Command and Control domain used for C2 (richa-sharma.ddns[.]net). [ ‘richa-sharma.ddns[.]net for C2 purposes’ ]
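The persistence and masquerading techniques listed above (a Run-key entry pointing at an update-themed executable) can be turned into a simple triage rule over registry-write telemetry. The following is an added example, not code from SentinelLabs or from the report: it checks records modelled on Sysmon Event ID 13 (registry value set) for writes under a Run/RunOnce key and flags entries whose executable lives in a user-writable directory, carries an update-themed name outside Windows or Program Files, or was written by an Office process. The sample events, user names, PIDs and paths are constructed for illustration.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 13 (RegistryEvent: Value Set).
# Nothing here is taken from the report; every path, user and value name is invented.
SAMPLE_EVENTS = [
    {   # update-themed binary dropped under the user's roaming profile
        "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate",
        "Details": r"C:\Users\alice\AppData\Roaming\MicrosoftUpdate.exe",
        "Image": r"C:\Users\alice\AppData\Roaming\MicrosoftUpdate.exe",
    },
    {   # benign: installer registering a vendor binary under Program Files
        "EventType": "SetValue",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
        "Image": r"C:\Program Files\Microsoft OneDrive\setup.exe",
    },
    {   # Run value written by Word itself, pointing into Downloads
        "EventType": "SetValue",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\bob\Downloads\lecture_notes.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # not a Run key at all: must be ignored by the rule
        "EventType": "SetValue",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache",
        "Details": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache",
        "Image": r"C:\Windows\explorer.exe",
    },
]

RUN_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Downloads|Temp|ProgramData|Public)\\", re.IGNORECASE)
TRUSTED_ROOT_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)
MASQUERADE_RE = re.compile(r"(microsoft|windows)?update", re.IGNORECASE)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def extract_exe(details):
    """Pull the executable path out of a Run value, handling quoted paths and arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details.strip('"')
    m = re.match(r"(.+?\.exe)", details, re.IGNORECASE)
    return m.group(1) if m else details.split(" ")[0]


def assess_run_key_event(event):
    """Return the list of reasons an event is suspicious (empty list = nothing to flag)."""
    reasons = []
    if event.get("EventType") != "SetValue" or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return reasons
    exe = extract_exe(event.get("Details", ""))
    exe_name = exe.rsplit("\\", 1)[-1]
    if USER_WRITABLE_RE.search(exe):
        reasons.append("run entry points into a user-writable directory")
    if MASQUERADE_RE.search(exe_name) and not TRUSTED_ROOT_RE.match(exe):
        reasons.append("update-themed name outside Windows/Program Files")
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer in OFFICE_IMAGES:
        reasons.append("value written by an Office process")
    return reasons


def scan(events):
    """Apply the rule to a batch of events and keep only the flagged ones with their reasons."""
    findings = []
    for event in events:
        reasons = assess_run_key_event(event)
        if reasons:
            findings.append((event["TargetObject"], reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_EVENTS):
        print(target)
        for reason in reasons:
            print("  -", reason)
```

The three checks are deliberately independent so that an analyst can see which signal fired: a vendor-installed updater in Program Files trips none of them, while a binary dropped into AppData with an update-themed name trips two. The "written by an Office process" check is the one most specific to the document-borne staging described in this report.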
Indicators of Compromise
- [SHA1] Malicious document – 738d31ceca78ffd053403d3b2bc15847682899a0, 9ed39c6a3faab057e6c962f0b2aaab07728c5555, and 3 more hashes
- [SHA1] Crimson RAT – 516db7998e3bf46858352697c1f103ef456f2e8e, 842f55579db786e46b20f7a7053861170e1c0c5e, and 3 more hashes
- [Domain] C2/hosting – richa-sharma.ddns[.]net, cloud-drive[.]store, and 2 more domains