Pakistan nexus threat group (APT36) drops Crimson RAT against unknown targets

Volon Threat Research identified a malicious sample named “India and Afghanistan on Parliamentary Affairs” which was uploaded to a public file scanning service on April 17, 2020. This report presents Volon Research's analysis findings for the sample.

Our analysis indicates that, based on the malware lure, the Crimson RAT payload, and the C2 (Command & Control) infrastructure, the threat actor is possibly the Pakistan-nexus group APT36 targeting Indian government entities.

Technical Analysis:

This section covers the technical analysis performed by Volon Threat Research.

  • Dropper details:
    • File name: India and Afghanistan on Parliamentary Affairs.exe
    • FileType: Win32 EXE
    • MD5: 48a00c1a8c9b39c96152e8ca80b7a972
    • SHA-1: 77f06e791df9613a8f1a98432ff40d79dbde3bd5
    • SHA-256: 3c7eb76db2a503d495d1332dc50acbcf511d56a6ff5a7f1a5f9c16c5efc10b5d
    • Creation Date: 2020-01-30
    • First Submission: 2020-04-13

(Lure Template)

The initial dropper is written in .NET and is compatible down to .NET version 2.x. This backward compatibility lets it execute on as many target systems as possible.

(Dropper – PE Info)

The dropper is designed to write decoded buffers to files in specified directories. Carrying the payload as an encoded buffer is a common technique to evade antivirus static analysis, and it also lets the dropper check the infected host for installed countermeasures before releasing the payload.

(Encapsulated buffer in dropper)

In the screenshot below, we can clearly see the PDF being written to disk under the path “C:\Users\{username}\Documents”, saved with the same name as the dropper itself.

(Lure PDF template dropped)

(Environment Variables Enumeration)

The dropper's final job is to write Crimson RAT to disk and run it. The binary is dropped under “C:\ProgramData” in a newly created folder “Dllb”. We also noticed that a zip file is dropped, from which an executable, the main Crimson RAT payload, is extracted. We have seen APT36 follow this dropping pattern several times in past activity.

  • Crimson RAT payload details:
    • File name: mtdlhsrivan.exe
    • FileType: Win32 EXE
    • MD5: a183d42bd09cd0a92bff2a39fa9d3921
    • SHA-1: a818cb13ecf31f392bd7b22fd67ed4617051c22a
    • SHA-256: ae9684b8c2dbcfa487d0b2d614b2214bfe3c80407244f5d39828aa91225c57bf
    • Creation Date: 2020-01-23
    • First Submission: 2020-04-15

The RAT is likewise written purely in .NET and supports all .NET versions.

(Crimson RAT- PE info)

The RAT is interactive and supports basic functionality such as screen capture, screen-size enumeration, command execution, process listing, process termination, etc. The complete list of functions supported by the framework is shown below.

The payload attempts to gain persistence on the infected host using the commonly known technique of modifying registry keys, targeting “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. However, it fails to add an entry to that key, so persistence does not work properly.

We also noticed that Crimson RAT uses a custom protocol over an arbitrary port to communicate with its C2 (Command and Control) server.

(Network analysis – Wireshark Packet Capture)

About APT36:

APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

About Crimson RAT:

Crimson RAT has been used by APT36 in various past campaigns. The RAT is written in .NET and its capabilities include:

  • Stealing credentials from the victim’s browser
  • Listing running processes, drives, and directories on the victim’s machine
  • Retrieving files from its C&C server
  • Using custom TCP protocol for its C&C communications
  • Collecting information about antivirus software
  • Capturing screenshots

(MITRE ATT&CK tracking link of the RAT): https://attack.mitre.org/software/S0115/

Reflections

In early August 2018, Volon Threat Research published a blog about a campaign observed dropping Crimson RAT against officials of the Indian Ministry of External Affairs. Based on the campaign TTPs and payload, the activity was attributed to the Pakistani APT group APT36 (Transparent Tribe). [Read more: https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/]

In March 2020, the security firm Malwarebytes released a report on “APT36 conducting a phishing campaign against multiple Indian-based targets using a coronavirus lure”. The C2 64.188.25[.]205 used in that March campaign matches the one in this report as well. Additionally, Volon also reported to its customers on the group targeting an Indian financial institution with Crimson RAT.

Volon recommends that organizations falling within the target geography block the IoCs mentioned in this report on their security sensors and EDR agents. We also suggest hunting across the infrastructure network for existing signs of compromise. Additionally, organizations could create correlation rules from the IoCs to detect future campaigns.
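As an added example (not Volon's code), the following Python implements the kind of correlation rule recommended above: it tags constructed, Sysmon-like telemetry records with the behaviours described in this report (drop folder under C:\ProgramData\Dllb, Run-key modification, the listed hashes and C2 IP) and flags a host only on a hard IoC hit or on two behaviours seen together. The record field names and the sample records are assumptions, not real logs.

```python
from collections import defaultdict

# Indicators quoted in the report: dropper MD5, RAT MD5, the remaining listed hash, and the C2 IP.
IOC_HASHES = {
    "48a00c1a8c9b39c96152e8ca80b7a972",
    "a183d42bd09cd0a92bff2a39fa9d3921",
    "a43253312d356abe9ddf36b4cce50d82",
}
IOC_C2 = {"64.188.25.205"}
# Behaviours from the report: the drop folder under ProgramData and the Run key it tries to modify.
DROP_DIR = r"c:\programdata\dllb"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

def match_event(ev):
    """Tag one telemetry record (field names are assumptions) with the behaviours it shows."""
    tags = set()
    if ev.get("type") == "file_create" and ev.get("path", "").lower().startswith(DROP_DIR):
        tags.add("drop_dir")
    if ev.get("md5", "").lower() in IOC_HASHES:
        tags.add("ioc_hash")
    if ev.get("type") == "registry_set" and ev.get("key", "").lower().startswith(RUN_KEY):
        tags.add("run_key")
    if ev.get("type") == "network_connect" and ev.get("dst_ip") in IOC_C2:
        tags.add("c2_ip")
    return tags

def correlate(events, min_tags=2):
    """Flag a host on any hard IoC hit, or on min_tags distinct behaviours together,
    so a lone legitimate Run-key write or ProgramData folder does not alert."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["host"]] |= match_event(ev)
    return {h: sorted(t) for h, t in by_host.items()
            if t & {"ioc_hash", "c2_ip"} or len(t) >= min_tags}

# Constructed sample telemetry (not real logs): ws01 shows the full chain from the report,
# ws02 and ws03 each show a single, benign-looking behaviour.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\ProgramData\Dllb\mtdlhsrivan.exe",
     "md5": "a183d42bd09cd0a92bff2a39fa9d3921"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "mtdlhsrivan"},
    {"host": "ws01", "type": "network_connect", "dst_ip": "64.188.25.205"},
    {"host": "ws02", "type": "file_create", "path": r"C:\ProgramData\Dllb\notes.txt"},
    {"host": "ws03", "type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only ws01 is flagged with the default threshold
```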

Indicators

a43253312d356abe9ddf36b4cce50d82
64.188.25.205
48a00c1a8c9b39c96152e8ca80b7a972
a183d42bd09cd0a92bff2a39fa9d3921
