FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff
Staff
Article Id 215398

Introduction

CrimsonRAT is a Remote Access Trojan (RAT) which targets Windows endpoints and has been employed by threat actors to access infected endpoints to capture screenshots, steal credentials and gather information. CrimsonRAT is also known as SEEDOOR and Scarimson[1]. CrimsonRAT campaigns (June 2021) targeting Indian government networks have been attributed to the threat actor group Transparent Tribe, a suspected Pakistan affiliated actor[2].

The Transparent Tribe group, also known as APT36/PROJECTM / MYTHIC LEOPARD/ COPPER FIELDSTONE, has been active since at least 2013. This group primarily targets diplomatic, defense and research organizations in India. It is suspected that this group has origins in Pakistan.

The file RingBell.exe is a 32-bit .NET malware, which is detected by FortiGuard Labs threat intelligence as  AntiVirus: PossibleThreat.PALLASNET.H and tagged with Crimson/CrimsonRAT/TransparentTribe. The events in the infection and execution chain are shown in the Figure 1 below.

 

agat_20-1655876332840.png

 

Figure1. Attack flow diagram of CrimsonRAT phishing campaign.

 

Initial Access and Execution

 

Reported initial access methods observed in the wild deployments of CrimsonRAT are predominantly phishing emails with malicious Microsoft Office attachments[3]. The sample analyzed as part of this article was a Microsoft Word document containing malicious macros used to drop and execute the CrimsonRAT binary. This binary is initially stored as multiple obfuscated strings within the VBA macro embedded within the malicious Office document. These strings are concatenated and the resulting executable file is written to disk at runtime. Figure 2 below depicts the Microsoft Word document used as a lure document as part of the analyzed CrimsonRAT campaign.

 

agat_21-1655876332841.png

 

Figure 2. This is an example of a lure document used as part of a CrimsonRAT deployment phishing document employed by Transparent Tribe once macros have been enabled. The document displays different content once macros have been enabled.

 

 

The analyzed lure document contains malicious VBA code linked to the ‘Document_Open’ event that results in the code being executed once the user enables macros. As described in the introduction, there is an embedded file included in this macro code. This file is stored in multiple parts as strings which are concatenated by the “GenerateStringW48” function into a single string.

This string is used by another function (“ReadFileKlistankhantkmnbyfgasuyga”) which writes the file “RingBell.exe” to the Environ$"ALLUSERSPROFILE\C0E2\" directory. In our test environment this mapped to  “C:\ProgramData\COE2\”.  Figure 3 shows a snippet of the VBA code within the malicious macro. This VBA shows the filename and the file creation path of the first payload drop (RingBell.exe).

 

Two more samples have been found which contain the same string 'Klistankhantkmnbyfgasuyga', one sample is word document and other is plain text VBA script. (SHA256 Hashes: 541fee0eeaf82acdc4bf7050da7f2a685958f8568bd1efb43659d360e8583c65 and e86af2d076ca746fba5212d73227a4483ad2439efd281b86c99039726abe3c01 respectively).

 

The VBA script (541fee0eeaf82acdc4bf7050da7f2a685958f8568bd1efb43659d360e8583c65 ) contained RingBell.exe (8b786784c172c6f8b241b1286a2054294e8dc2c167d9b4daae0e310a1d923ba0) which has same DNS and IP traffic according to VirusTotal. The second sample e86af2d076ca746fba5212d73227a4483ad2439efd281b86c99039726abe3c01 was corrupt and not VBA as extracted from it.

 

agat_22-1655876332846.png

 

Figure 3. VBA code embedded in malicious office document.

 

 

Modern endpoint detection and response (EDR) solutions, like FortiEDR, should detect and mitigate execution of an executable file extracted from an office document. FortiEDR generates a “Malicious File Detected” Event when the ‘RingBell.exe’ file is read prior to execution. This file detection is a hash-based detection provided through FortiEDR’s integration with FortiGuard Labs Threat Intelligence. This File Read detection event be seen in the Figure 4 below.

 

agat_23-1655876332853.jpeg

 

Figure 4. FortiEDR detecting file execution operation of the malicious ’RingBell.exe’ file word file is open with malicious macro enabled is opened.

 

 

To demonstrate how FortiEDR also detects files with an unknown signature, which may occur when a new variant of malware like CrimsonRAT is employed, we appended some random characters to the file and re-executed. This modifies the hash but does not affect the functionality of the sample. We can see from this detection that the hash has changed and does not match a known signature. Regardless of this, FortiEDR still flags this file as suspicious as it is assessed as having a high likelihood of being malicious by the Fortinet Cloud Services machine learning engine. This assessment can be seen below in Figure 5.

 

agat_24-1655876332858.jpeg

 

Figure 5. FortiEDR employs multiple online sandboxes and a machine learning engine as part of the Fortinet Cloud Services (FCS). This allows it to detect new versions of malware variants without known signatures

 

 

When the RingBell.exe file is executed, FortiEDR generates “File Execution Attempt” event. The “File Execution Attempt” event is part of Execution Prevention Ruleset. This ruleset prevents execution of malicious and suspicious files. Figure 6 shows the “File Execution Attempt” event.

 

agat_25-1655876332863.jpeg

 

Figure 6. File Execution rule triggered by a user attempting to execute the dropped ‘RingBell.exe’ file.

 

 

The Fondue.exe enables Windows optional features by downloading required files from Windows Update or another source specified by Group Policy. In our case it is called with the parameter "/enable-feature:NetFx3” which indicates enable .NET version 3.5 [4]. This can be used as a good Threat hunting behavior for the customers who do not have dot net programs running in their environment. If such customers observe Fondue.exe with parameter “/enable-feature:NetFx3” it is worth examining associated executables to ensure they are legitimate[5].

 

Initial Payload

 

When executed RingBell.exe writes a registry value ‘RingBell’ to the current user’s run key for persistence (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This auto-start registry path is stored as a base64 encoded string in the exe and is decoded at runtime. This code can be seen in Figure 7 below.

 

agat_26-1655876332867.png

 

Figure 7. Code segment of decompiled exe file, the code section shows Autorun Registry entry being created depicting.

 

Persistence

 

On execution the executable creates a registry value with name “RingBell” in this path “HKCU\Software\Microsoft\Windows\CurrentVersion\Run“ and adds the current path of the RingBell.exe as value of this key (in our case C:\temp\RingBell.exe). This registry change is detected by the FortiEDR as “Modify OS Settings” event. Figure 8 below shows this detection.

 

agat_27-1655876332875.jpeg

 

Figure 8. FortiEDR security event generated as the CrimsonRAT executable (RingBell.exe) creates an auto-start registry entry for persistence.

 

 

This behavior can also be observed in telemetry data collected through FortiEDR threat hunting. Figure 9 below shows enriched telemetry information related to this registry modification events. Note that FortiEDR tags system events like this with MITRE behavior, tactic, and technique identifiers to make searching for noteworthy events easier.

 

agat_28-1655876332881.jpeg

 

Figure 9. FortiEDR Threat Hunting events generated because of the “RingBell.exe” (CrimsonRAT) executable creating a registry value in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run“ autorun key.

 

Sandbox Evasion

 

On execution the exe sleeps for 181 seconds (about 3 minutes) before doing any actions. We can observe this in the Figure 10 below. Interestingly we normally see malware developers use the dedicated ‘sleep’ function to pass time but in the case of this function the malware instead uses ‘DateTime.Now’ function to get a start time and simply loops until the current time is 181 seconds (about 3 minutes) higher than the start time. We assume this is an anti-sandbox technique as many modern sandboxes will detect the use of the sleep function at the start of execution and flag as a suspicious code feature for an unknown executable or patch out the sleep function to get around large delays[6].

 

agat_29-1655876332884.png

 

Figure 10. Alternative method of employing a sleep, likely as an anti-debug technique to avoid sandbox detection.

 

 

The malware tries to connect to dyndns domain “swissaccount[.]ddns[.]net” which right now resolves to IP address 161[.]97[.]176[.]42. It also tries to connect to the domain “sunjaydut[.]ddns.net” which resolves to 161[.]97[.]176[.]52. This IP address is identified by Fortiguard CTS and multiple sources as CrimsonRAT C2 address. These two IP addresses are from Contabo, a Cloud VPS (Virtual Private Server) provider located in Germany.

 

agat_30-1655876332887.jpeg

 

Figure 11. FortiGuard Threat Intelligence indicates these IPs have been associated with previous CrimsonRAT C2.

 

 

The analyzed CrimsonRAT samples also includes a hardcoded list of ports which it uses when connecting to C2. The static list of ports can be seen in the code in Figure 12.

 

agat_31-1655876332888.png

 

Figure 12. Static ports listed within the CrimsonRAT sample. These are used for connections to C2.

 

Functionality of CrimsonRAT

 

CrimsonRAT contains a standard array of RAT functionality as outlined in the table below. This information was taken directly from the CrimsonRAT executable and the usability of each of the functions was not tested but can be inferred based on the associated code.

 

Class/Function

Purpose

Class11 method_1

GetDirectories – Find directories in given path

Class11 method_2

GetFiles – Find all files in the directory

Class11 method_4

GetDrives – Find all drives in the computer

Class11 method_5

DirectoryInfo – Get information about a directory

Class14 method_0

CopyFromScreen – Get screenshot

Class8 smethod_3

Osversion.Version.Major/Minor – Get Operating system version information

Class8 smethod_4

Registry.CurrentUser.OpenSubkey – Open Registry key

Class8 smethod_4

Registry.SetValue – Write Value to the Registry key

GClass0 method_3

FileInfo – Get File information about a file

GClass0 method_4

Reads text from TCPIP networkstream and return command from C2

GClass0 method_9

Process.GetProcesses() – Get all processes running on computer

GClass0 method_18

File.Delete() – Delete specified file

GClass0 method_22

Process.GetProcessByID.Kill() – Kill a specified process

GClass0 method_23

File.ReadAllBytes() – Read file data

GClass1 method_4

Registry.DeleteValue – Delete Registry Key

GForm0 GForm0_FormClosing

Sleeps for given time and then checks if Autorun registry is existing if not calls function to create autorun registry entry then closes the application

 

 

The connection initiated to the C2 server of CrimsonRAT is blocked by the FortiEDR as a malicious connection, this can be observed in Figure 13 below.

 

agat_32-1655876332893.jpeg

 

Figure 13. CrimsonRAT C2 connection blocked by FortiEDR

 

 

When CrimsonRAT connects to it’s C2 server it receives the following command back:  info=command. This communication is over a TCP/IP connection rather than a web request connection that we normally see from other RATs. After receiving this command CrimsonRAT sends the computer name, username, and installed path back to the C2 server, all retrieved from environment variables. Figure 14 shows C2 received command and Figure 15 shows the data sent by the CrimsonRAT sample to the C2.

 

agat_33-1655876332894.png

 

Figure 14. Command received from C2. This command instructs the CrimsonRAT sample to return the computer name, username, and installed path back to the C2 server.

 

agat_34-1655876332895.png

 

Figure 15. CrimsonRAT sending requested data from the ‘info=command’ back to C2

 

Secondary Payloads from C2

 

Following initial communication with the C2 server, CrimsonRAT downloaded four different exe files and executed them on the victim machine. A screenshot of these files is shown below in the Figure 16. All four executables are .NET compiled exe files and have similar characteristics to the original RingBell.exe file, it is believed that all of these are new variants of CrimsonRAT and one includes functionality that allows it to work as a USB worm, spreading CrimsonRAT through connected removable media.

 

agat_35-1655876332897.png

 

Figure 16. Secondary Payload Exes downloaded by RingBell.exe

 

 

The telsec.exe contains hardcoded c2 domain swissaccount[.]ddns[.]net in it. This can be seen in the Figure 17. Whereas the other three exe contain hardcoded domain sunjaydut[.]ddns[.]net.

 

agat_36-1655876332899.png

 

Figure 17. C2 domain hardcoded in telsec.exe

 

 

We found that the communication with this second C2 (sunjaydut[.]ddns[.]net which at the time of analysis was resolving to 161[.]97[.]176[.]52) was similar, on connection from the CrimsonRAT implant, C2 sent the info command to get victim info like Figure 14. and Figure 15.

Another interesting artifact found in the analysis of the telsec.exe file is the file contains debug strings which are likely file paths to dependencies on machine where the file was compiled. The following debug strings with path were found in the telsec.exe

 

D:\Projects\Wibemax\WinP\Middle\obj\Debug\Middle.pdb

D:\Projects\Wibemax\WinP\WinP\obj\Debug\WinP.pdb

D:\Projects\Wibemax\Windows RAT\1 Windows 10 Client\Win8P-Sunny\2022-04-15-Win8P Sunny\obj\Debug\FUJIKBattery.pdb

D:\Projects\Wibemax\Windows RAT\7 Extra\thiaucthas\obj\x86\Debug\thiaucthas.pdb

 

In the process of analyzing the four secondary payloads, these executables were executed in the FortiSandbox environment. All the payloads had hidden windows of their main processes. There are some differences between the process like the Botswana.exe and Bhutan.exe escalated the privilege to SeDebugPrivilege which indicates anti-debug techniques. Botswana.exe and Bhutan.exe both communicated with previously identified C2 servers on execution where as other two payloads did not attempt to connect to C2. Below are the process diagrams for each of the analyzed executables taken from FortiSandbox.

 

agat_37-1655876332905.jpeg

 

Figure 18. Process diagram of secondary payload Botswana.exe when executed in FortiSandbox

 

 

agat_38-1655876332909.jpeg

 

Figure 19. Process diagram of secondary payload Bhutan.exe when executed in FortiSandbox

 

agat_39-1655876332913.jpeg

 

Figure 20. Process diagram of secondary payload Casiowatch.exe when executed in FortiSandbox

 

agat_40-1655876332915.jpeg

 

Figure 21. Process diagram of secondary payload Telsec.exe when executed in FortiSandbox

 

 

When we compared the imphash of all the four secondary payload files they had the same imphash. Some observed differences between the executables are outlined here. Firstly, the telsec.exe executable includes code that checks if a USB drive is connected to the infected machine. If a USB drive is detected on execution, it first checks if a copy of itself is present on the USB drive or not. If a copy is not found it creates a copy of itself on the USB drive. Thus, showing characteristics of a worm spreading through USB storage devices.

 

All the new CrimsonRAT variants except telsec.exe created registry key for autorun of themselves after reboot in the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ as outlined in the above analysis of RingBell.exe.

 

The other three payload executables have decompiled functions similar to RingBell.exe but one major difference was they were .NET 4.x exe and the RingBell.exe was a .NET 2.x exe. We suspect that on connection from the ‘RingBell.exe’ the C2 attempts to upgrade the payload by sending newer .NET version executables.

 

Table 1. Telsec.exe interesting system/api call functions

 

Class/Function

Purpose

HRDD checkUSB

Check if USB drive is connected to Machine

HRDD findFile

Search for a file name based on a given string

HRDD getFiles1

Find all directories in the given path and files in given directory

HRDD hdDrives

Check USB worm payload exists on connected USB drive if not present copy payload to USB drive

HRDD Extract

Get Binary file from GetManifestResourceStream and write to filesystem

HRDD SaveFiles

Save files to specific directory

 

Table 2. CasioWatch.exe interesting system/api call functions.

 

Class/Function

Purpose

Class61 method_0

CopyFromScreen – Get screenshot

Class62 smethod_1

Process.GetProcessesByName – Get access to Process

Class62 smethod_2

Path.GetDirecoryName – Get directory Name from Path

Class62 smethod_3

Environment.GetFolderPath – Get Current Folder

Class62 smethod_6

Osversion.Version.Major/Minor – Get Operating system version information

Class62 smethod_7

Registry.CurrentUser.OpenSubkey – Open Registry key

Class62 smethod_7

Registry.SetValue – Write Value to the Registry key

Class69 method_2

GetDrives – Find all drives in the computer

Class69 method_3

GetFiles – Find all files in the directory

Class69 method_5

DirectoryInfo – Get information about a director

GClass6 smethod_4

Registry.DeleteValue – Delete Registry Key

GClass7 method_0

Process.GetProcessByID.Kill() – Kill a specified process

GClass7 method_2

File.Delete() – Delete specified file

GForm02 GForm2_FormClosing

Sleeps for given time and then checks if Autorun registry is existing if not calls function to create autorun registry entry then closes the application

 

Table 3. Botswana.exe interesting system/api call functions.

 

Class/Function

Purpose

Class33 method_0

CopyFromScreen – Get screenshot

Class34 smethod_1

Process.GetProcessesByName – Get access to Process

Class34 smethod_2

Path.GetDirecoryName – Get directory Name from Path

Class34 smethod_3

Environment.GetFolderPath – Get Current Folder

Class34 smethod_6

Osversion.Version.Major/Minor – Get Operating system version information

Class34 smethod_7

Registry.CurrentUser.OpenSubkey – Open Registry key

Class34 smethod_7

Registry.SetValue – Write Value to the Registry key

Class41 method_3

GetDrives – Find all drives in the computer

Class41 method_4

GetFiles – Find all files in the directory

Class41 method_5

DirectoryInfo – Get information about a director

GClass3 smethod_4

Registry.DeleteValue – Delete Registry Key

GClass5 method_14

File.Delete() – Delete specified file

 

Table 4. Bhutan.exe interesting system/API call functions.

 

Class/Function

Purpose

Class5 method_0

CopyFromScreen – Get screenshot

Class6 smethod_1

Process.GetProcessesByName – Get access to Process

Class6 smethod_2

Path.GetDirecoryName – Get directory Name from Path

Class6 smethod_3

Environment.GetFolderPath – Get Current Folder

Class6 smethod_6

Osversion.Version.Major/Minor – Get Operating system version information

Class6 smethod_7

Registry.CurrentUser.OpenSubkey – Open Registry key

Class6 smethod_7

Registry.SetValue – Write Value to the Registry key

Class13 method_3

GetDrives – Find all drives in the computer

Class13 method_4

GetFiles – Find all files in the directory

Class13 method_5

DirectoryInfo – Get information about a director

GClass0 smethod_4

Registry.DeleteValue – Delete Registry Key

Gclass1 method_2

File.Delete() – Delete specified file

GClass1 method_0

Process.GetProcessByID.Kill() – Kill a specified process

GClass2 method_19

CreateDirectory(FileAttributes.Hidden – Create a Hidden directory

 

Conclusion

 

In this article we have analyzed a CrimsonRAT executable and additional payloads downloaded from suspected Transparent Tribe infrastructure. Additionally, we have demonstrated how FortiEDR provides protection against this RAT and its subsequent payloads through both behavioral and signature based detections. We also analyzed functionality present in the downloaded payloads and process chains associated with their execution to aid defenders in understanding how execution may exhibit itself in their environments and to assist with building detections. At the time of testing adversary infrastructure was still active and signatures of analyzed payloads were not publicly available through VirusTotal or open-source research.

 

Threat Hunting

 

File creation events associated with the Word application dropping RingBell.exe can be found using the following Threat Hunting query.

 

 

Type:"File Create" AND Source.Process.File.Name:"winword.exe" AND  Target.File.Name:"RingBell.exe"

 

 

Process creation event for RingBell exe executing Fondue.exe can be identified using the following threat hunting query. To make this query more generic the ‘Source.Process.Name’ field can be removed. This will identify other instances of executables downloading .NET dependencies which should be analyzed for legitimacy.

 

 

Type:"Process Creation" AND Source.Process.Name:"RingBell*.exe" AND Target.Process.Name:"Fondue.exe" AND Target.Process.CommandLine: "\/enable-feature:NetFx3 \/caller-name:mscoreei.dll"

 

 

To identify executable load events where the Fondue.exe process is launched by an unsigned exe (like RingBell.exe) we can use following threat hunting query. Note that this may induce false positives if legitimate unsigned .NET binaries are employed in an environment and should be filtered before using in production.

 

 

Target.Executable.File.Name:"Fondue.exe" NOT Source.Executable.File.Signed

 

 

To identify DNS query events for any of the C2 addresses extracted from the above analyzed sample the following threat hunting query can be used. Note that this is a new event type only available in v5.1.

 

 

Target.Network.DNS:"swissaccount.ddns.net" OR Target.Network.DNS:"sunjaydut.ddns.net"

 

 

To find TCP communication to known CrimsonRAT C2, we can find remote network connections to ports specified in the CrimsonRAT code we can use the following threat hunting query. Note that this may produce false positives in environments where these ports are used by legitimate applications.

 

 

Type:"Socket Connect" AND (RemotePort:57000 OR RemotePort:35010 OR RemotePort:47834 OR RemotePort:10019 OR RemotePort:33009)

 

 

File execution of RingBell.exe can be detected by following threat hunting query. This can be extended to cover the other CrimsonRAT variants by substituting their filenames from the below IOC list.

 

 

Target.Executable.File.Name:"RingBell*.exe"

 

 

RingBell.exe can be found in by hash lookup by using following query. This can be extended using hashes of the other CrimsonRAT variants contained in the below IOC list.

 

 

Target.Executable.File.SHA1:"8C9BE4566C40D69F18C6C9887331FBD18E2B820E"

 

 

The auto-start registry key created by the analyzed CrimsonRAT sample can be found using the threat hunting query below. This query can be made more generic to find all registry value creation events associated with this persistence TTP by removing the ‘Registry.Name’ part of the query.

 

 

Type:"Value Created" AND Registry.Name:"RingBell" AND  Registry.Path:"Software\\Microsoft\\Windows\\CurrentVersion\\Run"

 

 

File execution of secondary payloads of CrimsonRAT can be detected by the following threat hunting queries targeting observed filename. Note that this query will likely have a very limited scope for future versions of dropped payloads as filenames are easily changed.

 

 

Target.Process.File.Name:("telsec.exe" OR "CasioWatch.exe" OR "Botswana.exe" OR "Bhutan.exe")

 

 

 

MITRE ATT&CK

 

TA0001 – Initial Access

 

Technique ID

Technique Description

Observed Activity

T1566

Phishing: Malicious Attachment

TransparentTribe uses malicious word file with embedded CrimsonRAT exe to get initial access to the victim machine.

 

TA0002 - Execution

 

Technique ID

Technique Description

Observed Activity

T1059.005

Command and Scripting Interpreter: Visual Basic (VBA)

CrimsonRAT uses VBA Macro code embedded in a word file to drop its exe.

 

TA0003 - Persistence

 

Technique ID

Technique Description

Observed Activity

T1547.001

Registry Run Keys

CrimsonRAT creates a AutoRun registry key with path HKCU\Software\Microsoft\Windows\CurrentVersion\Run to start its exe after reboot. This registry key is created by the CrimsonRAT binary on execution.

 

TA0005 - Defense Evasion

 

Technique ID

Technique Description

Observed Activity

T1140

Deobfuscate/Decode Files or Information: Separate chunks of executable in VBA

Phishing email attachemnt contains VBA Macro code used to extract CrimsonRAT executable stored internally as chunked strings. On execution these strings are concatenated to create the CrimsonRAT executable which is dropped to disk by the VBA code.

T1497.003

Virtualization/Sandbox Evasion: Time Based Evasion

When the main function of RingBell.exe (CrimsonRAT) is executed it waits for 181 seconds before continuing the execution to avoid Sandbox detection.

 

TA0008 - Lateral Movement

 

Technique ID

Technique Description

Observed Activity

T1091

Replication Through Removable Media

Observed executable ‘telsec.exe’ contains code that copies itself to attached removable media to spread through connected networks.

 

TA0011 – Command and Control

 

Technique ID

Technique Description

Observed Activity

T1095

Non-Application Layer Protocol

CrimsonRAT communicates to its C2 over a TCP connection but it uses its own format of plain text communication to exchange commands and collected data.

T1571

Non-Standard Port

CrimsonRAT C2 uses non-standard ports for running C2 services. Ports employed: 57000, 35010, 47834, 10019, 33009.

 

 

IOCs (Indicators Of Compromise)

 

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

CrimsonRAT C2 IP

 

161[.]97[.]176[.]42 

 

IP Address

 

Command and Control

 

This IP was contacted from CrimsonRAT payload following infection.

 

CrimsonRAT C2 IP

 

161[.]97[.]176[.]52 

IP Address

 

Command and Control

 

This IP was contacted from CrimsonRAT payload following infection.

CrimsonRAT C2 Domain

swissaccount[.]ddns[.]net

Domain

Command and Control

This Domain was resolved, and C2 IP was contacted by RingBell.exe payload of CrimsonRAT

CrimsonRAT C2 Domain

sunjaydut[.]ddns[.]net

Domain

Command and Control

This Domain was resolved, and C2 IP was contacted by payload of CrimsonRAT

Mental_Health_Survey.docm Hash

 

 d93c7e009506d32b0ec6434a5a42a2eb7a14307a

SHA1 Hash

 

Initial Access

 

File hash of known malicious Microsoft Word document used for this analysis. A different Word document will likely be generated per intrusion to avoid hash-based detection.

 

  RingBell.exe Hash

 

8c9be4566c40d69f18c6c9887331fbd18e2b820e

 

SHA1 Hash

 

Execution, Command and Control

 

Initial CrimsonRAT executable. Detection of this file hash on an endpoint indicates that the macro has successfully executed and the initial CrimsonRAT payload has been written to disk.

 

 telsec.exe hash

b0a68d6a2f5cb6bdf819ae0a8be417d2b294a380

SHA1 Hash

Secondary Payload file 

The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it

 CasioWatch.exe hash

93efe76b2268484dad8f3d390ec5802753cef32e

SHA1 Hash

Secondary Payload file 

The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it

 Botswana.exe hash

5867b06cc8776fa38a38bdf82c224a158a0608f6

SHA1 Hash

Secondary Payload file 

The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it

Bhutan.exe hash

6c2811e9af520da8747baba4eec041a96daa5c4a

SHA1 Hash

Secondary Payload file 

The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it

 

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson

[2] https://attack.mitre.org/groups/G0134/

[3] https://twitter.com/h2jazi/status/1518382259228844033

[4] https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj...

[5] https://community.fortinet.com/t5/FortiEDR/Technical-Tip-How-FortiEDR-protects-against-unknown-NET-m...

[6] https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malwar....