Introduction
CrimsonRAT is a Remote Access Trojan (RAT) which targets Windows endpoints and has been employed by threat actors to access infected endpoints to capture screenshots, steal credentials and gather information. CrimsonRAT is also known as SEEDOOR and Scarimson[1]. CrimsonRAT campaigns (June 2021) targeting Indian government networks have been attributed to the threat actor group Transparent Tribe, a suspected Pakistan affiliated actor[2].
The Transparent Tribe group, also known as APT36/PROJECTM / MYTHIC LEOPARD/ COPPER FIELDSTONE, has been active since at least 2013. This group primarily targets diplomatic, defense and research organizations in India. It is suspected that this group has origins in Pakistan.
The file RingBell.exe is a 32-bit .NET malware, which is detected by FortiGuard Labs threat intelligence as AntiVirus: PossibleThreat.PALLASNET.H and tagged with Crimson/CrimsonRAT/TransparentTribe. The events in the infection and execution chain are shown in the Figure 1 below.
Figure1. Attack flow diagram of CrimsonRAT phishing campaign.
Initial Access and Execution
Reported initial access methods observed in the wild deployments of CrimsonRAT are predominantly phishing emails with malicious Microsoft Office attachments[3]. The sample analyzed as part of this article was a Microsoft Word document containing malicious macros used to drop and execute the CrimsonRAT binary. This binary is initially stored as multiple obfuscated strings within the VBA macro embedded within the malicious Office document. These strings are concatenated and the resulting executable file is written to disk at runtime. Figure 2 below depicts the Microsoft Word document used as a lure document as part of the analyzed CrimsonRAT campaign.
Figure 2. This is an example of a lure document used as part of a CrimsonRAT deployment phishing document employed by Transparent Tribe once macros have been enabled. The document displays different content once macros have been enabled.
The analyzed lure document contains malicious VBA code linked to the ‘Document_Open’ event that results in the code being executed once the user enables macros. As described in the introduction, there is an embedded file included in this macro code. This file is stored in multiple parts as strings which are concatenated by the “GenerateStringW48” function into a single string.
This string is used by another function (“ReadFileKlistankhantkmnbyfgasuyga”) which writes the file “RingBell.exe” to the Environ$"ALLUSERSPROFILE\C0E2\" directory. In our test environment this mapped to “C:\ProgramData\COE2\”. Figure 3 shows a snippet of the VBA code within the malicious macro. This VBA shows the filename and the file creation path of the first payload drop (RingBell.exe).
Two more samples have been found which contain the same string 'Klistankhantkmnbyfgasuyga', one sample is word document and other is plain text VBA script. (SHA256 Hashes: 541fee0eeaf82acdc4bf7050da7f2a685958f8568bd1efb43659d360e8583c65 and e86af2d076ca746fba5212d73227a4483ad2439efd281b86c99039726abe3c01 respectively).
The VBA script (541fee0eeaf82acdc4bf7050da7f2a685958f8568bd1efb43659d360e8583c65 ) contained RingBell.exe (8b786784c172c6f8b241b1286a2054294e8dc2c167d9b4daae0e310a1d923ba0) which has same DNS and IP traffic according to VirusTotal. The second sample e86af2d076ca746fba5212d73227a4483ad2439efd281b86c99039726abe3c01 was corrupt and not VBA as extracted from it.
Figure 3. VBA code embedded in malicious office document.
Modern endpoint detection and response (EDR) solutions, like FortiEDR, should detect and mitigate execution of an executable file extracted from an office document. FortiEDR generates a “Malicious File Detected” Event when the ‘RingBell.exe’ file is read prior to execution. This file detection is a hash-based detection provided through FortiEDR’s integration with FortiGuard Labs Threat Intelligence. This File Read detection event be seen in the Figure 4 below.
Figure 4. FortiEDR detecting file execution operation of the malicious ’RingBell.exe’ file word file is open with malicious macro enabled is opened.
To demonstrate how FortiEDR also detects files with an unknown signature, which may occur when a new variant of malware like CrimsonRAT is employed, we appended some random characters to the file and re-executed. This modifies the hash but does not affect the functionality of the sample. We can see from this detection that the hash has changed and does not match a known signature. Regardless of this, FortiEDR still flags this file as suspicious as it is assessed as having a high likelihood of being malicious by the Fortinet Cloud Services machine learning engine. This assessment can be seen below in Figure 5.
Figure 5. FortiEDR employs multiple online sandboxes and a machine learning engine as part of the Fortinet Cloud Services (FCS). This allows it to detect new versions of malware variants without known signatures
When the RingBell.exe file is executed, FortiEDR generates “File Execution Attempt” event. The “File Execution Attempt” event is part of Execution Prevention Ruleset. This ruleset prevents execution of malicious and suspicious files. Figure 6 shows the “File Execution Attempt” event.
Figure 6. File Execution rule triggered by a user attempting to execute the dropped ‘RingBell.exe’ file.
The Fondue.exe enables Windows optional features by downloading required files from Windows Update or another source specified by Group Policy. In our case it is called with the parameter "/enable-feature:NetFx3” which indicates enable .NET version 3.5 [4]. This can be used as a good Threat hunting behavior for the customers who do not have dot net programs running in their environment. If such customers observe Fondue.exe with parameter “/enable-feature:NetFx3” it is worth examining associated executables to ensure they are legitimate[5].
Initial Payload
When executed RingBell.exe writes a registry value ‘RingBell’ to the current user’s run key for persistence (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This auto-start registry path is stored as a base64 encoded string in the exe and is decoded at runtime. This code can be seen in Figure 7 below.
Figure 7. Code segment of decompiled exe file, the code section shows Autorun Registry entry being created depicting.
Persistence
On execution the executable creates a registry value with name “RingBell” in this path “HKCU\Software\Microsoft\Windows\CurrentVersion\Run“ and adds the current path of the RingBell.exe as value of this key (in our case C:\temp\RingBell.exe). This registry change is detected by the FortiEDR as “Modify OS Settings” event. Figure 8 below shows this detection.
Figure 8. FortiEDR security event generated as the CrimsonRAT executable (RingBell.exe) creates an auto-start registry entry for persistence.
This behavior can also be observed in telemetry data collected through FortiEDR threat hunting. Figure 9 below shows enriched telemetry information related to this registry modification events. Note that FortiEDR tags system events like this with MITRE behavior, tactic, and technique identifiers to make searching for noteworthy events easier.
Figure 9. FortiEDR Threat Hunting events generated because of the “RingBell.exe” (CrimsonRAT) executable creating a registry value in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run“ autorun key.
Sandbox Evasion
On execution the exe sleeps for 181 seconds (about 3 minutes) before doing any actions. We can observe this in the Figure 10 below. Interestingly we normally see malware developers use the dedicated ‘sleep’ function to pass time but in the case of this function the malware instead uses ‘DateTime.Now’ function to get a start time and simply loops until the current time is 181 seconds (about 3 minutes) higher than the start time. We assume this is an anti-sandbox technique as many modern sandboxes will detect the use of the sleep function at the start of execution and flag as a suspicious code feature for an unknown executable or patch out the sleep function to get around large delays[6].
Figure 10. Alternative method of employing a sleep, likely as an anti-debug technique to avoid sandbox detection.
The malware tries to connect to dyndns domain “swissaccount[.]ddns[.]net” which right now resolves to IP address 161[.]97[.]176[.]42. It also tries to connect to the domain “sunjaydut[.]ddns.net” which resolves to 161[.]97[.]176[.]52. This IP address is identified by Fortiguard CTS and multiple sources as CrimsonRAT C2 address. These two IP addresses are from Contabo, a Cloud VPS (Virtual Private Server) provider located in Germany.
Figure 11. FortiGuard Threat Intelligence indicates these IPs have been associated with previous CrimsonRAT C2.
The analyzed CrimsonRAT samples also includes a hardcoded list of ports which it uses when connecting to C2. The static list of ports can be seen in the code in Figure 12.
Figure 12. Static ports listed within the CrimsonRAT sample. These are used for connections to C2.
Functionality of CrimsonRAT
CrimsonRAT contains a standard array of RAT functionality as outlined in the table below. This information was taken directly from the CrimsonRAT executable and the usability of each of the functions was not tested but can be inferred based on the associated code.
|
Class/Function |
Purpose |
|
Class11 method_1 |
GetDirectories – Find directories in given path |
|
Class11 method_2 |
GetFiles – Find all files in the directory |
|
Class11 method_4 |
GetDrives – Find all drives in the computer |
|
Class11 method_5 |
DirectoryInfo – Get information about a directory |
|
Class14 method_0 |
CopyFromScreen – Get screenshot |
|
Class8 smethod_3 |
Osversion.Version.Major/Minor – Get Operating system version information |
|
Class8 smethod_4 |
Registry.CurrentUser.OpenSubkey – Open Registry key |
|
Class8 smethod_4 |
Registry.SetValue – Write Value to the Registry key |
|
GClass0 method_3 |
FileInfo – Get File information about a file |
|
GClass0 method_4 |
Reads text from TCPIP networkstream and return command from C2 |
|
GClass0 method_9 |
Process.GetProcesses() – Get all processes running on computer |
|
GClass0 method_18 |
File.Delete() – Delete specified file |
|
GClass0 method_22 |
Process.GetProcessByID.Kill() – Kill a specified process |
|
GClass0 method_23 |
File.ReadAllBytes() – Read file data |
|
GClass1 method_4 |
Registry.DeleteValue – Delete Registry Key |
|
GForm0 GForm0_FormClosing |
Sleeps for given time and then checks if Autorun registry is existing if not calls function to create autorun registry entry then closes the application |
The connection initiated to the C2 server of CrimsonRAT is blocked by the FortiEDR as a malicious connection, this can be observed in Figure 13 below.
Figure 13. CrimsonRAT C2 connection blocked by FortiEDR
When CrimsonRAT connects to it’s C2 server it receives the following command back: info=command. This communication is over a TCP/IP connection rather than a web request connection that we normally see from other RATs. After receiving this command CrimsonRAT sends the computer name, username, and installed path back to the C2 server, all retrieved from environment variables. Figure 14 shows C2 received command and Figure 15 shows the data sent by the CrimsonRAT sample to the C2.
Figure 14. Command received from C2. This command instructs the CrimsonRAT sample to return the computer name, username, and installed path back to the C2 server.
Figure 15. CrimsonRAT sending requested data from the ‘info=command’ back to C2
Secondary Payloads from C2
Following initial communication with the C2 server, CrimsonRAT downloaded four different exe files and executed them on the victim machine. A screenshot of these files is shown below in the Figure 16. All four executables are .NET compiled exe files and have similar characteristics to the original RingBell.exe file, it is believed that all of these are new variants of CrimsonRAT and one includes functionality that allows it to work as a USB worm, spreading CrimsonRAT through connected removable media.
Figure 16. Secondary Payload Exes downloaded by RingBell.exe
The telsec.exe contains hardcoded c2 domain swissaccount[.]ddns[.]net in it. This can be seen in the Figure 17. Whereas the other three exe contain hardcoded domain sunjaydut[.]ddns[.]net.
Figure 17. C2 domain hardcoded in telsec.exe
We found that the communication with this second C2 (sunjaydut[.]ddns[.]net which at the time of analysis was resolving to 161[.]97[.]176[.]52) was similar, on connection from the CrimsonRAT implant, C2 sent the info command to get victim info like Figure 14. and Figure 15.
Another interesting artifact found in the analysis of the telsec.exe file is the file contains debug strings which are likely file paths to dependencies on machine where the file was compiled. The following debug strings with path were found in the telsec.exe
|
D:\Projects\Wibemax\WinP\Middle\obj\Debug\Middle.pdb |
|
D:\Projects\Wibemax\WinP\WinP\obj\Debug\WinP.pdb |
|
D:\Projects\Wibemax\Windows RAT\1 Windows 10 Client\Win8P-Sunny\2022-04-15-Win8P Sunny\obj\Debug\FUJIKBattery.pdb |
|
D:\Projects\Wibemax\Windows RAT\7 Extra\thiaucthas\obj\x86\Debug\thiaucthas.pdb |
In the process of analyzing the four secondary payloads, these executables were executed in the FortiSandbox environment. All the payloads had hidden windows of their main processes. There are some differences between the process like the Botswana.exe and Bhutan.exe escalated the privilege to SeDebugPrivilege which indicates anti-debug techniques. Botswana.exe and Bhutan.exe both communicated with previously identified C2 servers on execution where as other two payloads did not attempt to connect to C2. Below are the process diagrams for each of the analyzed executables taken from FortiSandbox.
Figure 18. Process diagram of secondary payload Botswana.exe when executed in FortiSandbox
Figure 19. Process diagram of secondary payload Bhutan.exe when executed in FortiSandbox
Figure 20. Process diagram of secondary payload Casiowatch.exe when executed in FortiSandbox
Figure 21. Process diagram of secondary payload Telsec.exe when executed in FortiSandbox
When we compared the imphash of all the four secondary payload files they had the same imphash. Some observed differences between the executables are outlined here. Firstly, the telsec.exe executable includes code that checks if a USB drive is connected to the infected machine. If a USB drive is detected on execution, it first checks if a copy of itself is present on the USB drive or not. If a copy is not found it creates a copy of itself on the USB drive. Thus, showing characteristics of a worm spreading through USB storage devices.
All the new CrimsonRAT variants except telsec.exe created registry key for autorun of themselves after reboot in the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ as outlined in the above analysis of RingBell.exe.
The other three payload executables have decompiled functions similar to RingBell.exe but one major difference was they were .NET 4.x exe and the RingBell.exe was a .NET 2.x exe. We suspect that on connection from the ‘RingBell.exe’ the C2 attempts to upgrade the payload by sending newer .NET version executables.
Table 1. Telsec.exe interesting system/api call functions
|
Class/Function |
Purpose |
|
HRDD checkUSB |
Check if USB drive is connected to Machine |
|
HRDD findFile |
Search for a file name based on a given string |
|
HRDD getFiles1 |
Find all directories in the given path and files in given directory |
|
HRDD hdDrives |
Check USB worm payload exists on connected USB drive if not present copy payload to USB drive |
|
HRDD Extract |
Get Binary file from GetManifestResourceStream and write to filesystem |
|
HRDD SaveFiles |
Save files to specific directory |
Table 2. CasioWatch.exe interesting system/api call functions.
|
Class/Function |
Purpose |
|
Class61 method_0 |
CopyFromScreen – Get screenshot |
|
Class62 smethod_1 |
Process.GetProcessesByName – Get access to Process |
|
Class62 smethod_2 |
Path.GetDirecoryName – Get directory Name from Path |
|
Class62 smethod_3 |
Environment.GetFolderPath – Get Current Folder |
|
Class62 smethod_6 |
Osversion.Version.Major/Minor – Get Operating system version information |
|
Class62 smethod_7 |
Registry.CurrentUser.OpenSubkey – Open Registry key |
|
Class62 smethod_7 |
Registry.SetValue – Write Value to the Registry key |
|
Class69 method_2 |
GetDrives – Find all drives in the computer |
|
Class69 method_3 |
GetFiles – Find all files in the directory |
|
Class69 method_5 |
DirectoryInfo – Get information about a director |
|
GClass6 smethod_4 |
Registry.DeleteValue – Delete Registry Key |
|
GClass7 method_0 |
Process.GetProcessByID.Kill() – Kill a specified process |
|
GClass7 method_2 |
File.Delete() – Delete specified file |
|
GForm02 GForm2_FormClosing |
Sleeps for given time and then checks if Autorun registry is existing if not calls function to create autorun registry entry then closes the application |
Table 3. Botswana.exe interesting system/api call functions.
|
Class/Function |
Purpose |
|
Class33 method_0 |
CopyFromScreen – Get screenshot |
|
Class34 smethod_1 |
Process.GetProcessesByName – Get access to Process |
|
Class34 smethod_2 |
Path.GetDirecoryName – Get directory Name from Path |
|
Class34 smethod_3 |
Environment.GetFolderPath – Get Current Folder |
|
Class34 smethod_6 |
Osversion.Version.Major/Minor – Get Operating system version information |
|
Class34 smethod_7 |
Registry.CurrentUser.OpenSubkey – Open Registry key |
|
Class34 smethod_7 |
Registry.SetValue – Write Value to the Registry key |
|
Class41 method_3 |
GetDrives – Find all drives in the computer |
|
Class41 method_4 |
GetFiles – Find all files in the directory |
|
Class41 method_5 |
DirectoryInfo – Get information about a director |
|
GClass3 smethod_4 |
Registry.DeleteValue – Delete Registry Key |
|
GClass5 method_14 |
File.Delete() – Delete specified file |
Table 4. Bhutan.exe interesting system/API call functions.
|
Class/Function |
Purpose |
|
Class5 method_0 |
CopyFromScreen – Get screenshot |
|
Class6 smethod_1 |
Process.GetProcessesByName – Get access to Process |
|
Class6 smethod_2 |
Path.GetDirecoryName – Get directory Name from Path |
|
Class6 smethod_3 |
Environment.GetFolderPath – Get Current Folder |
|
Class6 smethod_6 |
Osversion.Version.Major/Minor – Get Operating system version information |
|
Class6 smethod_7 |
Registry.CurrentUser.OpenSubkey – Open Registry key |
|
Class6 smethod_7 |
Registry.SetValue – Write Value to the Registry key |
|
Class13 method_3 |
GetDrives – Find all drives in the computer |
|
Class13 method_4 |
GetFiles – Find all files in the directory |
|
Class13 method_5 |
DirectoryInfo – Get information about a director |
|
GClass0 smethod_4 |
Registry.DeleteValue – Delete Registry Key |
|
Gclass1 method_2 |
File.Delete() – Delete specified file |
|
GClass1 method_0 |
Process.GetProcessByID.Kill() – Kill a specified process |
|
GClass2 method_19 |
CreateDirectory(FileAttributes.Hidden – Create a Hidden directory |
Conclusion
In this article we have analyzed a CrimsonRAT executable and additional payloads downloaded from suspected Transparent Tribe infrastructure. Additionally, we have demonstrated how FortiEDR provides protection against this RAT and its subsequent payloads through both behavioral and signature based detections. We also analyzed functionality present in the downloaded payloads and process chains associated with their execution to aid defenders in understanding how execution may exhibit itself in their environments and to assist with building detections. At the time of testing adversary infrastructure was still active and signatures of analyzed payloads were not publicly available through VirusTotal or open-source research.
Threat Hunting
File creation events associated with the Word application dropping RingBell.exe can be found using the following Threat Hunting query.
Type:"File Create" AND Source.Process.File.Name:"winword.exe" AND Target.File.Name:"RingBell.exe"
Process creation event for RingBell exe executing Fondue.exe can be identified using the following threat hunting query. To make this query more generic the ‘Source.Process.Name’ field can be removed. This will identify other instances of executables downloading .NET dependencies which should be analyzed for legitimacy.
Type:"Process Creation" AND Source.Process.Name:"RingBell*.exe" AND Target.Process.Name:"Fondue.exe" AND Target.Process.CommandLine: "\/enable-feature:NetFx3 \/caller-name:mscoreei.dll"
To identify executable load events where the Fondue.exe process is launched by an unsigned exe (like RingBell.exe) we can use following threat hunting query. Note that this may induce false positives if legitimate unsigned .NET binaries are employed in an environment and should be filtered before using in production.
Target.Executable.File.Name:"Fondue.exe" NOT Source.Executable.File.Signed
To identify DNS query events for any of the C2 addresses extracted from the above analyzed sample the following threat hunting query can be used. Note that this is a new event type only available in v5.1.
Target.Network.DNS:"swissaccount.ddns.net" OR Target.Network.DNS:"sunjaydut.ddns.net"
To find TCP communication to known CrimsonRAT C2, we can find remote network connections to ports specified in the CrimsonRAT code we can use the following threat hunting query. Note that this may produce false positives in environments where these ports are used by legitimate applications.
Type:"Socket Connect" AND (RemotePort:57000 OR RemotePort:35010 OR RemotePort:47834 OR RemotePort:10019 OR RemotePort:33009)
File execution of RingBell.exe can be detected by following threat hunting query. This can be extended to cover the other CrimsonRAT variants by substituting their filenames from the below IOC list.
Target.Executable.File.Name:"RingBell*.exe"
RingBell.exe can be found in by hash lookup by using following query. This can be extended using hashes of the other CrimsonRAT variants contained in the below IOC list.
Target.Executable.File.SHA1:"8C9BE4566C40D69F18C6C9887331FBD18E2B820E"
The auto-start registry key created by the analyzed CrimsonRAT sample can be found using the threat hunting query below. This query can be made more generic to find all registry value creation events associated with this persistence TTP by removing the ‘Registry.Name’ part of the query.
Type:"Value Created" AND Registry.Name:"RingBell" AND Registry.Path:"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
File execution of secondary payloads of CrimsonRAT can be detected by the following threat hunting queries targeting observed filename. Note that this query will likely have a very limited scope for future versions of dropped payloads as filenames are easily changed.
Target.Process.File.Name:("telsec.exe" OR "CasioWatch.exe" OR "Botswana.exe" OR "Bhutan.exe")
MITRE ATT&CK
TA0001 – Initial Access
|
Technique ID |
Technique Description |
Observed Activity |
|
T1566 |
Phishing: Malicious Attachment |
TransparentTribe uses malicious word file with embedded CrimsonRAT exe to get initial access to the victim machine. |
TA0002 - Execution
|
Technique ID |
Technique Description |
Observed Activity |
|
T1059.005 |
Command and Scripting Interpreter: Visual Basic (VBA) |
CrimsonRAT uses VBA Macro code embedded in a word file to drop its exe. |
TA0003 - Persistence
|
Technique ID |
Technique Description |
Observed Activity |
|
T1547.001 |
Registry Run Keys |
CrimsonRAT creates a AutoRun registry key with path HKCU\Software\Microsoft\Windows\CurrentVersion\Run to start its exe after reboot. This registry key is created by the CrimsonRAT binary on execution. |
TA0005 - Defense Evasion
|
Technique ID |
Technique Description |
Observed Activity |
|
T1140 |
Deobfuscate/Decode Files or Information: Separate chunks of executable in VBA |
Phishing email attachemnt contains VBA Macro code used to extract CrimsonRAT executable stored internally as chunked strings. On execution these strings are concatenated to create the CrimsonRAT executable which is dropped to disk by the VBA code. |
|
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
When the main function of RingBell.exe (CrimsonRAT) is executed it waits for 181 seconds before continuing the execution to avoid Sandbox detection. |
TA0008 - Lateral Movement
|
Technique ID |
Technique Description |
Observed Activity |
|
T1091 |
Replication Through Removable Media |
Observed executable ‘telsec.exe’ contains code that copies itself to attached removable media to spread through connected networks. |
TA0011 – Command and Control
|
Technique ID |
Technique Description |
Observed Activity |
|
T1095 |
Non-Application Layer Protocol |
CrimsonRAT communicates to its C2 over a TCP connection but it uses its own format of plain text communication to exchange commands and collected data. |
|
T1571 |
Non-Standard Port |
CrimsonRAT C2 uses non-standard ports for running C2 services. Ports employed: 57000, 35010, 47834, 10019, 33009. |
IOCs (Indicators Of Compromise)
|
Indicator Description |
Indicator |
Indicator Type |
Associated Tactic |
Notes |
|
CrimsonRAT C2 IP
|
161[.]97[.]176[.]42
|
IP Address
|
Command and Control
|
This IP was contacted from CrimsonRAT payload following infection.
|
|
CrimsonRAT C2 IP
|
161[.]97[.]176[.]52 |
IP Address
|
Command and Control
|
This IP was contacted from CrimsonRAT payload following infection. |
|
CrimsonRAT C2 Domain |
swissaccount[.]ddns[.]net |
Domain |
Command and Control |
This Domain was resolved, and C2 IP was contacted by RingBell.exe payload of CrimsonRAT |
|
CrimsonRAT C2 Domain |
sunjaydut[.]ddns[.]net |
Domain |
Command and Control |
This Domain was resolved, and C2 IP was contacted by payload of CrimsonRAT |
|
Mental_Health_Survey.docm Hash
|
d93c7e009506d32b0ec6434a5a42a2eb7a14307a |
SHA1 Hash
|
Initial Access
|
File hash of known malicious Microsoft Word document used for this analysis. A different Word document will likely be generated per intrusion to avoid hash-based detection.
|
|
RingBell.exe Hash
|
8c9be4566c40d69f18c6c9887331fbd18e2b820e
|
SHA1 Hash
|
Execution, Command and Control
|
Initial CrimsonRAT executable. Detection of this file hash on an endpoint indicates that the macro has successfully executed and the initial CrimsonRAT payload has been written to disk.
|
|
telsec.exe hash |
b0a68d6a2f5cb6bdf819ae0a8be417d2b294a380 |
SHA1 Hash |
Secondary Payload file |
The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it |
|
CasioWatch.exe hash |
93efe76b2268484dad8f3d390ec5802753cef32e |
SHA1 Hash |
Secondary Payload file |
The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it |
|
Botswana.exe hash |
5867b06cc8776fa38a38bdf82c224a158a0608f6 |
SHA1 Hash |
Secondary Payload file |
The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it |
|
Bhutan.exe hash |
6c2811e9af520da8747baba4eec041a96daa5c4a |
SHA1 Hash |
Secondary Payload file |
The Initial payload RingBell.exe communicated with the C2 server and downloaded this file and executed it |
[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson
[2] https://attack.mitre.org/groups/G0134/
[3] https://twitter.com/h2jazi/status/1518382259228844033
[4] https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj...
[5] https://community.fortinet.com/t5/FortiEDR/Technical-Tip-How-FortiEDR-protects-against-unknown-NET-m...
[6] https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malwar....
