COVID-19 Themed Phishing Campaigns Continue

Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. APT36 has been active since 2016, and possibly earlier, performing cyber espionage activity against Indian defense and government activities. 


The first report on the new campaign came in a RedDrip Team (the Chinese security firm QiAnXin Technology) tweet on March 12, 2020: "Malicious document, pretending to be from the Government of #India with health advisory of Coronavirus, seems delivered by #Transparent Tribe (#ProjectM). Victims are lured to enable macro to execute #Crimson #RAT payload." 


Transparent Tribe is an alternative name for APT36. It comes from early research by Proofpoint that described the use of the Crimson RAT in a watering hole attack against Indian embassies in Saudi Arabia and Kazakhstan, with indicators pointing to a Pakistani origin.


Malwarebytes has analyzed the documents used in the latest campaign. It describes a spear-phishing email masquerading as coming from the Indian government and linking to a fake coronavirus health advisory, which serves as the lure. 


The linked document contains two hidden macros that drop Crimson RAT. The first step creates two directories named 'Edlacar' and 'Uahaiws', then checks the OS type. Based on the OS, the macro chooses either a 32-bit or 64-bit version of the RAT and drops it, zipped, into the Uahaiws directory. From there it is unzipped using the 'UnAldZip' function, and the payload is written into the Edlacar directory and executed.
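The drop-unzip-execute chain described above is easy to spot in endpoint telemetry once you look for an Office process writing an archive and an executable into a user-writable directory and then spawning that executable. The following detection logic is an added example, not code from the article, Malwarebytes, or RedDrip Team. It assumes a Sysmon-style JSON event log (one event per line with `event`, `image`, `parent_image`, `target` and `ts` fields); the log lines, the user name and the file names are constructed for illustration, while the directory names 'Edlacar' and 'Uahaiws' are the ones named in the report. The generic chain rule catches the behaviour even when a future variant renames its directories.

```python
import json
import ntpath  # Windows path handling works on any host

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path fragments that an unprivileged user can write to (lower-cased matching)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Directory names reported for this campaign; a hit is a high-confidence indicator
CAMPAIGN_DIR_NAMES = {"edlacar", "uahaiws"}
ARCHIVE_EXT = {".zip"}
EXEC_EXT = {".exe", ".scr"}

# Constructed sample telemetry (hypothetical host, user and file names)
SAMPLE_LOG = r"""
{"ts":"2020-03-12T10:00:01Z","event":"process_create","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2020-03-12T10:00:05Z","event":"file_create","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Roaming\\Uahaiws\\payload.zip"}
{"ts":"2020-03-12T10:00:06Z","event":"file_create","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Roaming\\Edlacar\\dropped.exe"}
{"ts":"2020-03-12T10:00:07Z","event":"process_create","image":"C:\\Users\\alice\\AppData\\Roaming\\Edlacar\\dropped.exe","parent_image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"ts":"2020-03-12T10:01:00Z","event":"file_create","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","target":"C:\\Users\\alice\\Documents\\report.docx"}
{"ts":"2020-03-12T10:01:30Z","event":"process_create","image":"C:\\Windows\\System32\\splwow64.exe","parent_image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
"""


def _basename(path):
    return ntpath.basename(path).lower()


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def parse_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_office_dropper(events):
    """Return (rule, timestamp, path) alerts for one host's events, in order.

    Rules:
      campaign_dir_name   - a file path contains a directory name from the report
      drop_unzip_execute  - Office wrote an archive and an executable to a
                            user-writable dir, then that executable ran
      office_spawned_user_dir_exe - Office spawned an executable from a
                            user-writable dir without the archive stage
    """
    alerts = []
    archives_dropped = []  # archive paths written by an Office process
    exes_dropped = set()   # executable paths (lower-cased) written by Office
    for ev in events:
        image = _basename(ev.get("image", ""))
        if ev["event"] == "file_create":
            target = ev["target"]
            if image in OFFICE_APPS and _in_user_writable(target):
                ext = _ext(target)
                if ext in ARCHIVE_EXT:
                    archives_dropped.append(target)
                elif ext in EXEC_EXT:
                    exes_dropped.add(target.lower())
            # Any path component matching the reported directory names
            parts = {p.lower() for p in target.split("\\")}
            if parts & CAMPAIGN_DIR_NAMES:
                alerts.append(("campaign_dir_name", ev["ts"], target))
        elif ev["event"] == "process_create":
            parent = _basename(ev.get("parent_image", ""))
            exe = ev["image"]
            dropped = exe.lower() in exes_dropped
            if dropped or (parent in OFFICE_APPS and _in_user_writable(exe)):
                rule = "drop_unzip_execute" if (dropped and archives_dropped) \
                    else "office_spawned_user_dir_exe"
                alerts.append((rule, ev["ts"], exe))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_office_dropper(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, ts, path in run_sample():
        print(f"{ts} {rule}: {path}")
```

The benign events in the sample (Word saving a .docx to Documents and spawning the print helper splwow64.exe from System32) produce no alerts, so the chain rule is specific to payloads staged in user-writable locations rather than to Office child processes in general. In production the per-host state would be keyed by session and expired after a few minutes.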


Crimson RAT, as described by MITRE ATT&CK, can steal crede ..
