APT36 Taps Coronavirus as 'Golden Opportunity' to Spread Crimson RAT
Security News, March 2020
A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT. Crimson RAT's capabilities include stealing credentials from victims' browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories on victim machines.
Once victims click on the attached malicious document and enable macros, the Crimson RAT is dropped.
Finally, the macro calls the Shell function to execute the payload. Once downloaded, Crimson RAT connects to its hardcoded command-and-control IP addresses and sends the collected information about the victim back to the server.
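As an added example (not code from the article or the researchers' report), a small Python triage helper that flags the traits just described: an auto-run entry point and a Shell call in a macro's source, and hardcoded IPv4 literals among the strings of the file it drops. The macro text, file path and the 203.0.113.7 address are constructed for the example.

```python
import re

# Constructed VBA macro source in the shape the article describes: an
# auto-run entry point that ends by calling Shell on the dropped file.
# The path and names here are invented for this example.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim target As String
    target = Environ("ALLUSERSPROFILE") & "\example\payload.exe"
    ' ... payload bytes written to target ...
    Shell target, vbNormalFocus
End Sub
'''

# Constructed printable strings, as a strings(1)-style dump of a dropped binary
# would show; 203.0.113.7 is a documentation-range address, not a real C2.
SAMPLE_PAYLOAD_STRINGS = ["kernel32.dll", "203.0.113.7", "ver 9.99.9", "screenshot"]

AUTO_EXEC = re.compile(r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
SHELL_CALL = re.compile(r"\b(?:Shell|ShellExecute|WScript\.Shell)\b", re.I)
IPV4 = re.compile(r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")


def ipv4_literals(text):
    """Return dotted-quad literals whose four octets are all 0..255.

    Three-part version strings such as 'ver 9.99.9' never match, and
    out-of-range octets such as 999.1.1.1 are rejected explicitly.
    """
    return sorted({m.group(0) for m in IPV4.finditer(text)
                   if all(int(o) <= 255 for o in m.groups())})


def triage(macro_src, payload_strings):
    """Flag the drop-and-run chain: auto-exec trigger plus Shell call in the
    macro, and hardcoded IPv4 addresses in the dropped payload's strings."""
    auto = sorted({m.group(0) for m in AUTO_EXEC.finditer(macro_src)})
    shell = sorted({m.group(0) for m in SHELL_CALL.finditer(macro_src)})
    ips = ipv4_literals("\n".join(payload_strings))
    return {
        "auto_exec": auto,
        "shell_calls": shell,
        "hardcoded_ips": ips,
        # A macro that runs on open and shells out is the chain the article
        # describes; IP literals in the dropped binary corroborate hardcoded C2.
        "verdict": "suspicious" if auto and shell else "review",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MACRO, SAMPLE_PAYLOAD_STRINGS))
```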
Researchers said that APT36 has used many different RAT strains in the past - including the remote administration tool DarkComet, Luminosity RAT, and njRAT. "In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters," said researchers.
"This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria - all while compromising victims with scams or malware campaigns."