win.crimson

Crimson RAT

aka: SEEDOOR, Scarimson

Actor(s): Operation C-Major


There is no description at this point.

References

2020-08-26 | Kaspersky Labs | Giampaolo Dedola
Transparent Tribe: Evolution analysis, part 2
@online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} }
Tagged: AhMyth, Crimson RAT, Oblique RAT

2020-08-25 | Qianxin | Qi'anxin Threat Intelligence
South Asian APT group "Transparent Tribe": the contest with its adversaries on mobile (Chinese; original title: 南亚APT组织“透明部落”在移动端上与对手的较量)
@online{intelligence:20200825:apt:0ad132f, author = {Qi'anxin Threat Intelligence}, title = {{南亚APT组织“透明部落”在移动端上与对手的较量}}, date = {2020-08-25}, organization = {Qianxin}, url = {https://www.secrss.com/articles/24995}, language = {Chinese}, urldate = {2020-08-25} }
Tagged: AhMyth, Crimson RAT, Oblique RAT

2020-08-20 | Kaspersky Labs | Giampaolo Dedola
Transparent Tribe: Evolution analysis, part 1
@online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} }
Tagged: Crimson RAT

2020-07-08 | Seqrite | Kalpesh Mantri
Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
@online{mantri:20200708:operation:bee5008, author = {Kalpesh Mantri}, title = {{Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India}}, date = {2020-07-08}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/}, language = {English}, urldate = {2020-07-13} }
Tagged: Crimson RAT

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Tagged: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom

2020-02-21 | Yoroi | Luigi Martire, Pietro Melillo, Antonio Pirozzi
Transparent Tribe: Four Years Later
@online{martire:20200221:transparent:eb18469, author = {Luigi Martire and Pietro Melillo and Antonio Pirozzi}, title = {{Transparent Tribe: Four Years Later}}, date = {2020-02-21}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/transparent-tribe-four-years-later}, language = {English}, urldate = {2020-03-06} }
Tagged: Crimson RAT

2020 | Secureworks | SecureWorks
COPPER FIELDSTONE
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} }
Tagged: Crimson RAT, DarkComet, Luminosity RAT, NjRAT, Operation C-Major

2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} }
Tagged: WhiteShadow, Agent Tesla, Azorult, Crimson RAT, Formbook, Nanocore RAT, NetWire RC, NjRAT, Remcos

2019-03-05 | Tencent | Tencent
TransparentTribe APT organizes 2019 attacks on Indian government and military targets (Chinese)
@online{tencent:20190305:transparenttribe:55798e4, author = {Tencent}, title = {{TransparentTribe APT organizes 2019 attacks on Indian government and military targets}}, date = {2019-03-05}, organization = {Tencent}, url = {https://s.tencent.com/research/report/669.html}, language = {Chinese}, urldate = {2020-01-08} }
Tagged: Crimson RAT, Unidentified 066, Operation C-Major

2018-05-15 | Amnesty International | Brave
HUMAN RIGHTS UNDER SURVEILLANCE: DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN
@techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} }
Tagged: StealthAgent, Crimson RAT

2016-03-01 | Proofpoint | Darien Huss
Operation Transparent Tribe
@techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} }
Tagged: Andromeda, beendoor, Bezigate, Crimson RAT, Luminosity RAT, Peepy RAT, Operation C-Major
Yara Rules
[TLP:WHITE] win_crimson_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_crimson_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 3bdc df141a 94 b41f }
            // n = 4, score = 1000
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f

        $sequence_1 = { b41f 214008 39492d 38b9cbd1d3fe }
            // n = 4, score = 1000
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh

        $sequence_2 = { 214008 39492d 38b9cbd1d3fe c81f9e56 }
            // n = 4, score = 1000
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh
            //   c81f9e56             | enter               -0x61e1, 0x56

        $sequence_3 = { 55 35fdfbdfff beaed3e886 0800 }
            // n = 4, score = 1000
            //   55                   | push                ebp
            //   35fdfbdfff           | xor                 eax, 0xffdffbfd
            //   beaed3e886           | mov                 esi, 0x86e8d3ae
            //   0800                 | or                  byte ptr [eax], al

        $sequence_4 = { df141a 94 b41f 214008 }
            // n = 4, score = 1000
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax

        $sequence_5 = { 307362 c1096b bbf9910d38 5c }
            // n = 4, score = 1000
            //   307362               | xor                 byte ptr [ebx + 0x62], dh
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp

        $sequence_6 = { bbf9910d38 5c d38aa4973fe2 3bdc }
            // n = 4, score = 1000
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp

        $sequence_7 = { c1096b bbf9910d38 5c d38aa4973fe2 }
            // n = 4, score = 1000
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl

        $sequence_8 = { 94 b41f 214008 39492d }
            // n = 4, score = 1000
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx

        $sequence_9 = { 5c d38aa4973fe2 3bdc df141a }
            // n = 4, score = 1000
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]

    condition:
        7 of them
}