win.crimson

Crimson RAT

aka: SEEDOOR, Scarimson

Actor(s): Operation C-Major


Crimson RAT is a Windows remote access trojan written in .NET and attributed to Transparent Tribe, the Pakistan-linked group also tracked as APT36, Operation C-Major, COPPER FIELDSTONE and Earth Karkaddan (see the references below). It was first publicly documented in Proofpoint's March 2016 "Operation Transparent Tribe" report and has remained the group's primary Windows implant since, used chiefly against Indian government, military and defence organisations and, from 2021 onward, educational institutions. Delivery is typically a spear-phishing email carrying a malicious Office document whose macro drops and runs the payload; the implant then talks to its command-and-control server over a custom binary protocol on raw TCP rather than HTTP(S), which is why network detection for this family keys on the protocol rather than on URLs. Once installed, it gives the operator remote control of the host and is used to steal data and spy on the user.

Some of the features of Crimson RAT include:

Remote command execution and full control of the infected host
Browsing the file system, uploading and downloading files, and exfiltrating documents
Theft of credentials stored by web browsers
User spying through screenshots and, via a separately downloaded module, keylogging
Enumeration of running processes, drives and directories
Fetching and running additional modules or updated versions of itself

References
2023-10-12 | Cluster25 | Cluster25 Threat Intel Team
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
Tags: Agent Tesla, Crimson RAT, Nanocore RAT, SmokeLoader

2023-05-02 | Seqrite | Sathwik Ram Prakki
Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational Institutions
Tags: Crimson RAT

2022-07-13 | Cisco | Nick Biasini
Transparent Tribe begins targeting education sector in latest campaign
Tags: Crimson RAT, Oblique RAT

2022-05-11 | K7 Security | Saikumaravel
Transparent Tribe Targets Educational Institution
Tags: Crimson RAT

2022-03-29 | Cisco Talos | Asheer Malhotra, Justin Thattil, Kendall McKay
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
Tags: Crimson RAT

2022-03-29 | Bleeping Computer | Bill Toulas
Hackers use modified MFA tool against Indian govt employees
Tags: Crimson RAT, Oblique RAT

2022-03-10 | Twitter (@Katechondic) | Katechondic
Tweet on additional computer names "desktop-g1i8n3f" & "desktop-j6llo2k", seen with Crimson RAT C2 infrastructure used by APT36
Tags: Crimson RAT

2022-03-10 | Twitter (@teamcymru_S2) | Team Cymru
Tweet on Crimson RAT infrastructure used by APT36
Tags: Crimson RAT

2022-01-24 | Trend Micro | Trend Micro
Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal
Tags: CapraRAT, Crimson RAT, Oblique RAT, Operation C-Major

2022-01-24 | Trend Micro | Trend Micro
Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal (IOCs)
Tags: Crimson RAT, Oblique RAT

2021-12-22 | Know Chuangyu | Know Chuangyu
APT Tracking Analytics: Transparent Tribe Attack Activity
Tags: Crimson RAT

2021-10-13 | Anchored Narratives on Threat Intelligence and Geopolitics | RJM
Trouble in Asia and the Middle East. Tracking the TransparentTribe threat actor.
Tags: Crimson RAT

2021-09-08 | Microstep Intelligence Bureau | Microstep Online Research Response Center
Trilateral operation: years of cyberespionage against countries in South Asia and the Middle East (APT36)
Tags: AndroRAT, Crimson RAT

2021-09-01 | 360 Threat Intelligence Center | Advanced Threat Institute
APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert
Tags: Crimson RAT, NetWire RC

2021-07-02 | Team Cymru | Joshua Picolet
Transparent Tribe APT Infrastructure Mapping Part 2: A Deeper Dive into the Identification of CrimsonRAT Infrastructure
Tags: Crimson RAT

2021-05-13 | Talos | Asheer Malhotra, Justin Thattil, Kendall McKay
Transparent Tribe APT expands its Windows malware arsenal
Tags: Crimson RAT, Oblique RAT

2021-05-05 | Zscaler | Aniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols: Analysis of top non-HTTP/S threats
Tags: Agent Tesla, AsyncRAT, Crimson RAT, CyberGate, Ghost RAT, Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, Remcos

2021-04-30 | Cyble | Cyble
Transparent Tribe Operating with a New Variant of Crimson RAT
Tags: Crimson RAT

2021-04-20 | 360 Threat Intelligence Center | Advanced Threat Institute
Transparent Tribe uses the COVID-19 vaccine topic as a lure in targeted attacks on the Indian medical sector
Tags: Crimson RAT

2021-04-16 | Team Cymru | Joshua Picolet
Transparent Tribe APT Infrastructure Mapping Part 1: A High-Level Study of CrimsonRAT Infrastructure October 2020 – March 2021
Tags: Crimson RAT

2021-02-28 | PwC UK | PwC UK
Cyber Threats 2020: A Year in Retrospect
Tags: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2021-01-18 | Twitter (@teamcymru) | Team Cymru
Tweet on APT36 CrimsonRAT C2
Tags: Crimson RAT

2020-11-03 | Kaspersky Labs | GReAT
APT trends report Q3 2020
Tags: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-08-26 | Kaspersky Labs | Giampaolo Dedola
Transparent Tribe: Evolution analysis, part 2
Tags: AhMyth, Crimson RAT, Oblique RAT

2020-08-25 | Qianxin | Qi'anxin Threat Intelligence
South Asian APT group "Transparent Tribe" takes on its adversaries on the mobile front (original title: 南亚APT组织“透明部落”在移动端上与对手的较量)
Tags: AhMyth, Crimson RAT, Oblique RAT

2020-08-20 | Kaspersky Labs | Giampaolo Dedola
Transparent Tribe: Evolution analysis, part 1
Tags: Crimson RAT

2020-07-08 | Seqrite | Kalpesh Mantri
Operation 'Honey Trap': APT36 Targets Defense Organizations in India
Tags: Crimson RAT

2020-03-03 | PwC UK | PwC UK
Cyber Threats 2019: A Year in Retrospect
Tags: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-21 | Yoroi | Antonio Pirozzi, Luigi Martire, Pietro Melillo
Transparent Tribe: Four Years Later
Tags: Crimson RAT

2020-01-01 | Secureworks | SecureWorks
COPPER FIELDSTONE
Tags: Crimson RAT, DarkComet, Luminosity RAT, NjRAT, Operation C-Major

2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
Tags: WhiteShadow, Agent Tesla, Azorult, Crimson RAT, Formbook, Nanocore RAT, NetWire RC, NjRAT, Remcos

2019-03-05 | Tencent | Tencent
TransparentTribe APT organizes 2019 attacks on Indian government and military targets
Tags: Crimson RAT, Unidentified 066, Operation C-Major

2018-05-15 | Amnesty International | Brave
Human Rights Under Surveillance: Digital Threats Against Human Rights Defenders in Pakistan
Tags: StealthAgent, Crimson RAT

2016-03-01 | Proofpoint | Darien Huss
Operation Transparent Tribe
Tags: Andromeda, beendoor, Bezigate, Crimson RAT, Luminosity RAT, Operation C-Major
Yara Rules
[TLP:WHITE] win_crimson_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_crimson_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 3bdc df141a 94 b41f }
            // n = 4, score = 1000
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f

        $sequence_1 = { b41f 214008 39492d 38b9cbd1d3fe }
            // n = 4, score = 1000
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh

        $sequence_2 = { 214008 39492d 38b9cbd1d3fe c81f9e56 }
            // n = 4, score = 1000
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh
            //   c81f9e56             | enter               -0x61e1, 0x56

        $sequence_3 = { 55 35fdfbdfff beaed3e886 0800 }
            // n = 4, score = 1000
            //   55                   | push                ebp
            //   35fdfbdfff           | xor                 eax, 0xffdffbfd
            //   beaed3e886           | mov                 esi, 0x86e8d3ae
            //   0800                 | or                  byte ptr [eax], al

        $sequence_4 = { df141a 94 b41f 214008 }
            // n = 4, score = 1000
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax

        $sequence_5 = { 307362 c1096b bbf9910d38 5c }
            // n = 4, score = 1000
            //   307362               | xor                 byte ptr [ebx + 0x62], dh
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp

        $sequence_6 = { bbf9910d38 5c d38aa4973fe2 3bdc }
            // n = 4, score = 1000
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp

        $sequence_7 = { c1096b bbf9910d38 5c d38aa4973fe2 }
            // n = 4, score = 1000
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl

        $sequence_8 = { 94 b41f 214008 39492d }
            // n = 4, score = 1000
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx

        $sequence_9 = { 5c d38aa4973fe2 3bdc df141a }
            // n = 4, score = 1000
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]

    condition:
        7 of them
}
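Two caveats a practitioner should weigh before deploying this rule. First, the disassembly in the comments is yara-signator decoding the selected bytes as x86; Crimson RAT is a .NET assembly, and instructions such as `xchg eax, esp`, `pop esp` or `enter -0x61e1, 0x56` are not plausible compiler output, so the rule should be read as a raw byte signature over some blob in the unpacked file rather than as a code signature. Second, nine of the ten `$sequence_N` strings are overlapping four-"instruction" windows over one contiguous 42-byte run, so `7 of them` is satisfied by that single run alone, and a one-byte change inside it is enough to drop the hit count below the threshold. The Python below is an added example (not Malpedia's or yara-signator's code, and not a YARA engine) that takes the hex strings from the rule, chains the overlapping ones into the distinct runs the rule actually keys on, and evaluates the `7 of them` condition over a constructed buffer with and without a single-byte mutation. The buffer, the `FILLER` padding and the helper names are this example's own assumptions.

```python
"""Added example: re-implements the matching logic of win_crimson_auto over the
hex strings listed in the rule, without a YARA dependency. Not Malpedia's code."""

# Hex strings copied verbatim from the $sequence_N definitions in the rule above.
SEQUENCES = {
    "sequence_0": "3bdc df141a 94 b41f",
    "sequence_1": "b41f 214008 39492d 38b9cbd1d3fe",
    "sequence_2": "214008 39492d 38b9cbd1d3fe c81f9e56",
    "sequence_3": "55 35fdfbdfff beaed3e886 0800",
    "sequence_4": "df141a 94 b41f 214008",
    "sequence_5": "307362 c1096b bbf9910d38 5c",
    "sequence_6": "bbf9910d38 5c d38aa4973fe2 3bdc",
    "sequence_7": "c1096b bbf9910d38 5c d38aa4973fe2",
    "sequence_8": "94 b41f 214008 39492d",
    "sequence_9": "5c d38aa4973fe2 3bdc df141a",
}
THRESHOLD = 7  # the rule's condition is "7 of them"

PATTERNS = {name: bytes.fromhex(h.replace(" ", "")) for name, h in SEQUENCES.items()}


def matching_sequences(data: bytes) -> set:
    """Names of the $sequence_N strings found in data. A plain substring search is
    equivalent to YARA's behaviour for hex strings without wildcards or jumps."""
    return {name for name, pattern in PATTERNS.items() if pattern in data}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's 'N of them' condition."""
    return len(matching_sequences(data)) >= THRESHOLD


def chain_overlaps(patterns, min_overlap: int = 4) -> list:
    """Merge patterns whose suffix equals another pattern's prefix by at least
    min_overlap bytes, then drop any pattern fully contained in a longer run.
    The result is the set of distinct byte runs the rule really depends on."""
    runs = list(patterns)
    merged = True
    while merged:
        merged = False
        for i, a in enumerate(runs):
            for j, b in enumerate(runs):
                if i == j:
                    continue
                for k in range(min(len(a), len(b)), min_overlap - 1, -1):
                    if a.endswith(b[:k]):
                        runs[i] = a + b[k:]
                        del runs[j]
                        merged = True
                        break
                if merged:
                    break
            if merged:
                break
    return [r for r in runs if not any(r != other and r in other for other in runs)]


def flip_byte(data: bytes, offset: int) -> bytes:
    """Copy of data with one bit flipped at offset (models a rebuilt sample that
    differs from the one the rule was generated from by a single byte)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


RUNS = chain_overlaps(PATTERNS.values())
LONGEST_RUN = max(RUNS, key=len)

# Constructed test buffer (assumption, not a real sample): zero filler around the
# longest reconstructed run, so only that run can produce hits.
FILLER = b"\x00" * 32
SAMPLE = FILLER + LONGEST_RUN + FILLER
# Offset inside SAMPLE of the 0x94 byte that sequence_0, _4 and _8 all contain.
MUTATION_OFFSET = len(FILLER) + LONGEST_RUN.index(b"\x94\xb4\x1f")

if __name__ == "__main__":
    print(f"{len(RUNS)} distinct byte run(s) behind {len(PATTERNS)} sequences")
    for run in sorted(RUNS, key=len, reverse=True):
        print(f"  {len(run):2d} bytes: {run.hex()}")
    hits = matching_sequences(SAMPLE)
    print(f"constructed buffer: {len(hits)} hits, rule matches = {rule_matches(SAMPLE)}")
    mutated = flip_byte(SAMPLE, MUTATION_OFFSET)
    hits = matching_sequences(mutated)
    print(f"one-byte change:    {len(hits)} hits, rule matches = {rule_matches(mutated)}")
```

Running it reports two runs (42 and 13 bytes), nine hits on the constructed buffer, and six hits once the shared 0x94 byte is flipped, at which point the rule no longer fires. To check the real rule against real files, compile it with yara-python (`yara.compile(filepath=...)` and `rules.match(data=...)`) against unpacked or memory-dumped samples, since the strings were selected from unpacked material; a packed Crimson RAT dropper on disk will not match.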