SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crimsonias (Back to overview)

CrimsonIAS

Actor(s): Mustang Panda

According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows backdoors that beacons out.

References
2021-01-27ThreatConnectThreatConnect Research Team
CrimsonIAS: Listening for an 3v1l User
CrimsonIAS
Yara Rules
[TLP:WHITE] win_crimsonias_w0 (20210203 | Detects CrimsonIAS which is a Delphi backdoor that spins up a listener and awaits commands from the operator.)
import "pe"

rule win_crimsonias_w0 {
    meta:
        author = "@XOR_Hex"
        description = "Detects CrimsonIAS which is a Delphi backdoor that spins up a listener and awaits commands from the operator."
        date = "2020-09-08"
        reference = ""
        hash = "891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias"
        malpedia_version = "20210203"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $command_marker = { 66 99 66 33 }
        $command_code_1 = { 81 ?? 00 66 00 00 }
        $command_code_2 = { 81 ?? 01 11 00 00 }
        $command_code_response_1 = { 01 66 00 00 }
        $command_code_response_2 = { 02 66 00 00 }
        $delphi = "Embarcadero Delphi"
    condition:
        pe.characteristics & pe.DLL
        and $command_marker
        and all of ($command_code_*)
        and all of ($command_code_response_*)
        and $delphi
}
Download all Yara Rules