In the last 3 months, we have noticed increased activity from APT36, a Pakistan-linked Cyber Threat actor. The target this time are personnel belonging to defence organizations & other Government organizations in India.
In the recent wave of attacks, APT36 is using honey trapping technique to lure their targets. The “honey trap” operations use fake profiles of attractive women to entice targets into opening their emails or chatting over messaging platforms, ultimately leading them into downloading malware.
Some of the attachment names that we found in the current themed attack:
When target opens such attachment, it drops MSIL based Crimson RAT which has been used by APT36 in many of their past attacks. This RAT is used for data-stealing activities and sending them to a CnC server.
Operation ‘Honey Trap’
Indian Army has described ‘honey trap’ cases as a weapon of hybrid warfare being waged by the enemy across the borders. The same theme is now being used by APT36 to lure its targets.
This campaign continues to use two separate infection chains. These two infection techniques of APT36 have remained the same in the past couple of years.
In the first chain, a spear-phishing email has a macro loaded document as an attachment. This document is responsible to execute a dropper module that starts the Crimson RAT tool to perform malicious activity.
In the second chain, a spear-phishing email attachment directly contains a dropper module within a zip file. This dropper component opens a decoy document for the victim and runs Crimson RAT tool in the background to perform malicious activity.
The second infection chain is not so successful in organizations as their firewalls usually block ‘EXE’ filetype within an email. This is the main reason, it is targeting personal accounts of individuals related to the Indian Defence sector.
Crimson RAT remains a popular arsenal on APT36 group. We had published details of another APT36 attack last month; working of the malware remains the same.
Summarized behaviour of this RAT-
- List processes
- Kill process
- Execute commands
- Drives, files and directory traversal
- Delete files
- Execute files
- Search for file extensions
- Metadata extraction
- Capture Screen:
- Single and Continuous screenshots
- Get Thumbnails, Screen Size
- Data Exfiltration:
- Download from C2
- Upload to C2
Shown here are some functionality implementations in crimson RAT code:
It is a well-established fact, that APT36 targets defence and other critical sector organizations. Usually, their targets are individuals and organizations which are of strategic interest to India’s western neighbour. However, in this campaign, interestingly, some of the targeted entities belong to organizations based in the eastern states in India! In last one year, this is the second instance where we saw APT36 targeting organizations of interest to India’s eastern neighbour
IOCs associated to the honeytrap campaign:
Subject matter experts: