Another COVID-19 (Coronavirus) phishing campaign has been discovered — this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. APT36 has been active since 2016, and possibly earlier, performing cyber espionage activity against Indian defense and government activities.
The first report on the new campaign came in a RedDrip Team (the Chinese security firm QiAnXin Technology) tweet on March 12, 2020: “Malicious document, pretending to be from the Government of #India with health advisory of Coronavirus, seems delivered by #Transparent Tribe (#ProjectM). Victims are lured to enable macro to execute #Crimson #RAT payload.”
Transparent Tribe is an alternative name for APT36. It comes from early research by Proofpoint that described the use of the Crimson RAT in a watering hole attack against Indian embassies in Saudi Arabia and Kazakhstan with links to a Pakistan origin.
Malwarebytes has analyzed the documents used in the latest campaign. It describes a spear-phishing email masquerading as the Indian government linking to a fake coronavirus health advisory as the lure.
The linked document contains two hidden macros that drop Crimson RAT. The first step is to create two directories named ‘Edlacar’ and ‘Uahaiws’; the macro then checks the OS type. Based on the OS, it chooses either a 32-bit or 64-bit version of the RAT and drops it, zipped, into the Uahaiws directory. From there it is unzipped using the ‘UnAldZip’ function, and the payload is dropped into the Edlacar directory and executed.
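The staging sequence above (two directories created, an archive dropped in one, an executable launched from the other) gives a defender a pattern to look for in endpoint telemetry. The following is an added example, not code from the article or from Malwarebytes: it walks constructed file and process events and raises an alert only when both directory names are seen on a host and a process is later started from the Edlacar directory. The event tuple format, host names and file names are assumptions for illustration.

```python
"""Flag the Crimson RAT staging pattern in constructed endpoint events.

Assumptions (not from the article): events are (timestamp, host, event_type,
path) tuples; only the two directory names come from the published analysis.
"""
from collections import defaultdict

STAGING_DIRS = {"edlacar", "uahaiws"}  # directory names quoted in the analysis

# Constructed sample telemetry, not real logs: ws-01 shows the full
# create-dirs -> drop zip -> execute-from-Edlacar sequence, ws-02 does not.
SAMPLE_EVENTS = [
    ("10:00:01", "ws-01", "DirCreate",    r"C:\Users\a\AppData\Roaming\Edlacar"),
    ("10:00:01", "ws-01", "DirCreate",    r"C:\Users\a\AppData\Roaming\Uahaiws"),
    ("10:00:02", "ws-01", "FileWrite",    r"C:\Users\a\AppData\Roaming\Uahaiws\payload.zip"),
    ("10:00:03", "ws-01", "FileWrite",    r"C:\Users\a\AppData\Roaming\Edlacar\payload.exe"),
    ("10:00:04", "ws-01", "ProcessStart", r"C:\Users\a\AppData\Roaming\Edlacar\payload.exe"),
    ("10:05:00", "ws-02", "DirCreate",    r"C:\Users\b\Documents\Edlacar"),  # one dir only
    ("10:05:10", "ws-02", "ProcessStart", r"C:\Windows\System32\notepad.exe"),
]


def _last_component(path):
    """Final path element, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _parent_dir_name(path):
    """Name of the directory that directly contains `path`, lower-cased."""
    parts = path.replace("/", "\\").rstrip("\\").split("\\")
    return parts[-2].lower() if len(parts) >= 2 else ""


def detect_staging(events):
    """Return (host, image_path) alerts for hosts where both staging
    directories were created and a process later launched from Edlacar."""
    seen_dirs = defaultdict(set)  # host -> staging directory names created
    alerts = []
    for _ts, host, etype, path in events:
        if etype == "DirCreate" and _last_component(path) in STAGING_DIRS:
            seen_dirs[host].add(_last_component(path))
        elif (etype == "ProcessStart"
              and _parent_dir_name(path) == "edlacar"
              and seen_dirs[host] == STAGING_DIRS):
            alerts.append((host, path))
    return alerts


if __name__ == "__main__":
    for host, image in detect_staging(SAMPLE_EVENTS):
        print(f"ALERT {host}: process launched from staging dir: {image}")
```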
Crimson RAT, as described by MITRE ATT&CK, can steal credentials from browsers, uses a custom TCP protocol for C2 communication, can collect data from removable drives, can collect and exfiltrate emails from Outlook, can list files and directories and search for specified extensions, can list processes, can fetch files from the C2 server, can collect screen captures, can collect information on any installed anti-malware products, can collect machine and OS information, and can collect the MAC address and LAN IP.
In this instance, says Malwarebytes, “Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username.”
No information about any specific victim targets is given, so nothing is yet publicly known about the extent of this campaign, nor even whether, having been discovered, it has already been suspended.
The use of COVID-19 as a phishing lure is common and not unexpected — but this is no excuse for sensationalizing the situation. There have been numerous media reports about the Chinese nation-state APT Vicious Panda. Even Malwarebytes starts its report on this APT36 phishing campaign with the comment, “According to reports from…, many state-sponsored threat actors have already started to distribute coronavirus lures, including Chinese APTs: Vicious Panda, Mustang Panda…”
But there is no ‘Vicious Panda’. The name comes from Check Point, and is the title of a Check Point report. There is no mention of a Vicious Panda in the report. Indeed, the group is described as ‘unnamed’. It is true that it is described as an ‘APT’, but it is not linked in the report to the Chinese government. It is only thought to be in China.
Part of the argument for Chinese origin comes from the use of the RoyalRoad weaponizer, which has been widely used by Chinese groups. However, in July 2019, Anomali concluded that the author had effectively commoditized the product and was now selling it to non-nation-state criminal gangs.
It may be that when this ‘unnamed’ group becomes easily recognized, it will be called Vicious Panda because of the Check Point report (just as APT36 is also known as Transparent Tribe because of the Proofpoint report). It may be that it is Chinese. It may even be that it is a China state-sponsored group. But to baldly state the campaign described by Check Point was undertaken by a Chinese state-sponsored group known as Vicious Panda is premature and just wrong sensationalism. It highlights the care that must be taken before attribution is asserted.