Another COVID-19 (Coronavirus) phishing campaign has been discovered — this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. APT36 has been active since 2016, and possibly earlier, conducting cyber espionage against Indian defense and government targets.
The first report on the new campaign came in a RedDrip Team (the Chinese security firm QiAnXin Technology) tweet on March 12, 2020: “Malicious document, pretending to be from the Government of #India with health advisory of Coronavirus, seems delivered by #Transparent Tribe (#ProjectM). Victims are lured to enable macro to execute #Crimson #RAT payload.”
Transparent Tribe is an alternative name for APT36. It comes from early research by Proofpoint that described the use of the Crimson RAT in a watering hole attack against Indian embassies in Saudi Arabia and Kazakhstan with links to a Pakistan origin.
Malwarebytes has analyzed the documents used in the latest campaign. It describes a spear-phishing email masquerading as the Indian government linking to a fake coronavirus health advisory as the lure.
The linked document contains two hidden macros that drop Crimson RAT. The first step is to create two directories named ‘Edlacar’ and ‘Uahaiws’, after which the macro checks the OS type. Based on the OS, it selects either a 32-bit or 64-bit version of the RAT and drops it, zipped, into the Uahaiws directory. From there it is unzipped using the ‘UnAldZip’ function, and the extracted payload is written into the Edlacar directory and executed.
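As an added illustration (not code from the Malwarebytes analysis or from this article), the following Python correlator flags the dropper chain just described in a stream of endpoint file and process events: creation of both directory names, a zip written under Uahaiws, an executable then written under Edlacar, and a process launched from it. The `type|path|parent` event format and the sample lines are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample events in an assumed "type|path|parent_process" format.
# They mirror the chain described in the write-up; they are not captured telemetry.
SAMPLE_EVENTS = [
    "mkdir|C:\\Users\\u\\Edlacar|WINWORD.EXE",
    "mkdir|C:\\Users\\u\\Uahaiws|WINWORD.EXE",
    "filewrite|C:\\Users\\u\\Uahaiws\\payload.zip|WINWORD.EXE",   # zipped RAT dropped
    "filewrite|C:\\Users\\u\\Edlacar\\update.exe|WINWORD.EXE",    # unzipped payload
    "procstart|C:\\Users\\u\\Edlacar\\update.exe|WINWORD.EXE",    # payload executed
]

# Benign activity that shares surface features (a zip download) but not the chain.
BENIGN_EVENTS = [
    "filewrite|C:\\Users\\u\\Downloads\\report.zip|chrome.exe",
    "procstart|C:\\Program Files\\7-Zip\\7z.exe|explorer.exe",
]

DIR_RE = re.compile(r"\\(edlacar|uahaiws)$")
ZIP_RE = re.compile(r"\\uahaiws\\[^\\]+\.zip$")
EXE_RE = re.compile(r"\\edlacar\\[^\\]+\.exe$")


def correlate(lines):
    """Score one host's event stream against the staged drop chain.

    Returns (score, parents): score counts the distinct stages observed
    (max 5: two directories, zip in Uahaiws, exe in Edlacar, launch from
    Edlacar), and parents lists the processes responsible. The exe and
    launch stages only count once the preceding stage has been seen, so
    ordering is part of the signal rather than a bag of string matches.
    """
    dirs, seen_zip, seen_exe, seen_run = set(), False, False, False
    parents = set()
    for line in lines:
        etype, path, parent = line.split("|", 2)
        low = path.lower()
        if etype == "mkdir" and DIR_RE.search(low):
            dirs.add(low.rsplit("\\", 1)[1]); parents.add(parent)
        elif etype == "filewrite" and ZIP_RE.search(low):
            seen_zip = True; parents.add(parent)
        elif etype == "filewrite" and seen_zip and EXE_RE.search(low):
            seen_exe = True; parents.add(parent)
        elif etype == "procstart" and seen_exe and EXE_RE.search(low):
            seen_run = True; parents.add(parent)
    score = len(dirs) + seen_zip + seen_exe + seen_run
    return score, sorted(parents)


def is_dropper_chain(lines, threshold=4):
    """True when enough stages line up to treat the host as hit by this chain."""
    return correlate(lines)[0] >= threshold
```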
Crimson RAT, as described by MITRE ATT&CK, can steal credentials from browsers, uses a custom TCP protocol for C2 communication, can collect data from removable drives, can collect and exfiltrate emails from Outlook, can list files and directories and search for specified extensions, can list processes, can fetch files from the C2 server, can collect screen captures, can collect information on any installed anti-malware products, can collect machine and OS information, and can collect the MAC address and LAN IP.
In this instance, says Malwarebytes, “Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username.”
No information about any specific victim targets is given, so nothing is yet publicly known about the extent of this campaign, nor even whether, having been discovered, it has already been suspended.
The use of COVID-19 as a phishing lure is common and not unexpected — but this is no excuse for sensationalizing the situation. There have been numerous media reports about the Chinese nation-state APT Vicious Panda. Even Malwarebytes starts its report on this APT36 phishing campaign with the comment, “According to reports from…, many state-sponsored threat actors have already started to distribute coronavirus lures, including Chinese APTs: Vicious Panda, Mustang Panda…”
But there is no ‘Vicious Panda’. The name comes from Check Point, and is the title of a Check Point report. There is no mention of a Vicious Panda in the report. Indeed, the group is described as ‘unnamed’. It is true that it is described as an ‘APT’, but it is not linked in the report to the Chinese government. It is only thought to be in China.
Part of the argument for Chinese origin comes from the use of the RoyalRoad weaponizer, which has been widely used by Chinese groups. However, in July 2019, Anomali concluded that the author had effectively commoditized the product and was now selling it to non-nation-state criminal gangs.
It may be that when this ‘unnamed’ group becomes easily recognized, it will be called Vicious Panda because of the Check Point report (just as APT36 is also known as Transparent Tribe because of the Proofpoint report). It may be that it is Chinese. It may even be that it is a China state-sponsored group. But to baldly state the campaign described by Check Point was undertaken by a Chinese state-sponsored group known as Vicious Panda is premature and just wrong sensationalism. It highlights the care that must be taken before attribution is asserted.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.