Pakistan Hackers Attack Indian Edu Sectors Using Weaponised Office Documents

SentinelLabs recently discovered a series of malicious Office files spreading the notorious Crimson RAT malware. 

This RAT is notorious for being utilized by the notorious Transparent Tribe group (aka APT36), which has been actively targeting the educational sector in India.

This group has been active since at least 2013 and is suspected to be based in Pakistan. Apart from this, Transparent Tribe is not very sophisticated but highly persistent since it constantly adapts its operational strategy.

SentinelLabs has observed a shift in the focus of Transparent Tribe, which had previously concentrated its attacks on Indian military and government personnel.

However, it has been observed that they have extended their target in recent times to include educational institutions in the Indian subcontinent and students in these establishments.

Among the malware arsenals of the adversary used in the group’s campaigns, Crimson RAT is a consistent staple.

Malicious Documents

Additionally, during the analysis of some Crimson RAT samples, SentinelLabs discovered that the PDB paths contained the word “Wibemax.” While “Wibemax” does match the name of a Pakistani software development company.

But, SentinelLabs researchers has not yet identified a clear relationship between the company and the adversary responsible for the Crimson RAT distribution.

The documents distributed by Transparent Tribe are designed to look like education-related content, with names like:-

• Assignment
• Assignment-no-10

While all these documents also display creation dates from July to August 2022. The malicious Office documents containing the Crimson RAT are suspected to be distributed to their targets through email phishing campaigns.

Threat actors have used several hosting services to host some malicious documents. 

Aside from using hosting services, the operators of this group also created some domains like:-

• s1.fileditch[.]ch
• cloud-drive[.]store
• drive-phone[.]online

Crimson RAT Technical Analysis

Upon analyzing the malicious documents associated with the Crimson RAT, SentinelLabs discovered that the attack methodology involves staging the RAT through the use of:-

• Microsoft Office macros
• OLE embedding 

The macros used in the distribution of the Crimson RAT are designed to create and decompress an embedded archive file in the following directory:-

• %ALLUSERSPROFILE%

While this is typically located at:-

• C:ProgramData

Once this archive file is unpacked, the macros execute the Crimson RAT payload.

There are macros that insert text into the document, which is usually educational-related and relates to India in some cases.

The other technique Transparent Tribe has adopted to stage Crimson RAT in addition to macros is using OLE embedding.

Users must double-click on some aspects of malicious documents that implement this technique.

When Transparent Tribe disseminates its documents, it shows an image as a graphic dubbed “View Document.” 

This graphic indicates that the document’s content is locked and not readily accessible.

By presenting the “View Document” graphic, Transparent Tribe lures unsuspecting users to interact with it by double-clicking. 

However, this action triggers an OLE package that stores and executes the Crimson RAT disguised as a legitimate update process named “MicrosoftUpdate.exe.”

Features of Crimson RAT

Here below, we have mentioned all the key features of Crimson RAT:-

• Exfiltrate system information
• Capture screenshots
• Start processes
• Stop processes
• Enumerate files
• Enumerate drives

Overall, the in-depth analysis of the group’s methods reveals a particular tendency towards using OLE embedding to deploy malware from lure documents. 

Furthermore, the group has adopted the Eazfuscator obfuscator to safeguard their Crimson RAT implementations. This exemplifies their distinct approach toward ensuring the stealthiness and effectiveness of their operations.

Building Your Malware Defense Strategy – Download Free E-Book