APT36, also known as Earth Karkaddan, is a cyber-espionage group that has been active since at least 2016. The group is believed to be based in Pakistan and has been linked to the Pakistani military. They are known for their targeted attacks against Indian military and government entities. APT36’s primary goal appears to be the collection of sensitive information that could provide strategic, political, or military advantage to the Pakistani government.
Timeline of Incidents
- 2016: APT36’s activities were first identified. The group was found to be conducting spear-phishing campaigns against Indian military and government targets, using malicious PDF documents as the initial infection vector.
- 2017: The group expanded its operations and began using a custom malware family known as CRIMSON, which is a Remote Access Trojan (RAT). The group was also linked to a campaign that used decoy documents related to the Indian military.
- 2018: APT36 was observed using a new custom tool, known as Peppy, which was used to bypass two-factor authentication. The group also started using malicious Excel macros as part of their spear-phishing campaigns.
- 2019: The group was linked to a campaign that used a decoy document related to the Pulwama terror attack in India. The document was used to deliver the CRIMSON RAT.
- 2020: APT36 was observed using a new spear-phishing technique that involved the use of Coronavirus-themed lures. The group was also linked to a campaign that targeted the Indian government and financial institutions.
- 2021: The group was linked to a campaign that used a decoy document related to the Indian government’s response to the Coronavirus pandemic. The document was used to deliver the CRIMSON RAT.
- 2022: APT36 was observed using a new custom tool, known as the Transparent Tribe, which was used to target Indian military and government entities.
- 2023: The group was linked to a campaign that used a decoy document related to the Indian military. The document was used to deliver the CRIMSON RAT.
Malware Analysis: Crimson RAT
Crimson RAT’s execution process varies from sample to sample. Often the malware executable is embedded directly inside a malicious document, and opening the document drops the trojan onto disk. In other cases the maldoc carries a macro that uses PowerShell to download and launch a Crimson executable. Once running, the trojan attempts to connect to a C2 server and transmits information about the victim’s system together with the list of processes running on it.
Crimson RAT spreads through highly targeted email campaigns. Spear-phishing lures that play on fear of the Covid-19 pandemic trick victims into downloading a Microsoft Office Excel file that allegedly contains information about the outbreak. Once opened, the file either runs malicious macros or exploits a vulnerability such as CVE-2017-0199.
Crimson RAT can exfiltrate files and system data and transfer them over non-web channels to its command-and-control (C&C) server. The RAT is built with the ability to capture the screen and terminate any running process. It downloads additional module payloads from its C&C server to perform keylogging and to steal browser credentials.
The RAT uses a custom protocol for its C&C communications. Each request and response begins with a 5-byte field giving the size of the command or data that follows. The RAT receives commands from the C&C server, performs the requested activity, and sends the results back to the C&C server.
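The length-prefixed framing just described, as an added defender-side example (not code from this page or from any Crimson RAT sample): an incremental splitter that reassembles messages from a captured TCP stream and flags a corrupt size field instead of stalling on it. The page does not say how the 5 bytes encode the size; the 32-bit little-endian integer plus one trailing byte used here is an assumption, isolated in decode_size_le32() so it can be swapped for the layout observed in real traffic, and the sample traffic is constructed.

```python
from typing import Callable, Iterator, List, Tuple

HEADER_LEN = 5                 # per the page: every request/response starts with a 5-byte size
MAX_MSG = 8 * 1024 * 1024      # sanity bound so a corrupt header cannot stall the analyser


def decode_size_le32(header: bytes) -> int:
    """ASSUMED layout: 4-byte little-endian length followed by one byte we ignore."""
    return int.from_bytes(header[:4], "little")


def encode_frame(payload: bytes) -> bytes:
    """Build a frame under the same ASSUMED layout; used only to construct sample traffic."""
    return len(payload).to_bytes(4, "little") + b"\x00" + payload


class FrameSplitter:
    """Incremental parser: feed() bytes as a sniffer hands them over, get back whole frames."""

    def __init__(self, decode_size: Callable[[bytes], int] = decode_size_le32):
        self._buf = bytearray()
        self._decode = decode_size
        self._offset = 0          # stream offset of the first byte held in _buf
        self.errors: List[str] = []

    def feed(self, chunk: bytes) -> Iterator[bytes]:
        self._buf.extend(chunk)
        while len(self._buf) >= HEADER_LEN:
            size = self._decode(bytes(self._buf[:HEADER_LEN]))
            if size < 0 or size > MAX_MSG:
                self.errors.append(f"bad length {size} at stream offset {self._offset}")
                self._offset += len(self._buf)
                self._buf.clear()   # desynchronised: drop the buffer and wait for fresh data
                return
            if len(self._buf) < HEADER_LEN + size:
                return              # payload not complete yet; wait for more bytes
            yield bytes(self._buf[HEADER_LEN:HEADER_LEN + size])
            del self._buf[:HEADER_LEN + size]
            self._offset += HEADER_LEN + size


def split_stream(stream: bytes, chunk_size: int = 7) -> Tuple[List[bytes], List[str]]:
    """Replay a capture in small chunks and return (complete frames, framing errors)."""
    splitter, frames = FrameSplitter(), []
    for i in range(0, len(stream), chunk_size):
        frames.extend(splitter.feed(stream[i:i + chunk_size]))
    return frames, splitter.errors


# Constructed sample traffic: two well-formed frames, then a header claiming ~2 GiB of data.
SAMPLE = (encode_frame(b"PROCLIST") + encode_frame(b"hostname=LAB-PC")
          + b"\xff\xff\xff\x7f\x00junk")

if __name__ == "__main__":
    print(split_stream(SAMPLE))
```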
APT36 primarily targets entities in India, particularly those in the military and government sectors. However, the group has also been observed targeting entities in Afghanistan.
APT36 is believed to be sponsored by the Pakistani government, with a particular focus on gathering intelligence that could provide strategic, political, or military advantage to Pakistan.
Known MITRE ATT&CK TTPs
- Spearphishing Attachment (T1193)
- Drive-by Compromise (T1189)
- Command-Line Interface (T1059)
- Data from Information Repositories (T1213)
- Exploitation for Client Execution (T1203)