A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT.
The functionalities of the Crimson RAT include stealing credentials from victims’ browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories on victim machines. The use of such data exfiltration capabilities is common for APT36 (also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis), which has been active since 2016.
“APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India,” said researchers with Malwarebytes in a Monday analysis. “APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests.”