Pakistan-linked APT36 accused of using coronavirus to propagate Trojans

Malwarebytes claims Pakistan state-sponsored group is using a fake Indian government advisory to spread remote-access Trojan

Pakistan-linked APT36 is using a supposed coronavirus health advisory from the Indian government in a bid to propagate a remote-access Trojan.

That's according to a report today from security software vendor Malwarebytes, which warns that APT36 is just one of a number of threat groups trying to take advantage of coronavirus hysteria to conduct cyber attacks.

"APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies and the government of India by performing cyber-espionage operations with the intent of collecting sensitive information that supports Pakistani military and diplomatic interests," Malwarebytes' Threat Intelligence Team claims.

It continues: "The group is mainly relying on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email is either a malicious macro document or an RTF file exploiting vulnerabilities, such as CVE-2017-0199.

"In the coronavirus-themed attack, APT36 used a spear phishing email with a link masquerading as the government of India to a malicious document."

The attacks are consistent with tactics previously associated with the group.

"The malicious document has two hidden macros that drop a variant of RAT called Crimson RAT. The malicious [spreadsheet] macro first creates two directories with the names of 'Edlacar' and 'Uahaiws' and then checks the OS type and based on the OS type it decides to pick either 32-bit or 64-bit version of its RAT payload in zip format."
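The dropper behaviour described in that quote (an Office macro creating the two directories and then running a payload from them) can be turned into a simple endpoint detection. The following is an added example, not code from the Malwarebytes report; the event format and the sample events are constructed assumptions, not real telemetry or a real Sysmon schema.

```python
"""Toy detection of the dropper behaviour described above: an Office process
creating the 'Edlacar' / 'Uahaiws' directories, and a process later executing
from inside one of them. Event dictionaries are an assumed, constructed shape."""
import re

# Process images treated as Office hosts for the macro (assumption)
OFFICE_IMAGES = {"excel.exe", "winword.exe"}
# Directory names taken from the report; matched as a whole path component
DROP_DIR_RE = re.compile(r"(?:^|\\)(edlacar|uahaiws)(?:\\|$)", re.IGNORECASE)

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 400, "ppid": 100,
     "image": r"C:\Program Files\Office\EXCEL.EXE"},
    {"type": "FileCreate", "pid": 400,
     "path": r"C:\Users\victim\AppData\Roaming\Edlacar"},
    {"type": "FileCreate", "pid": 400,
     "path": r"C:\Users\victim\AppData\Roaming\Uahaiws\payload.zip"},
    {"type": "ProcessCreate", "pid": 512, "ppid": 400,
     "image": r"C:\Users\victim\AppData\Roaming\Edlacar\svchost.exe"},
    {"type": "ProcessCreate", "pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def basename(path):
    """Return the last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, pid, detail) alerts for the dropper pattern."""
    office_pids = set()
    alerts = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            if basename(ev["image"]) in OFFICE_IMAGES:
                office_pids.add(ev["pid"])
            # Anything executing from one of the drop directories is suspicious
            if DROP_DIR_RE.search(ev["image"]):
                alerts.append(("exec_from_drop_dir", ev["pid"], ev["image"]))
        elif ev["type"] == "FileCreate":
            # An Office process writing into the named directories
            if ev["pid"] in office_pids and DROP_DIR_RE.search(ev["path"]):
                alerts.append(("office_writes_drop_dir", ev["pid"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice the second rule (Office writing the directories) fires before the payload runs, which is the moment a responder would most want to be paged.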

The Crimson RAT has a range of capabilities. It can:

Intriguingly, perhaps, IP addresses for the command and control servers are hardcoded.

"APT36 has used many different malware families in the past, mostly remote administration tools (BreachRAT, DarkComet, Luminosity RAT, or njRAT).

"During past campaigns, they were able to compromise Indian military and government to steal sensitive data including army strategy and training documents, tactical documents, and other official letters. They also were able to steal personal data such as passport scans and personal identification documents, text messages and contact details."

APT36 is just one of a number of state-linked groups looking to take advantage of the crisis. These include China-linked APTs dubbed Vicious Panda and Mustang Panda, the North Korean APT Malwarebytes labels Kimsuky, and Russian groups Hades and TA 542, also known as Emotet.