Crimson RAT was first identified in 2016, when it was used in APT-style attacks against Indian diplomatic and military targets. Since then, threat groups have repeatedly used it in attacks on the financial, health and space sectors.
Crimson RAT Infection Process
The phishing campaign delivered malicious attachments to the targeted organization in two different ways.
In the first case, the malicious email contained a link to a PE (portable executable) file that carried two ZIP files and an embedded decoy document.
When the victim runs this executable, it checks the device's operating system version, reports it to the C2 server, and then downloads the ZIP payload matching the 32-bit or 64-bit version of the system.
In the other case, the phishing email carries a DOC file with an embedded malicious macro. Once the victim enables the macro, the RAT payload is executed and a clean-looking resume/CV decoy document is opened so that nothing appears wrong.
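The macro path described above leaves a characteristic trace on the endpoint: Microsoft Word spawning a process that the document should never need. The following detection logic is an added example, not code from the original article or from any Crimson RAT analysis. It runs over constructed process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine); the file names and paths in the sample events (for example `dlhost.exe`) are made up for illustration and are not real indicators.

```python
"""Flag Office applications spawning a payload, the step that follows a user
enabling a malicious macro. Added example; not the article's own code.

The events below are constructed to resemble Sysmon Event ID 1 records.
The file names and paths are hypothetical, not real Crimson RAT indicators.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents that should rarely launch executables or script hosts directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Living-off-the-land binaries commonly used by macros to stage a payload.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# User-writable locations a macro-dropped executable typically runs from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\users\\public\\", "\\programdata\\")


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    """Return the lowercased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label for a suspicious Office child process, else None."""
    if _basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    child = _basename(ev.image)
    if child in LOLBINS:
        return "office-spawned-lolbin"
    if any(d in ev.image.lower() for d in USER_WRITABLE_DIRS):
        return "office-spawned-exe-from-user-writable-dir"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch of events; return (image, reason) pairs."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev.image, reason))
    return findings


# Constructed sample events (hypothetical paths, no real indicators).
SAMPLE_EVENTS = [
    # Macro drops and runs a payload from %TEMP%: should be flagged.
    ProcessEvent(
        image="C:\\Users\\alice\\AppData\\Local\\Temp\\dlhost.exe",
        parent_image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        command_line="C:\\Users\\alice\\AppData\\Local\\Temp\\dlhost.exe",
    ),
    # Macro stages via cmd.exe: should be flagged.
    ProcessEvent(
        image="C:\\Windows\\System32\\cmd.exe",
        parent_image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        command_line="cmd.exe /c start \"\" %TEMP%\\dlhost.exe",
    ),
    # Legitimate Office update client under Program Files: not flagged.
    ProcessEvent(
        image="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe",
        parent_image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        command_line="OfficeC2RClient.exe /update user",
    ),
    # Executable from %TEMP% but launched by Explorer: out of scope for this rule.
    ProcessEvent(
        image="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        parent_image="C:\\Windows\\explorer.exe",
        command_line="setup.exe",
    ),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

The rule keys on the parent process rather than on the payload's name or hash, so it still fires when the dropped file is renamed or recompiled; the trade-off is that software which legitimately launches helpers from Office (add-ins, updaters) must be allow-listed by path, as the third sample event shows.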
Crimson RAT is capable of collecting sensitive data from the infected system and exfiltrating it over the network to its command-and-control (C2) server.
The RAT then keeps polling the C2 server for commands, carries out the requested actions, and reports the results back to the attacker-controlled C2 server.