
Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. [1]

ID: S0115
Associated Software: MSIL/Crimson
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1003 | Credential Dumping | Crimson contains a module to steal credentials from Web browsers on the victim machine. [1] |
| Enterprise | T1094 | Custom Command and Control Protocol | Crimson uses a custom TCP protocol for C2. [1] |
| Enterprise | T1025 | Data from Removable Media | Crimson contains a module to collect data from removable drives. [1] |
| Enterprise | T1114 | Email Collection | Crimson contains a command to collect and exfiltrate emails from Outlook. [1] |
| Enterprise | T1083 | File and Directory Discovery | Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list. [1] |
| Enterprise | T1057 | Process Discovery | Crimson contains a command to list processes. [1] |
| Enterprise | T1105 | Remote File Copy | Crimson contains a command to retrieve files from its C2 server. [1] |
| Enterprise | T1113 | Screen Capture | Crimson contains a command to perform screen captures. [1] |
| Enterprise | T1063 | Security Software Discovery | Crimson contains a command to collect information about anti-virus software on the victim. [1] |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | Crimson uses a custom TCP protocol for C2. [1] |
| Enterprise | T1082 | System Information Discovery | Crimson contains a command to collect the victim PC name and operating system. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Crimson contains a command to collect the victim MAC address and LAN IP. [1] |
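
An added example, not part of the ATT&CK page or of the cited report: a small Python correlator that treats the technique list above as a behavioural profile and flags a process image only when several of those behaviours cluster on it. The indicator values (browser credential store filenames, discovery utilities, the common-port allowlist) and the sample telemetry are constructed assumptions for illustration. They are generic to the technique IDs, not Crimson indicators; the page gives no detail of how Crimson implements any of these actions, so nothing here should be read as a signature for this family.

```python
"""Correlate endpoint telemetry against the technique profile listed above.

Added example, not ATT&CK or vendor code. Indicator sets below are generic
assumptions for each technique ID, not Crimson-specific IOCs, and the sample
events are constructed.
"""
import re
from collections import defaultdict

# Assumed indicators per technique (representative, not from the Crimson report).
BROWSER_CRED_STORES = re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)  # T1003
OUTLOOK_STORES = re.compile(r"\.(pst|ost)$", re.I)                                 # T1114
PROCESS_LISTING = ("tasklist", "get-process", "wmic process")                      # T1057
SYSINFO_TOOLS = ("systeminfo", "hostname")                                          # T1082
NETCONF_TOOLS = ("ipconfig", "getmac", "arp ")                                      # T1016
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 8080}                           # T1095/T1094


def classify(ev):
    """Map one event to the set of technique IDs (from the table above) it matches.

    Event schema (assumed): 'type' is file_read | process_create | network_connect;
    'image' is the acting process. For process_create, 'image' is the PARENT that
    spawned the tool and 'command_line' is the child's command line, so the hit is
    attributed to the binary doing the discovery rather than to tasklist.exe itself.
    """
    hits = set()
    kind = ev["type"]
    if kind == "file_read":
        if BROWSER_CRED_STORES.search(ev["path"]):
            hits.add("T1003")
        if OUTLOOK_STORES.search(ev["path"]):
            hits.add("T1114")
        if ev.get("drive_type") == "removable":
            hits.add("T1025")
    elif kind == "process_create":
        cmd = ev["command_line"].lower()
        if any(tool in cmd for tool in PROCESS_LISTING):
            hits.add("T1057")
        if any(tool in cmd for tool in SYSINFO_TOOLS):
            hits.add("T1082")
        if any(tool in cmd for tool in NETCONF_TOOLS):
            hits.add("T1016")
    elif kind == "network_connect":
        # Raw TCP to an uncommon port is the only observable the page gives for
        # the custom C2 protocol; alone it is noise, hence the clustering below.
        if ev["proto"] == "tcp" and ev["dst_port"] not in COMMON_PORTS:
            hits.add("T1095")
    return hits


def correlate(events, threshold=3):
    """Return {image: sorted technique IDs} for images with >= threshold distinct hits.

    One technique from one binary (a browser reading its own password store, a
    client on an odd port) is expected; several of the profiled behaviours from
    the same binary is what makes the ATT&CK profile actionable.
    """
    per_image = defaultdict(set)
    for ev in events:
        per_image[ev["image"]] |= classify(ev)
    return {img: sorted(t) for img, t in per_image.items() if len(t) >= threshold}


# Constructed sample telemetry (assumed paths and names, not real observations).
SUSPECT = r"C:\Users\alice\AppData\Roaming\unknown.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "file_read", "image": SUSPECT,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": SUSPECT, "path": r"E:\docs\report.docx",
     "drive_type": "removable"},
    {"type": "process_create", "image": SUSPECT, "command_line": "tasklist.exe /v"},
    {"type": "process_create", "image": SUSPECT, "command_line": "ipconfig.exe /all"},
    {"type": "network_connect", "image": SUSPECT, "proto": "tcp", "dst_port": 5000},
    # Benign noise: a browser reading its own store, a browser on 443.
    {"type": "file_read", "image": FIREFOX,
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"},
    {"type": "network_connect", "image": CHROME, "proto": "tcp", "dst_port": 443},
]

if __name__ == "__main__":
    for image, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(techniques)}")
```

Run stand-alone it reports only the suspect image with five of the profiled techniques; the browser that legitimately touches its own credential store scores a single hit and stays below the threshold. Tune the threshold and indicator sets to your own telemetry rather than treating the constructed values as a rule.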

References