Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. [1]

ID: S0115
Associated Software: MSIL/Crimson
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

Crimson contains a module to steal credentials from Web browsers on the victim machine.[1]

Enterprise T1094 Custom Command and Control Protocol

Crimson uses a custom TCP protocol for C2.[1]

Enterprise T1025 Data from Removable Media

Crimson contains a module to collect data from removable drives.[1]

Enterprise T1114 Email Collection

Crimson contains a command to collect and exfiltrate emails from Outlook.[1]

Enterprise T1083 File and Directory Discovery

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[1]

Enterprise T1057 Process Discovery

Crimson contains a command to list processes.[1]

Enterprise T1105 Remote File Copy

Crimson contains a command to retrieve files from its C2 server.[1]

Enterprise T1113 Screen Capture

Crimson contains a command to perform screen captures.[1]

Enterprise T1063 Security Software Discovery

Crimson contains a command to collect information about anti-virus software on the victim.[1]

Enterprise T1095 Standard Non-Application Layer Protocol

Crimson uses a custom TCP protocol for C2.[1]

Enterprise T1082 System Information Discovery

Crimson contains a command to collect the victim PC name and operating system.[1]

Enterprise T1016 System Network Configuration Discovery

Crimson contains a command to collect the victim MAC address and LAN IP.[1]

References