Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. [1]

ID: S0115
Associated Software: MSIL/Crimson
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping Crimson contains a module to steal credentials from Web browsers on the victim machine.[1]
Enterprise T1094 Custom Command and Control Protocol Crimson uses a custom TCP protocol for C2.[1]
Enterprise T1025 Data from Removable Media Crimson contains a module to collect data from removable drives.[1]
Enterprise T1114 Email Collection Crimson contains a command to collect and exfiltrate emails from Outlook.[1]
Enterprise T1083 File and Directory Discovery Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[1]
Enterprise T1057 Process Discovery Crimson contains a command to list processes.[1]
Enterprise T1105 Remote File Copy Crimson contains a command to retrieve files from its C2 server.[1]
Enterprise T1113 Screen Capture Crimson contains a command to perform screen captures.[1]
Enterprise T1063 Security Software Discovery Crimson contains a command to collect information about anti-virus software on the victim.[1]
Enterprise T1095 Standard Non-Application Layer Protocol Crimson uses a custom TCP protocol for C2.[1]
Enterprise T1082 System Information Discovery Crimson contains a command to collect the victim PC name and operating system.[1]
Enterprise T1016 System Network Configuration Discovery Crimson contains a command to collect the victim MAC address and LAN IP.[1]

References