Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. [1]

ID: S0115
Associated Software: MSIL/Crimson

Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1003 | Credential Dumping | Crimson contains a module to steal credentials from Web browsers on the victim machine.[1] |
| Enterprise | T1094 | Custom Command and Control Protocol | Crimson uses a custom TCP protocol for C2.[1] |
| Enterprise | T1025 | Data from Removable Media | Crimson contains a module to collect data from removable drives.[1] |
| Enterprise | T1114 | Email Collection | Crimson contains a command to collect and exfiltrate emails from Outlook.[1] |
| Enterprise | T1083 | File and Directory Discovery | Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[1] |
| Enterprise | T1057 | Process Discovery | Crimson contains a command to list processes.[1] |
| Enterprise | T1105 | Remote File Copy | Crimson contains a command to retrieve files from its C2 server.[1] |
| Enterprise | T1113 | Screen Capture | Crimson contains a command to perform screen captures.[1] |
| Enterprise | T1063 | Security Software Discovery | Crimson contains a command to collect information about anti-virus software on the victim.[1] |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | Crimson uses a custom TCP protocol for C2.[1] |
| Enterprise | T1082 | System Information Discovery | Crimson contains a command to collect the victim PC name and operating system.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Crimson contains a command to collect the victim MAC address and LAN IP.[1] |

References