Crimson

Malware updated 3 months ago (2024-06-18T01:17:38.120Z)
Crimson is malware that has been used in various cyber-espionage campaigns, notably by ProjectM. First observed in 2013, it has been employed continuously in attacks alongside other payloads such as Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crimson, Andromeda and Peppy Trojans, one of which was "sahirlodhi[.]com"; this domain also served as the download location for a sample of the Crimson tool. ProjectM additionally leveraged blogs with Indian themes, such as the India News Tribe (intribune[.]blogspot[.]com), to deliver Crimson payloads.

The most recent and significant use of Crimson malware is in a long-term Chinese state-sponsored cyber-espionage operation dubbed "Crimson Palace". Unearthed by Sophos Managed Detection and Response, this complex operation involved three different threat teams conducting coordinated attacks against a Southeast Asian government agency. The campaign demonstrated a high degree of inter-APT collaboration, involving new malware tools, more than 15 dynamic link library (DLL) sideloading efforts, and novel evasion techniques. Tools and infrastructure associated with known Chinese threat actors, most notably Worok and the APT41 subgroup Earth Longzhi, were found to overlap with those used in Operation Crimson Palace. Sophos attributes the hacking activity in Operation Crimson Palace with high confidence to clusters associated with Chinese state-sponsored activity.

Despite the complexity and sophistication of the operation, it highlights that attribution alone does not necessarily predict an attacker's next moves: as the operation demonstrates, even highly skilled groups may employ completely different techniques in subsequent attacks. The Crimson Palace campaign began the following year, led by a team Sophos refers to as Cluster Alpha.
This discovery underscores the increasing sophistication and coordination among advanced persistent threats (APTs) in their cyber-espionage campaigns.
Description last updated: 2024-06-18T01:16:34.399Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Chinese
Trojan
Exploit
Espionage
State Sponso...
Vulnerability
Associated Threat Actors
ID: Transparent Tribe
Type: Unspecified
Votes: 4
Profile Description: Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has

ID: APT36
Type: Unspecified
Votes: 4
Profile Description: APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor group that has historically targeted government agencies and defense firms in India with cyberattacks aimed at compromising Windows systems and Android devices. The group's activities have been tracked by various cybersecu
Source Document References
Information about the Crimson malware was read from the document corpus below. This display is limited to 20 results.
Source (Created At): Title
DARKReading (3 months ago): Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
InfoSecurity-magazine (3 months ago): Chinese State-Sponsored Operation “Crimson Palace” Revealed
BankInfoSecurity (3 months ago): Chinese South China Sea Cyberespionage Campaign Unearthed
DARKReading (3 months ago): Chinese Threat Clusters Triple-Team High-Profile Asian Government Org
CERT-EU (6 months ago): Search | arXiv e-print repository
CERT-EU (8 months ago): Jim Harbaugh responds to Alabama players not watching film on iPads due to hacking allegations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (8 months ago): Hacking Concerns Rose Bowl Teams | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (10 months ago): NVD - CVE-2023-5719
CERT-EU (10 months ago): SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU (10 months ago): Red Lion Crimson
CISA (10 months ago): Red Lion Crimson | CISA
CERT-EU (a year ago): Hackers Deliver Updated STRRAT Malware Using Weaponized PDF Files
CERT-EU (a year ago): Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry - GIXtools
MITRE (2 years ago): ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
MITRE (2 years ago): Transparent Tribe: Evolution analysis, part 1 | Securelist
CERT-EU (2 years ago): Here is why Siege’s new operator Brava is going to be a game-changer with her hacking drone — SiegeGG | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
InfoSecurity-magazine (a year ago): Pakistan-Aligned Hackers Disrupt Indian Education Sector
BankInfoSecurity (a year ago): APT36 Running Espionage Ops Against India's Education Sector
CERT-EU (a year ago): Pakistan-linked hackers target India’s education sector with Crimson malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU (a year ago): Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting