S0115 Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[2][1]
Item | Value |
---|---|
ID | S0115 |
Associated Names | MSIL/Crimson |
Type | MALWARE |
Version | 1.3 |
Created | 31 May 2017 |
Last Modified | 26 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
MSIL/Crimson | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Crimson can use an HTTP GET request to download its final payload.[2] |
enterprise | T1123 | Audio Capture | Crimson can perform audio surveillance using microphones.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Crimson can add Registry run keys for persistence.[2][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Crimson has the ability to execute commands with the COMSPEC environment variable.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Crimson contains a module to steal credentials from Web browsers on the victim machine.[2][1] |
enterprise | T1005 | Data from Local System | Crimson can collect information from a compromised host.[3] |
enterprise | T1025 | Data from Removable Media | Crimson contains a module to collect data from removable drives.[2][1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Crimson can decode its encoded PE file prior to execution.[2] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | Crimson contains a command to collect and exfiltrate emails from Outlook.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | Crimson can exfiltrate stolen information over its C2.[3] |
enterprise | T1083 | File and Directory Discovery | Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[2][1][3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Crimson has the ability to delete files from a compromised host.[2][1][3] |
enterprise | T1105 | Ingress Tool Transfer | Crimson contains a command to retrieve files from its C2 server.[2][1][3] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Crimson can use a module to perform keylogging on compromised hosts.[2][1][3] |
enterprise | T1112 | Modify Registry | Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.[2] |
enterprise | T1095 | Non-Application Layer Protocol | Crimson uses a custom TCP protocol for C2.[2][1] |
enterprise | T1120 | Peripheral Device Discovery | Crimson has the ability to discover pluggable/removable drives to extract files from.[2][1] |
enterprise | T1057 | Process Discovery | Crimson contains a command to list processes.[2][1][3] |
enterprise | T1012 | Query Registry | Crimson can check the Registry for the presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to determine how long it has been installed on a host.[2] |
enterprise | T1091 | Replication Through Removable Media | Crimson can spread across systems by infecting removable media.[1] |
enterprise | T1113 | Screen Capture | Crimson contains a command to perform screen captures.[2][1][3] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Crimson contains a command to collect information about anti-virus software on the victim.[2][1] |
enterprise | T1082 | System Information Discovery | Crimson contains a command to collect the victim PC name, disk drive information, and operating system.[2][1][3] |
enterprise | T1614 | System Location Discovery | Crimson can identify the geographical location of a victim host.[1] |
enterprise | T1016 | System Network Configuration Discovery | Crimson contains a command to collect the victim MAC address and LAN IP.[2][1] |
enterprise | T1033 | System Owner/User Discovery | Crimson can identify the user on a targeted system.[2][1][3] |
enterprise | T1124 | System Time Discovery | Crimson has the ability to determine the date and time on a compromised host.[1] |
enterprise | T1125 | Video Capture | Crimson can capture webcam video on targeted systems.[2][1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Crimson checks that it has been installed on a host for at least 15 days before downloading the final payload.[2] |
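The registry behaviours in the table above (the last_edate installation marker for T1012/T1112, Run-key persistence for T1547.001, and the 15-day delay before the payload download for T1497.003) can be hunted for together in Sysmon registry and network telemetry. The script below is an added example written for this page; it is not ATT&CK tooling or code from any of the referenced reports. It assumes Sysmon-style records with EventID 13 (registry value set) and EventID 3 (network connection), records per-user hives as HKU\<SID>\ rather than HKCU, and treats the data written to last_edate as an opaque string because the page does not document its format. The log lines, image names, SID and destination address are constructed for the example.

```python
import re
from datetime import datetime

# Registry locations named in the technique table (T1012 / T1547.001). Sysmon writes
# per-user hives as HKU\<SID>\..., so the HKCU prefix from the table is not matched
# literally; any hive prefix is accepted.
LAST_EDATE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\last_edate$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
DORMANCY_DAYS = 15  # T1497.003: the final payload is fetched only after 15 days

# Constructed Sysmon-style records (not real telemetry): '|'-separated key=value
# fields. EventID 13 = registry value set, EventID 3 = network connection.
# Image names, SID, destination address and the last_edate data are made up.
SAMPLE_EVENTS = [
    r"UtcTime=2023-01-10 08:02:11|EventID=13|Image=C:\Users\bob\AppData\Roaming\updater.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\last_edate"
    r"|Details=20230110",
    r"UtcTime=2023-01-10 08:02:12|EventID=13|Image=C:\Users\bob\AppData\Roaming\updater.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"
    r"|Details=C:\Users\bob\AppData\Roaming\updater.exe",
    r"UtcTime=2023-01-10 09:00:00|EventID=13|Image=C:\Program Files\Vendor\setup.exe"
    r"|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"
    r"|Details=C:\Program Files\Vendor\tray.exe",
    r"UtcTime=2023-01-26 08:10:33|EventID=3|Image=C:\Users\bob\AppData\Roaming\updater.exe"
    r"|DestinationIp=203.0.113.7|DestinationPort=80",
]


def parse_event(line):
    """Split one record into a dict and parse UtcTime into a datetime."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def registry_findings(events):
    """Flag the last_edate marker and Run values that point into a user profile."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "13":
            continue
        target = ev["TargetObject"]
        if LAST_EDATE_RE.search(target):
            findings.append(("T1012/T1112 last_edate marker", ev["Image"], ev["UtcTime"]))
        elif RUN_VALUE_RE.search(target):
            # Run values are noisy; a user-writable path such as AppData is the
            # subset worth triaging. A vendor installer writing Program Files is skipped.
            if "\\AppData\\" in ev.get("Details", ""):
                findings.append(("T1547.001 Run key -> user-writable path",
                                 ev["Image"], ev["UtcTime"]))
    return findings


def dormant_beacons(events):
    """Correlate a last_edate write with a later outbound connection by the same
    image. An age of DORMANCY_DAYS or more matches the delayed payload download
    (T1497.003 followed by T1071.001). Events are assumed to be in time order."""
    marker_time = {}
    hits = []
    for ev in events:
        if ev.get("EventID") == "13" and LAST_EDATE_RE.search(ev["TargetObject"]):
            marker_time.setdefault(ev["Image"], ev["UtcTime"])
        elif ev.get("EventID") == "3" and ev["Image"] in marker_time:
            age_days = (ev["UtcTime"] - marker_time[ev["Image"]]).days
            if age_days >= DORMANCY_DAYS:
                hits.append((ev["Image"], age_days,
                             ev["DestinationIp"], ev["DestinationPort"]))
    return hits


def hunt(lines):
    """Run both checks over raw log lines; returns (registry findings, beacon hits)."""
    events = [parse_event(line) for line in lines]
    return registry_findings(events), dormant_beacons(events)


if __name__ == "__main__":
    reg, beacons = hunt(SAMPLE_EVENTS)
    for finding in reg:
        print("registry:", *finding)
    for hit in beacons:
        print("dormant beacon:", *hit)
```

On the sample data the script reports the marker write and the AppData Run value from the constructed updater.exe, skips the vendor installer's Run value under Program Files, and reports the 16-day-old image's first outbound connection as a candidate delayed payload fetch. The Run-value filter is a triage heuristic rather than a rule; the last_edate path itself is the high-confidence indicator.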
Groups That Use This Software
ID | Name | References |
---|---|---|
G0134 | Transparent Tribe | [2][3] |
References
1. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
2. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
3. Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.