
S0115 Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016. [2][1]

ID: S0115
Associated Names: MSIL/Crimson
Type: MALWARE
Version: 1.3
Created: 31 May 2017
Last Modified: 26 March 2023

Associated Software Descriptions

Name: MSIL/Crimson [2]

Techniques Used

Domain: enterprise (all techniques listed below)

T1071 Application Layer Protocol
    T1071.001 Web Protocols: Crimson can use an HTTP GET request to download its final payload. [2]
T1123 Audio Capture: Crimson can perform audio surveillance using microphones. [1]
T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder: Crimson can add Registry run keys for persistence. [2][1]
T1059 Command and Scripting Interpreter
    T1059.003 Windows Command Shell: Crimson has the ability to execute commands with the COMSPEC environment variable. [1]
T1555 Credentials from Password Stores
    T1555.003 Credentials from Web Browsers: Crimson contains a module to steal credentials from web browsers on the victim machine. [2][1]
T1005 Data from Local System: Crimson can collect information from a compromised host. [3]
T1025 Data from Removable Media: Crimson contains a module to collect data from removable drives. [2][1]
T1140 Deobfuscate/Decode Files or Information: Crimson can decode its encoded PE file prior to execution. [2]
T1114 Email Collection
    T1114.001 Local Email Collection: Crimson contains a command to collect and exfiltrate emails from Outlook. [2]
T1041 Exfiltration Over C2 Channel: Crimson can exfiltrate stolen information over its C2 channel. [3]
T1083 File and Directory Discovery: Crimson contains commands to list files and directories, as well as to search for files matching certain extensions from a defined list. [2][1][3]
T1070 Indicator Removal
    T1070.004 File Deletion: Crimson has the ability to delete files from a compromised host. [2][1][3]
T1105 Ingress Tool Transfer: Crimson contains a command to retrieve files from its C2 server. [2][1][3]
T1056 Input Capture
    T1056.001 Keylogging: Crimson can use a module to perform keylogging on compromised hosts. [2][1][3]
T1112 Modify Registry: Crimson can set a Registry key to record how long it has been installed and possibly to indicate the version number. [2]
T1095 Non-Application Layer Protocol: Crimson uses a custom TCP protocol for C2. [2][1]
T1120 Peripheral Device Discovery: Crimson has the ability to discover pluggable/removable drives to extract files from. [2][1]
T1057 Process Discovery: Crimson contains a command to list processes. [2][1][3]
T1012 Query Registry: Crimson can check the Registry for the presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to determine how long it has been installed on a host. [2]
T1091 Replication Through Removable Media: Crimson can spread across systems by infecting removable media. [1]
T1113 Screen Capture: Crimson contains a command to perform screen captures. [2][1][3]
T1518 Software Discovery
    T1518.001 Security Software Discovery: Crimson contains a command to collect information about anti-virus software on the victim. [2][1]
T1082 System Information Discovery: Crimson contains a command to collect the victim PC name, disk drive information, and operating system. [2][1][3]
T1614 System Location Discovery: Crimson can identify the geographical location of a victim host. [1]
T1016 System Network Configuration Discovery: Crimson contains a command to collect the victim MAC address and LAN IP. [2][1]
T1033 System Owner/User Discovery: Crimson can identify the user on a targeted system. [2][1][3]
T1124 System Time Discovery: Crimson has the ability to determine the date and time on a compromised host. [1]
T1125 Video Capture: Crimson can capture webcam video on targeted systems. [2][1]
T1497 Virtualization/Sandbox Evasion
    T1497.003 Time Based Evasion: Crimson can wait until it has been installed on a host for at least 15 days before downloading the final payload. [2]

Groups That Use This Software

G0134 Transparent Tribe [2][3]

References