The education sector is becoming a target of cyberattacks using Crimson RAT.
According to SentinelOne, the Pakistan-based Transparent Tribe (APT36, Operation C-Major, PROJECTM and Mythic Leopard) is conducting cyber attacks on India's education sector to deploy malware called Crimson RAT.
The .NET-based malware has the following capabilities:
Exfiltrating files and system data to the attacker's command-and-control (C2) server;
Terminating running processes;
Loading and executing additional payloads for keystroke logging (keylogging) and browser credential theft.
As part of the campaign, Transparent Tribe distributes infected Microsoft Office documents that contain educational content and are named "Assignment" or "Assignment #10". The documents use malicious macro code to launch Crimson RAT. In other cases, the group used OLE (Object Linking and Embedding) to embed the malware in the document.
SentinelOne explains that the malicious OLE documents require the user to double-click a document element to unlock the content.
The document prompts the user to double-click an image to view the content; doing so activates the OLE package that stores and executes Crimson RAT under the guise of an update process.
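The two delivery methods described above (VBA macros and embedded OLE packages) both leave visible traces inside the OOXML zip container. The following triage script is an added example, not code from SentinelOne or the article; it uses only the Python standard library, builds its own constructed sample documents, and treats the PE DOS-stub string inside an OLE package as a heuristic hint, not proof, that the package wraps an executable.

```python
import io
import re
import zipfile
from typing import Optional

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # compound file header
PE_STUB = b"This program cannot be run in DOS mode"  # standard PE DOS-stub text
MACRO_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.I)
EMBED_RE = re.compile(r"^(word|xl|ppt)/embeddings/.+$", re.I)


def inspect_ooxml(data: bytes) -> dict:
    """Triage a docx/xlsx/pptx for macro containers and embedded OLE objects."""
    result = {"macros": [], "ole_embeddings": [], "pe_in_embedding": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if MACRO_RE.match(name):
                result["macros"].append(name)
            elif EMBED_RE.match(name):
                blob = zf.read(name)
                result["ole_embeddings"].append(name)
                # An OLE "Package" object is itself a compound file; a PE stub
                # string inside it is a strong hint that it carries an .exe.
                if blob.startswith(OLE_MAGIC) and PE_STUB in blob:
                    result["pe_in_embedding"] = True
    if result["macros"] or result["pe_in_embedding"]:
        result["verdict"] = "suspicious"
    elif result["ole_embeddings"]:
        result["verdict"] = "review"   # embedded object, contents unknown
    else:
        result["verdict"] = "clean"
    return result


def build_sample(embed_payload: Optional[bytes], with_macro: bool = False) -> bytes:
    """Construct a minimal OOXML zip in memory (constructed test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        if embed_payload is not None:
            zf.writestr("word/embeddings/oleObject1.bin", embed_payload)
    return buf.getvalue()


# Constructed samples: a clean document, one with an OLE package wrapping a
# blob that carries a PE DOS stub, and one with a VBA project container.
CLEAN_DOC = build_sample(None)
OLE_EXE_DOC = build_sample(OLE_MAGIC + b"\x00" * 64 + b"MZ" + PE_STUB)
MACRO_DOC = build_sample(None, with_macro=True)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("ole+exe", OLE_EXE_DOC), ("macro", MACRO_DOC)]:
        print(label, inspect_ooxml(doc))
```

A "review" verdict is deliberate: a legitimate embedded spreadsheet also lands in `embeddings/`, so only the macro container or an executable-looking package is escalated automatically.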
It has also been observed that Crimson RAT variants delay their execution for a set period of between 1 and 4 minutes, and that they apply various obfuscation techniques using the Crypto Obfuscator and Eazfuscator tools.
This campaign is not the group's only operation targeting India. Transparent Tribe has previously been linked to an ongoing cyber-espionage campaign that targets Indian and Pakistani Android users through a backdoor called CapraRAT. According to preliminary estimates, about 150 people have become victims. The malware could be downloaded from fake phishing websites, and the app itself imitates WhatsApp in both its interface and its name.