Crimson
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Crimson contains a module to steal credentials from Web browsers on the victim machine.[1] |
| Enterprise | T1025 | Data from Removable Media |
Crimson contains a module to collect data from removable drives.[1] |
|
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Crimson contains a command to collect and exfiltrate emails from Outlook.[1] |
| Enterprise | T1083 | File and Directory Discovery |
Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
Crimson contains a command to retrieve files from its C2 server.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1113 | Screen Capture | ||
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Crimson contains a command to collect information about anti-virus software on the victim.[1] |
| Enterprise | T1082 | System Information Discovery |
Crimson contains a command to collect the victim PC name and operating system.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Crimson contains a command to collect the victim MAC address and LAN IP.[1] |
|