Trojan:MSIL/CrimsonRAT.B

The Trojan:MSIL/CrimsonRAT.B infection process initiates with a spear-phishing email carrying a weaponized attachment. These attachments are engineered to evade initial detection, appearing as password-protected archives (RAR, IMG, VHDX) or Microsoft Office documents that prompt the user to allow malicious macros. Disguised lures often mimic legitimate documents like job resumes, official policy updates, or invitations. Once the user activates macros or extracts and runs the contained binary, the CrimsonRAT deployment sequence begins. It first performs a check to identify the device’s status. Based on this, it drops a corresponding payload file with a procedurally generated, obfuscated name, such as railthnsrqn.exe for 32-bit systems or othvidtiraw.exe for 64-bit systems, into a system directory like C:\ProgramData. A known sample has been identified with the SHA-256 hash d40b8c55edf7d7f118650135ee37080e8e296e635af5481e1a2850088524196c. 

To ensure it survives a Windows reboot, the Trojan modifies the Windows Registry to establish persistence. It creates or alters an autorun key within the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path, linking it to the path of the dropped binary. For command and control (C2) communication, CrimsonRAT uses a custom TCP-based protocol, connecting to hardcoded IP addresses over non-standard ports to blend in with normal traffic; observed C2 servers include 167[.]160.166[.]177 on port 3368 and 181[.]215.47[.]169 on port 5434. Secondary payloads or updates are retrieved from compromised or threat actor-controlled websites, with observed URLs including https://zoneflare[.]com/C2L!Dem0&PeN/A@llPack3Ts/Cert[.]php and https://kavach-app[.]in/auth/ver4[.]mp3. 

Once the connection to the C2 server is established, the threat actor can issue a variety of commands for surveillance and data theft. These commands include cscreen to capture and exfiltrate screenshots, keylog to initiate keystroke logging, and getavs to list running antivirus processes for evasion planning. The RAT can also search for and steal files by extension using the searchfiles command, list all available drives with the drives command, and propagate itself by infecting removable USB drives. To avoid analysis, it employs several evasion techniques: it delays its main malicious payload by days or weeks, uses obfuscated code strings, and sometimes drops a benign decoy file (like a clean PDF resume) to distract the user while malicious activity occurs in the background. 

CrimsonRat functionality extends to comprehensive device reconnaissance and credential harvesting. Before running specific theft commands, it often performs an initial survey, collecting detailed device information such as the computer name, OS version, installed security software, and username. This data is sent back to the C2 server, allowing the threat actors to tailor their next steps. Furthermore, the RAT includes modules designed to extract saved credentials from popular web browsers and to enumerate files on network shares, expanding its reach beyond the initially compromised host. Its modular .NET architecture also suggests the capability for runtime updates, where threat actors can dynamically push additional plugins, such as audio recording or webcam capture modules to the infected device based on the perceived value of the target.