Crimson
Crimson, also referred to as MSIL/Crimson, is a modular .NET remote access Trojan/downloader family associated with Transparent Tribe activity and documented in Proofpoint’s Operation Transparent Tribe reporting. The malware has been used in campaigns targeting Indian diplomatic and military personnel and resources, including spearphishing emails, malicious websites, and weaponized documents exploiting CVE-2012-0158; reporting also notes VBA/VBS-based lure documents used to install Crimson. In the described infection chain, an initial downloader is dropped and then retrieves the more fully featured RAT component, including observed communications to 213.136.87[.]122:10001 and related infrastructure such as 193.37.152[.]28:9990 in one campaign cluster. Crimson supports espionage-oriented collection and surveillance functions including identifying the user on a targeted system, determining the victim’s geographical location, collecting date/time information, capturing screenshots, webcam video, and microphone audio, stealing credentials from web browsers, collecting data from removable/pluggable drives, exfiltrating stolen information over its C2 channel, deleting files, and checking or setting the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to track installation duration and possibly versioning. Additional reported capabilities include Outlook email theft, keylogging, and collection of victim MAC address and LAN IP. Transparent Tribe reporting also places Crimson alongside other tools such as Peppy, njRAT, DarkComet, Luminosity Link RAT, Bezigate, Meterpreter, Andromeda, and Beendoor within related campaigns.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
the attachment was a weaponized RTF document utilizing CVE-2012-0158 to drop an embedded, encoded portable executable (PE)... In multiple lure documents, Type: Exploit, CVE-2012-0158, Embedded Payload. | After successful exploitation and decoding of the embedded payload, a family of malware we refer to as MSIL/Crimson will be executed on the victim’s machine. The first stage in infection is a downloader whose purpose is to download the more fully featured RAT component.
"The actors have access to a sizeable toolset of Trojans that they use in their attack campaigns, including custom developed tools called Crimson and Peppy..." | "...spear-phishing emails with malicious RTF files exploiting CVE-2010-3333 or CVE-2012-0158..."
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
After successful exploitation and decoding of the embedded payload, a family of malware we refer to as MSIL/Crimson will be executed on the victim’s machine. The first stage in infection is a downloader whose purpose is to download the more fully featured RAT component.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Reconnaissance
Initial Access
2 techniques
Initial Access
Proofpoint researchers discovered a malicious blogspot.com site... set up to lure Indian military officials into becoming infected with MSIL/Crimson, njRAT, and possibly other malicious tools. | Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT).
Execution
4 techniques
Execution
runf Execute command ... Peppy is also capable of accepting commands from its C&C to ... execute a shell command
Document Name: “Call Details Record.xls” ... Type: VBS Macro ... VBS Location: hxxp://afgcloud7[.]com/logs/ssc.mcom
Persistence
2 techniques
Persistence
Privilege Escalation
1 technique
Privilege Escalation
Stealth
3 techniques
Stealth
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Defense Impairment
Credential Access
3 techniques
Credential Access
These modules include keylogging... The keylogger module is a basic keylogger that stores keylogs in a plain text file.
Discovery
8 techniques
Discovery
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The RAT component will then send system information to the C&C... info Send PC info (MAC, PC Name, User, LAN IP, OS, AV, missing modules…)
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection
9 techniques
Collection
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
AppleSeed can find and collect data from removable media devices. APT28 backdoor may collect the entire contents of an inserted USB device. Aria-body has the ability to collect data from USB devices. BADNEWS copies files with certain extensions from USB devices to a predefined directory.
These modules include keylogging... The keylogger module is a basic keylogger that stores keylogs in a plain text file.
Crimson-infected victims may be spied on... recording their screen... cscreen Single screenshot ... scren Capture screen continuously... Beendoor is capable of taking screenshots
email Capable of retrieving email account name, number of emails, and exfiltrate emails from Outlook
The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs... keylogging and exfiltration of files using configurable search parameters begins.
audio... Used to record audio from microphone... stsre Get microphone audio
Command and Control
3 techniques
Command and Control
Crimson utilizes a custom TCP protocol for communicating to C&C... Peppy communicates to its C&C over HTTP.
Crimson utilizes a custom TCP protocol for communicating to C&C.
Examples include: "APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits," "During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads," and multiple malware families "use HTTP GET requests" or similar to download files/payloads.
IOCs tracked for this family
284 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware capable of identifying the geographical location of a victim host.
Software changes: ... Crimson
Remote access trojan that can conduct microphone-based audio surveillance.
Malware installed via malicious VBA macros embedded in lure documents.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.