Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[1][2]
| Name | Description |
|---|---|
| MSIL/Crimson | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Crimson contains a module to collect data from removable drives.[1][2] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Crimson contains a module to steal credentials from Web browsers on the victim machine.[1][2] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1112 | Modify Registry | Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Crimson can decode its encoded PE file prior to execution.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Crimson has the ability to execute commands with the COMSPEC environment variable.[2] |
| Enterprise | T1120 | Peripheral Device Discovery | Crimson has the ability to discover pluggable/removable drives to extract files from.[1][2] |
| Enterprise | T1113 | Screen Capture | Crimson contains a command to perform screen captures.[1][2][3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Crimson can use an HTTP GET request to download its final payload.[1] |
| Enterprise | T1083 | File and Directory Discovery | Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[1][2][3] |
| Enterprise | T1012 | Query Registry | Crimson can check the Registry for the presence of |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Crimson contains a command to collect and exfiltrate emails from Outlook.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Crimson has the ability to delete files from a compromised host.[1][2][3] |
| Enterprise | T1614 | System Location Discovery | Crimson can identify the geographical location of a victim host.[2] |
| Enterprise | T1082 | System Information Discovery | Crimson contains a command to collect the victim PC name, disk drive information, and operating system.[1][2][3] |
| Enterprise | T1033 | System Owner/User Discovery | Crimson can identify the user on a targeted system.[1][2][3] |
| Enterprise | T1124 | System Time Discovery | Crimson has the ability to determine the date and time on a compromised host.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Crimson contains a command to collect the victim MAC address and LAN IP.[1][2] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Crimson can check whether it has been installed on a host for at least 15 days before downloading the final payload.[1] |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Crimson contains a command to collect information about anti-virus software on the victim.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Crimson contains a command to retrieve files from its C2 server.[1][2][3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Crimson can use a module to perform keylogging on compromised hosts.[1][2][3] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1091 | Replication Through Removable Media | Crimson can spread across systems by infecting removable media.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1123 | Audio Capture | Crimson can perform audio surveillance using microphones.[2] |
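The three Registry-related rows above (T1112, T1012 and T1497.003) describe one mechanism: the implant writes an install-date marker, reads it back on later runs, and only fetches the final payload once the marker is at least 15 days old, which defeats short sandbox detonations. The following Python is an added illustration of that staging logic and of the analyst's counter-move, not code from Crimson or from the cited reports. The value name `InstallDate`, the ISO date format and the dictionary standing in for the Registry are assumptions; the real key and encoding Crimson uses are not given on this page.

```python
"""Illustration (not Crimson's code) of an install-age gate: write a date
marker once, read it back on every run, and release the next stage only
after DORMANCY_DAYS. Also shows how a sandbox analyst backdates the marker
to force the download during a short detonation."""

from datetime import date, timedelta
from typing import Optional

# Hypothetical value name and format; the page does not give Crimson's.
INSTALL_MARKER = "InstallDate"
DORMANCY_DAYS = 15  # the threshold stated in the T1497.003 row


def record_install(registry: dict, today: date) -> None:
    """First run only: persist the install date (the T1112 write).
    Later runs leave the existing marker untouched."""
    registry.setdefault(INSTALL_MARKER, today.isoformat())


def days_installed(registry: dict, today: date) -> Optional[int]:
    """Read the marker back (the T1012 query); None if it was never written."""
    raw = registry.get(INSTALL_MARKER)
    if raw is None:
        return None
    return (today - date.fromisoformat(raw)).days


def should_fetch_payload(registry: dict, today: date) -> bool:
    """Gate the final-stage download (T1071.001 in the table) on host age."""
    age = days_installed(registry, today)
    return age is not None and age >= DORMANCY_DAYS


def backdate_marker(registry: dict, today: date, days: int) -> None:
    """Analyst counter-move: rewrite the marker so the implant believes it
    has already been resident for `days` days."""
    registry[INSTALL_MARKER] = (today - timedelta(days=days)).isoformat()


def detonate(days_observed: list, backdate_to: Optional[int] = None) -> list:
    """Simulate running the sample on each day offset in `days_observed`
    (constructed input, day 0 = 2024-01-01) and return, per run, whether the
    gate would open. If `backdate_to` is set, the analyst tampers with the
    marker right after the first run."""
    registry = {}
    t0 = date(2024, 1, 1)
    decisions = []
    for i, offset in enumerate(days_observed):
        now = t0 + timedelta(days=offset)
        record_install(registry, now)
        if i == 0 and backdate_to is not None:
            backdate_marker(registry, now, backdate_to)
        decisions.append(should_fetch_payload(registry, now))
    return decisions


if __name__ == "__main__":
    # A typical few-minute sandbox run sits at offset 0 and sees nothing.
    print(detonate([0, 1, 14, 15, 30]))      # [False, False, False, True, True]
    print(detonate([0, 1], backdate_to=15))  # [True, True]
```

The practical point for analysis is the last call: rather than waiting out the dormancy window, rewrite the stored marker (or advance the guest clock) before re-running the sample so the second-stage download happens inside the sandbox and the payload can be captured. On the detection side, a date-valued Registry write from a freshly dropped binary, followed weeks later by an HTTP GET from the same process, is the host-level trace this mechanism leaves.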
| ID | Name | References |
|---|---|---|
| G0134 | Transparent Tribe | |