FireEye tracks a threat actor named APT36, also known as Lapis, a Pakistan-based cyber-espionage group that supports Pakistani military and diplomatic interests by targeting the Indian military and government with malware named SeedDoor. A similar group has been tracked by Crowdstrike under the name MYTHIC LEOPARD since 2016. Crimson RAT, however, was previously used by the Pakistani threat actor Transparent Tribe. Recently, a revival of Crimson RAT campaigns has been detected. The attackers use phishing emails to deliver malicious files: Microsoft Office Excel documents that leverage the CVE-2017-0199 vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.
The attack flow is given below:
The current description for this vulnerability by the National Vulnerability Database is:
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.”
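The structural trait that separates the CVE-2017-0199 lures described above from ordinary spreadsheets is an OLE object relationship whose target lies outside the document package, so Office fetches it when the file is opened. The scanner below is an added example written for this page (it is not code from FireEye, Crowdstrike or the campaign write-up) and checks every `.rels` part of an OOXML zip for an `oleObject` relationship with `TargetMode="External"`. The relationship namespace and type URIs are the standard Open Packaging Conventions values; `build_sample_package` and the `example.invalid` placeholder URL are constructed test fixtures, not real documents. Legacy binary `.xls`/`.doc` files and the RTF variant of the exploit are not zip packages and are deliberately reported as `not-ooxml` rather than scanned.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OPC namespace for package relationship parts (*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_SUFFIX = "/oleObject"


def find_external_ole_links(doc_bytes):
    """Return (rels_part, rel_id, target) for every oleObject relationship
    whose TargetMode is External.

    A benign embedded object points at a part stored inside the package
    (TargetMode absent or Internal). The CVE-2017-0199 documents instead
    point the object at a remote location, so an external oleObject
    relationship is the indicator a mail gateway or sandbox pre-filter
    can key on. Raises zipfile.BadZipFile for non-zip input.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed rels part is not by itself a verdict
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                mode = rel.get("TargetMode", "Internal")
                if rel_type.endswith(OLE_REL_SUFFIX) and mode == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def triage(doc_bytes):
    """One-word verdict: 'suspicious', 'clean' or 'not-ooxml'."""
    try:
        hits = find_external_ole_links(doc_bytes)
    except zipfile.BadZipFile:
        return "not-ooxml"
    return "suspicious" if hits else "clean"


def build_sample_package(external_target=None):
    """Constructed fixture, not a real workbook: a minimal zip carrying the
    rels parts a spreadsheet would have. With external_target=None the
    object relationship is internal (benign); otherwise it is external."""
    ole_type = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
    if external_target is None:
        ole_rel = (f'<Relationship Id="rId2" Type="{ole_type}" '
                   'Target="../embeddings/oleObject1.bin"/>')
    else:
        ole_rel = (f'<Relationship Id="rId2" Type="{ole_type}" '
                   f'Target="{external_target}" TargetMode="External"/>')
    sheet_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                  f'<Relationships xmlns="{REL_NS}">'
                  '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
                  '/officeDocument/2006/relationships/drawing" '
                  'Target="../drawings/drawing1.xml"/>'
                  f'{ole_rel}</Relationships>')
    root_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                 f'<Relationships xmlns="{REL_NS}">'
                 '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
                 '/officeDocument/2006/relationships/officeDocument" '
                 'Target="xl/workbook.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_package()
    lure = build_sample_package("http://example.invalid/placeholder")  # placeholder
    print(triage(benign), find_external_ole_links(benign))
    print(triage(lure), find_external_ole_links(lure))
```

In production the verdict would feed a quarantine or detonation queue rather than a print; the part name and target in each finding are what an analyst wants in the alert, since the target host is the first pivot for network-level blocking.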