The Mustang Panda threat group mainly targets non-governmental organizations in Asia-Pacific countries and frequently relies on shared malware such as Poison Ivy, PlugX, and Cobalt Strike payloads to gather intelligence. PlugX is a remote access tool (RAT) built around modular plug-ins and has been used by multiple threat groups.
CrimsonIAS is a backdoor written in the Delphi programming language. It can upload and download files and execute commands. Although its functionality is relatively simple, it meets the basic requirements of a RAT and can be extended further. Unlike conventional RATs, CrimsonRAT does not actively beacon out to its controller; instead it waits for the control server to connect to it. Based on our analysis, we believe CrimsonIAS is aimed at:
1. Hosts that expose a publicly reachable service.
2. Hosts on a local network where the attacker has already placed internal-network penetration components.
The program itself is a standard Win32 DLL.
Inspecting the DLL's export table shows characteristics of reflective loading.
The DLL cannot be triggered by loading it normally or by calling its exported functions. Our analysis shows that CrimsonIAS uses the same reflective-loading section as the Cobalt Strike Beacon: executable code is embedded immediately after the MZ signature of the PE file, the normal execution flow is hijacked, and control jumps to the reflective loader function. As a result, the program is invoked exactly like shellcode.
The overall loading and execution flow of CrimsonIAS is therefore as follows:
Once the shellcode is loaded correctly, it launches netsh.exe to open a port on the local machine for a bind listener (port 80 in this sample). (T1562.004: Impair Defenses: Disable or Modify System Firewall)
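Because the implant waits for inbound connections rather than beaconing out, the netsh.exe firewall change is a useful detection point. The following is an added example, not code from the original report: it runs over constructed Sysmon-style process-creation records (the field layout, parent processes and ports are assumptions) and flags netsh invocations that allow an inbound port, in both the modern advfirewall syntax and the legacy "netsh firewall" syntax.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry).
# Each record is a set of "key=value" fields separated by "|".
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Windows\\System32\\rundll32.exe|"
    "CommandLine=netsh advfirewall firewall add rule name=\"Core Networking\" "
    "dir=in action=allow protocol=TCP localport=80",
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=netsh interface ip show config",
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Program Files\\app\\svc.exe|"
    "CommandLine=netsh firewall add portopening TCP 8080 svc",
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|"
    "CommandLine=svchost.exe -k netsvcs",
]

# Modern syntax: "advfirewall firewall add rule ... dir=in action=allow ... localport=N".
# The lookaheads make dir=in and action=allow mandatory regardless of argument order.
ADVFIREWALL_RE = re.compile(
    r"advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)"
    r".*\blocalport=(\d+)", re.IGNORECASE)
# Legacy syntax: "firewall add portopening TCP|UDP N name".
LEGACY_RE = re.compile(
    r"\bfirewall\s+add\s+portopening\s+(?:TCP|UDP)\s+(\d+)", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (first '=' only)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect_netsh_port_open(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per netsh.exe run that allows an inbound port.

    Each finding records the port, the parent process (useful context for a
    bind listener opened by an injected DLL) and the ATT&CK technique id.
    """
    findings = []
    for line in events:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("\\netsh.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        match = ADVFIREWALL_RE.search(cmd) or LEGACY_RE.search(cmd)
        if match:
            findings.append({"port": match.group(1),
                             "parent": ev.get("ParentImage", ""),
                             "technique": "T1562.004"})
    return findings
```

Pair the rule with a check that the host actually starts listening on the allowed port afterwards; a non-server host that opens an inbound port and then accepts a connection is the behaviour described above.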
Analysis shows that the first 24 bytes of each transmission form the command-and-control header. The details are as follows:
CrimsonIAS Command Protocol
The actual protocol payload begins at offset 0x18 (byte 24), immediately after the header.