Crimson
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| MSIL/Crimson | (Citation: Proofpoint Operation Transparent Tribe March 2016) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Crimson can use a HTTP GET request to download its final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Crimson can add Registry run keys for persistence.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Crimson has the ability to execute commands with the COMSPEC environment variable.(Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Crimson contains a module to steal credentials from Web browsers on the victim machine.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Crimson contains a command to collect and exfiltrate emails from Outlook.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Crimson has the ability to delete files from a compromised host.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Crimson can use a module to perform keylogging on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Crimson contains a command to collect information about anti-virus software on the victim.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0134 | Transparent Tribe |
(Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
|
(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
||
References
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.