Mental health survey drops a Remote Access Trojan

This week the Sonicwall Capture Labs Research team has come across a malicious document template which delivered a remote access Trojan to unsuspecting victims. It guises as a mental health survey which silently drops a RAT in the background.

Infection Cycle:

The file comes as a Microsoft Word template file with a dotm extension. Once opened in word it displays a seemingly benign survey on mental health.

It creates a file in the following directory:

• /ProgramData/C0E2/RingBell.zip     [Detected as: Crimson.RAT]

It then executes the aforementioned file which performed malicious behaviors.

It spawns a legitimate application fondue.exe to perform the system reconnaissance.

Such as checking the computer name –

And finding out system languages –

And checks for numerous security settings if available in the system.

There was no network activity observed during the analysis however the Trojan has a hardcoded C&C server its strings.

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Malagent.APT (Trojan)
• GAV: Crimson.RAT (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.