Mental health survey drops a Remote Access Trojan

This week the SonicWall Capture Labs Research team came across a malicious document template that delivered a remote access Trojan to unsuspecting victims. It is disguised as a mental health survey and silently drops a RAT in the background.

Infection Cycle:

The file comes as a Microsoft Word template with a .dotm extension. Once opened in Word, it displays a seemingly benign survey on mental health.

It creates a file in the following directory:

  • /ProgramData/C0E2/RingBell.zip     [Detected as: Crimson.RAT]

It then executes the dropped file, which carries out the malicious behaviour.

It spawns the legitimate Windows application fondue.exe to perform system reconnaissance, such as:

  • checking the computer name
  • finding out the system languages
  • checking numerous security settings, where available on the system

No network activity was observed during the analysis; however, the Trojan has a hardcoded C&C server in its strings.
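The chain described above (Word writes a file under ProgramData, that file is executed, and a legitimate system binary is then launched from it) is the kind of sequence an endpoint detection rule can key on. The following is an added example written for this page, not SonicWall's own detection logic: a small Python detector that replays constructed Sysmon-style process-creation and file-creation events and flags each stage. The only page-sourced values are the dropped path RingBell.zip under ProgramData (assumed here to sit on the C: drive) and the fondue.exe name; the event records, the list of Office process names, and the heuristic that fondue.exe is normally started by a parent living in System32 are assumptions made for illustration.

```python
# Added example: replay endpoint events and flag the Office -> ProgramData drop ->
# execution -> system-binary reconnaissance chain described in the write-up.
# Event records below are constructed; they are not captured telemetry.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed list of Office hosts whose child processes and file writes are suspect.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Legitimate Windows binaries that the write-up shows being abused for recon.
LOLBINS = {"fondue.exe"}
SYSTEM32 = "c:/windows/system32/"


@dataclass
class Event:
    kind: str          # "file_create" or "process_create"
    process: str       # image path of the acting process (file_create) or "" (process_create)
    path: str          # created file path, or image path of the new process
    parent: str = ""   # parent image path for process_create events


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for each suspicious stage seen in order."""
    findings: List[Tuple[str, str]] = []
    dropped = set()  # files written by an Office process under ProgramData

    for ev in events:
        if ev.kind == "file_create":
            if basename(ev.process) in OFFICE_PROCESSES and "/programdata/" in norm(ev.path):
                dropped.add(norm(ev.path))
                findings.append(("office_drop", f"{basename(ev.process)} wrote {ev.path}"))

        elif ev.kind == "process_create":
            image, parent = norm(ev.path), basename(ev.parent)
            # Stage 2: the dropped file (or anything under ProgramData with an
            # Office parent) is executed.
            if image in dropped or (parent in OFFICE_PROCESSES and "/programdata/" in image):
                findings.append(("dropped_executed", f"{ev.path} started by {parent}"))
            # Stage 3: a legitimate system binary launched from an unusual parent.
            # Assumed heuristic: its normal parents live in System32.
            if basename(image) in LOLBINS and not norm(ev.parent).startswith(SYSTEM32):
                findings.append(("lolbin_unusual_parent", f"{basename(image)} started by {ev.parent}"))

    return findings


# Constructed sample telemetry mirroring the chain in the write-up, plus benign noise.
SAMPLE_EVENTS = [
    Event("file_create", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\ProgramData\C0E2\RingBell.zip"),
    Event("process_create", "", r"C:\ProgramData\C0E2\RingBell.zip",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("process_create", "", r"C:\Windows\System32\fondue.exe",
          r"C:\ProgramData\C0E2\RingBell.zip"),
    Event("file_create", r"C:\Windows\explorer.exe", r"C:\Users\analyst\Documents\notes.docx"),
    Event("process_create", "", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed events, the detector reports the three stages in order (office_drop, dropped_executed, lolbin_unusual_parent) and stays silent on the explorer.exe and notepad.exe noise. Correlating the file-write with the later execution of the same path is what separates this from a bare "Office spawned a child" rule.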

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.APT (Trojan)
  • GAV: Crimson.RAT (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.