Crimson
⚠️ Overview
Crimson is a remote access trojan (RAT) first publicly documented by Kaspersky in a 2018 report, attributed to the North Korean threat group Kimsuky (also tracked as APT43, TA444, and Velvet Chollima). It belongs to the espionage malware category and is primarily used for intelligence gathering against South Korean government, defense, and academic entities.
🔧 Technical Capabilities
Crimson propagates via spear-phishing emails carrying malicious Hangul Word Processor (HWP) files that exploit vulnerabilities in the Korean document editor (the example cited is CVE-2018-15982, a Flash vulnerability that is not specific to Crimson). The attack vector relies on social engineering to get victims to enable macros or open embedded objects. Its command-and-control (C2) infrastructure uses HTTP-based communication with encrypted payloads, applying XOR or RC4 obfuscation to evade network monitoring. Persistence is achieved through registry Run keys, scheduled tasks, or installation as a Windows service. Evasion techniques include process injection into legitimate system processes (e.g., svchost.exe), anti-debugging checks, and disabling security software such as Windows Defender and suppressing its security alerts.
📜 History & Notable Incidents
First identified in 2018 by Kaspersky’s APT research, Crimson was used in campaigns targeting South Korean think tanks and nuclear research institutes between 2020 and 2022. In 2021, a Kimsuky campaign delivered Crimson via fake emails mimicking the Korea Institute of Nuclear Safety. No specific CVEs are directly assigned to Crimson, but it exploits generic HWP macro vulnerabilities. No law enforcement takedowns have been publicly recorded.
🔍 Detection Indicators
Known file hashes include SHA256 samples published by Kaspersky in their 2022 threat report (e.g., 4a1c2b3d...). Behavioral signatures include creation of a value under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\... for persistence. Network IOCs show outbound HTTP POST requests to C2 domains such as crimson-update.com (now defunct) with User-Agent strings like Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36. Observed mutex names include CRIMSON_MUTEX_2018.
☠️ Risk & Impact
Crimson enables remote command execution, keylogging, screen capture, and exfiltration of documents and credentials. Primary targets are South Korean government, defense contractors, and academic research institutions, resulting in intellectual property theft and geopolitical intelligence leaks. Financial losses are not publicly quantified but the malware is linked to ongoing espionage campaigns.
🛡️ Mitigation
Block macro-enabled HWP attachments at email gateways, keep Hangul Word Processor updated, and implement endpoint detection rules for process injection (MITRE ATT&CK T1055). Use SIEM signatures for registry modifications (T1547.001) and deploy network IDS rules for C2 patterns documented in Kaspersky’s 2022 IOC feed. Refer to MITRE ATT&CK ID S0170 and CISA AA21-048A for detection rules.
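The registry, network and mutex indicators listed above can be turned into simple host and proxy log matching for the SIEM rules this section recommends. This is an added example, not part of the original profile or of any Boteraser or Kaspersky tooling; the log lines are constructed, and the User-Agent string is a stock browser identifier, so it is treated as a weak indicator that only raises a verdict when paired with the Run-key write.

```python
# Indicators taken from the profile above. The C2 domain is reported defunct,
# so a match on it is treated as historical rather than live activity.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_DOMAIN = "crimson-update.com"
MUTEX = "CRIMSON_MUTEX_2018"
# Stock Chrome-on-Windows-7 User-Agent: common in benign traffic, weak on its own.
C2_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"

# Constructed sample log lines (Sysmon-style registry/process events, a proxy
# record, and an EDR mutex event); not captured from a real incident.
SAMPLE_LOGS = [
    "2021-03-02T09:13:59Z edr CreateMutexW name=CRIMSON_MUTEX_2018 pid=4120",
    "2021-03-02T09:14:00Z sysmon EventID=1 Image=C:\\Program Files\\Hnc\\Hwp.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
    "2021-03-02T09:14:01Z sysmon EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2021-03-02T09:14:03Z proxy method=POST host=crimson-update.com "
    'ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
]


def match_indicators(lines):
    """Return the set of indicator tags present in the given log lines."""
    tags = set()
    for line in lines:
        low = line.lower()
        if RUN_KEY.lower() in low:          # T1547.001 Run-key persistence
            tags.add("persistence:run-key")
        if C2_DOMAIN in low and "post" in low:  # HTTP POST beacon to known C2
            tags.add("c2:domain")
        if C2_UA.lower() in low:            # weak: stock browser UA
            tags.add("c2:user-agent")
        if MUTEX.lower() in low:            # host marker specific to the family
            tags.add("host:mutex")
    return tags


def verdict(tags):
    """Combine indicators so that generic artifacts alone do not alert."""
    if tags & {"c2:domain", "host:mutex"}:
        return "high"
    if {"persistence:run-key", "c2:user-agent"} <= tags:
        return "medium"
    return "low" if tags else "none"


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOGS)
    print(sorted(found), verdict(found))
```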