APT36 is targeting India with a Coronavirus-themed campaign that spreads the Crimson RAT for cyber-espionage purposes
The APT36 group is using Coronavirus-themed lures to spread the Crimson RAT; the campaign was spotted by the RedDrip Team security researchers. According to Malwarebytes, since the pandemic became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation and generate mass hysteria, all while compromising victims with scams or malware campaigns. APT36 is believed to be a Pakistani state-sponsored threat actor that mainly targets the defense sector, embassies and the government of India. The group conducts cyber-espionage operations to collect sensitive information from India that supports Pakistani military and diplomatic interests. Active since 2016, it is also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis.
According to the researchers, the Pakistan-based group used a spear-phishing email with a link to a malicious document purporting to come from the government of India to spread the malware
According to the researchers, APT36 relies mainly on spear phishing and watering-hole attacks to gain a foothold on victims. The phishing email delivers either a macro-laden Office document or an RTF file that exploits known vulnerabilities. In the Coronavirus campaign, the group used a spear-phishing email with a link to a malicious document purporting to come from the government of India. The document contains two hidden macros that drop the Crimson RAT. The macro first creates two directories, "Edlacar" and "Uahaiws", and then checks the OS type. Based on the result, it picks either a 32-bit or a 64-bit build of the malware, which is stored in zip format in one of two textboxes of a hidden form. It then writes the zip payload into the Uahaiws directory and unpacks it with the "UnAldizip" function, placing the RAT executable in the Edlacar directory. Finally, it calls the Shell function to execute the payload. Keeping the binary in form textboxes rather than in the macro text itself means that a triage that dumps only the VBA code will not see the actual payload; the form data has to be extracted as well.
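As an added illustration (not part of the original report and not APT36's actual macro), the following Python triage script scores extracted VBA source against the dropper chain just described: directory creation, an OS-architecture branch, a payload pulled from a UserForm textbox, staging on disk (raw write or zip) and a Shell call. The two VBA fragments, the indicator names and the weights are constructed for the example. Feed it macro text you have extracted with a tool such as oletools' olevba, or run it as-is to scan the embedded samples.

```python
import re
import sys

# Constructed VBA fragment (not the real macro) mirroring the dropper chain the
# article describes: create two directories, branch on OS architecture, pull a
# zip from a UserForm textbox, write it to disk, unzip, then Shell the result.
SAMPLE_VBA = r"""
Sub AutoOpen()
    Dim base As String, payload As String
    base = Environ("APPDATA")
    MkDir base & "\Edlacar"
    MkDir base & "\Uahaiws"
    If InStr(Environ("PROCESSOR_ARCHITECTURE"), "64") > 0 Then
        payload = UserForm1.TextBox2.Text   ' 64-bit build
    Else
        payload = UserForm1.TextBox1.Text   ' 32-bit build
    End If
    Open base & "\Uahaiws\w.zip" For Binary As #1
    Put #1, , payload
    Close #1
    UnAldizip base & "\Uahaiws\w.zip", base & "\Edlacar"
    Shell base & "\Edlacar\w.exe", vbHide
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = r"""
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
    MsgBox "Report formatted"
End Sub
"""

# (name, regex, weight). Weights are an assumption of this example: the steps
# closest to "binary from hidden control -> disk -> execution" count the most.
INDICATORS = [
    ("auto_exec",       r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", 1),
    ("mkdir",           r"\bMkDir\b", 1),
    ("arch_check",      r"PROCESSOR_ARCHITECTURE|\bWin64\b|ProgramW6432", 2),
    ("payload_in_form", r"\bTextBox\d*\s*\.\s*(Text|Value)\b", 3),
    ("binary_write",    r"\bFor\s+Binary\b|\bPut\s+#", 2),
    ("unzip",           r"\.zip\b|Shell\.Application|\bCopyHere\b", 2),
    ("shell_exec",      r"\bShell\s*\(|\bShell\s+\S|WScript\.Shell", 3),
]


def scan_vba(source: str) -> dict:
    """Score VBA source against the dropper indicators and return hits, score, verdict."""
    hits = {name: bool(re.search(pat, source, re.IGNORECASE))
            for name, pat, _ in INDICATORS}
    score = sum(w for name, _, w in INDICATORS if hits[name])
    # The chain the article describes needs, at minimum, a payload sourced from a
    # form control, staged on disk (raw write or zip) and then executed. Require
    # all three before calling it a dropper; noisy-but-benign macros often trip
    # one or two indicators on their own.
    staged = hits["binary_write"] or hits["unzip"]
    chain = hits["payload_in_form"] and staged and hits["shell_exec"]
    if chain:
        verdict = "dropper_chain"
    elif score >= 5:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"hits": hits, "score": score, "verdict": verdict}


def mkdir_targets(source: str) -> list:
    """Return the directory names a macro creates with MkDir (handy as host IOCs)."""
    return re.findall(r'\bMkDir\b[^\n]*?"\\?([A-Za-z0-9_]+)"', source, re.IGNORECASE)


if __name__ == "__main__":
    # Pass a file of extracted VBA source as argv[1]; otherwise scan the sample.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_VBA
    result = scan_vba(text)
    print("verdict:", result["verdict"], "score:", result["score"])
    print("directories created:", mkdir_targets(text))
    for name, hit in result["hits"].items():
        print(f"  {'[x]' if hit else '[ ]'} {name}")
```

The verdict deliberately keys on the three-step chain rather than on the raw score, so a macro that merely opens a file or calls Shell is reported as suspicious, not as a dropper; the directory names pulled out by mkdir_targets are the kind of artifact worth hunting for on endpoints once a sample is confirmed.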