Cybersecurity Threat Spotlight

CrimsonRat, AvosLocker & MaliBot

Artsiom Holub
Updated — October 26, 2023 • 5 minute read

In the latest edition of the Cybersecurity Threat Spotlight, the Cisco Secure threat analysts examine the expansion of an advanced persistent threat (APT) group, the evolution of a ransomware-as-a-service (RaaS) offering, and the rise of mobile malware.

Want to learn more about how Cisco Umbrella can help protect your network against threats like these? Sign up for a free trial today!


CrimsonRAT

Threat Type: RAT

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for CrimsonRAT. The chain is as follows: Malspam to Malicious Document to CrimsonRAT to Command and Control. The graphic indicates that Cisco Secure products protect users from malicious documents and command and control.

Description: CrimsonRAT is a remote access Trojan used to take remote control of infected systems and steal data. We know this particular RAT is used by the Transparent Tribe APT group. CrimsonRAT’s targets include educational, governmental and military entities in the Indian subcontinent. The main goal of operations is to steal sensitive information and establish long-term access into a compromised network. The malware also has the following capabilities:

  • Enumerating the processes running on the system
  • Enumerating the drives, directories, and files on the system
  • Collecting host names and user IDs, and capturing screenshots
  • Retrieving data from the C2 server, connecting to it over custom ports

CrimsonRAT Spotlight: Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. This indicates that the APT is actively expanding its network of victims to include civilian users. The attacks result in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access to victim networks. Transparent Tribe is suspected to have links to Pakistan and has been known to use its CrimsonRAT implant against human rights activists in Pakistan.

Target Geolocations: India, Afghanistan, Pakistan
Target Data: Credentials from Web Browsers, Data from Removable Media, Local Email Collection
Target Businesses: Government Sector, Military, Educational Institutions
Exploits: N/A

MITRE ATT&CK for CrimsonRAT

Initial Access:
Phishing

Persistence:
Registry Run Keys/Startup Folder

Evasion:
Impair Defense

Collection:
Screen Capture
Input Capture: Keylogging

Discovery:
File and Directory Discovery
Process Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery

Command and Control:
Ingress Tool Transfer

Exfiltration:
Exfiltration Over Command and Control Channel using Non-Application Layer Protocol

IOCs

IPs:
192[.]3[.]99[.]68
198[.]37[.]123[.]126

Domains:
studentsportal[.]live
geo-news[.]tv
cloud-drive[.]store
user-onedrive[.]live
drive-phone[.]online
studentsportal[.]co
studentsportal[.]website
nsdrive-phone[.]online
statefinancebank[.]com
in[.]statefinancebank[.]com
centralink[.]online
cloud-drive[.]geo-news[.]tv
drive-phone[.]geo-news[.]tv
studentsportal[.]geo-news[.]tv
user-onedrive[.]geo-news[.]tv
studentsportal[.]live[.]geo-news[.]tv
phone-drive[.]online[.]geo-news[.]tv
sunnyleone[.]hopto[.]org
swissaccount[.]ddns[.]net

URLs:
hxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm
hxxps[://]studentsportal[.]website/download[.]php?file=5-mar[.]zip

Additional Information:
Transparent Tribe begins targeting education sector in latest campaign

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


AvosLocker

Threat Type: Ransomware

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for AvosLocker. The chain is as follows: vulnerable server to Log4Shell exploit to mimikatz to cobalt strike to AvosLocker. The graphic indicates that Cisco Secure products protect users from Cobalt Strike.

Description: Well-funded and financially motivated, the Avos ransomware group has been active since June 2021, when it initially targeted Windows machines. More recently, a new variant of the ransomware AvosLocker – named after the group – has been spotted targeting Linux environments. The Avos group follows the ransomware-as-a-service (RaaS) model, an affiliate program used to recruit potential partners. The announcement of its program describes the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion.

AvosLocker Spotlight: In a recent customer engagement, Cisco Talos observed a month-long AvosLocker campaign. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell. Several vulnerabilities associated with Log4j were found:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105
  • CVE-2021-44832

These vulnerabilities can potentially allow remote code execution on Unified Access Gateways as the low-privilege, non-root user “gateway.” Once the attackers had established a foothold on the customer’s network through these initial servers, they used several different tools – including Cobalt Strike, Sliver, and multiple commercial network scanners – to deploy AvosLocker.

Target Geolocations: Any
Target Data: Any
Target Business: Any
Exploits: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

MITRE ATT&CK for AvosLocker

Initial Access:
Exploit Public-Facing Application
Valid Accounts

Execution:
Command and Scripting Interpreter
Software Deployment Tools

Persistence:
Create Account
Boot or Logon Autostart Execution

Defense Evasion:
Modify Registry
Impair Defense
Deobfuscate/Decode Files or Information
Indicator Removal on Host

Credential Access:
OS Credential Dumping
Unsecured Credentials
Credentials from Password Stores

Discovery:
File and Directory Discovery
Network Share Discovery
Process Discovery
Remote System Discovery

Lateral Movement:
Remote Services
Software Deployment Tools

Command and Control:
Remote Access Software

Impact:
Data Encrypted for Impact
Service Stop
Inhibit System Recovery
Defacement

IOCs

Hashes:
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
cee38fd125aa3707dc77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b

URLs:
hxxp[://]45[.]136[.]230[.]191:4000/D234R23

IPs:
176[.]113[.]115[.]107
45[.]136[.]230[.]191

Additional Information:
Avos ransomware group expands with new attack arsenal

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


MaliBot

Threat Type: Mobile Trojan

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for MaliBot.

Description: MaliBot is a mobile Trojan that targets Android users. Delivered via phishing text messages or Trojanized apps, this malware can steal credentials, cookies, MFA codes, and cryptocurrency wallets. Stealing MFA codes lets it bypass multi-factor authentication; it can also remotely control infected devices using a VNC server implementation, run and delete applications on demand, steal and send SMS messages, and carry out injection/overlay attacks.

MaliBot Spotlight: Security researchers recently discovered a new strain of Android malware which they have dubbed “MaliBot.” Its main targets include online banking customers in Spain and Italy. MaliBot can steal credentials and cookies. It can also bypass multi-factor authentication (MFA) by stealing one-time codes, and it can remotely control infected devices using a VNC server implementation.

MaliBot’s command and control (C2) is in Russia and it appears to use the same servers that were used to distribute the Sality malware. Distribution of MaliBot occurs in one of two ways: by attracting victims to fraudulent websites – where they are tricked into downloading the malware – or by directly sending SMS phishing messages to mobile phone numbers.

Thus far, the malware actors have created two campaigns – “Mining X” and “TheCryptoApp” – each of which has a website with a download link to the malware. As with much other Android malware, MaliBot performs most of its malicious operations by abusing Android’s Accessibility API. MaliBot also collects information from the infected device, including its IP, AndroidID, model, language, and installed application list.

MaliBot is part of a trend of mobile malware on the rise, and users should be aware of it.

Target Geolocations: Spain, Italy
Target Data: User Credentials, Cryptocurrency Wallet Data, SMS Messages, Personal Data, Financial Information
Target Businesses: N/A
Exploits: N/A

MITRE ATT&CK for MaliBot

Initial Access:
Phishing
Trojanized Apps

Execution:
Native API

Persistence:
Foreground Persistence
Event Triggered Execution

Evasion:
Foreground Persistence
Hide Artifacts
Input Injection
Native API
Virtualization/Sandbox Evasion: System Checks

Credential Access:
Access Notifications
Clipboard Data
Input Capture

Discovery:
File and Directory Discovery
Process Discovery
Software Discovery
System Information Discovery

Collection:
Access Notifications
Call Control
Clipboard Data
Input Capture
Protected User Data
Screen Capture

Command and Control:
Application Layer Protocol: Web Protocols

Exfiltration:
Exfiltration Over C2 Channel

IOCs

IP:
5[.]101[.]0[.]44

Domains:
mining-x[.]tech
mycrypto-app[.]com
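The IOC lists for all three threats above are published defanged (`[.]` for dots, `hxxp` for `http`), so they cannot be dropped straight into a blocklist or a log search. The following Python script is an added example, not Cisco's or Talos's code: it refangs a subset of the indicators copied from the lists above, classifies them by type, and matches them against DNS, proxy and EDR log lines. The log lines and their key=value format are constructed for illustration; a domain indicator is also treated as matching its subdomains, and the host of each URL indicator is added as an indicator in its own right.

```python
"""Refang and match the defanged indicators from this spotlight.

Added example (not Cisco's or Talos's code). The indicator subset is copied
from the IOC lists on the page; the log lines are constructed for illustration
and the key=value log format is an assumption.
"""
import re
from urllib.parse import urlsplit

# Subset of the defanged indicators published on this page.
DEFANGED_IOCS = """
192[.]3[.]99[.]68
studentsportal[.]live
geo-news[.]tv
user-onedrive[.]geo-news[.]tv
hxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm
hxxp[://]45[.]136[.]230[.]191:4000/D234R23
mining-x[.]tech
cee38fd125aa3707DC77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b
"""

# Constructed DNS / proxy / EDR log lines in an assumed key=value format.
SAMPLE_LOG = """\
2023-10-26T10:01:02Z type=dns client=10.0.0.5 qname=studentsportal.live qtype=A
2023-10-26T10:02:10Z type=dns client=10.0.0.7 qname=user-onedrive.geo-news.tv qtype=A
2023-10-26T10:03:00Z type=dns client=10.0.0.9 qname=www.example.com qtype=A
2023-10-26T10:05:00Z type=proxy client=10.0.0.12 url=http://45.136.230.191:4000/D234R23 status=200
2023-10-26T10:06:30Z type=proxy client=10.0.0.5 url=https://studentsportal.live/download.php?file=Mental_Health_Survey.docm status=200
2023-10-26T10:07:00Z type=edr host=ws-14 sha256=CEE38FD125AA3707DC77351DDE129DBA5E5AA978B9429EF3E09A95EBF127B46B action=quarantine
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(token):
    """Undo the defanging used on the page: [.] -> ., [://] -> ://, hxxp -> http."""
    t = token.strip().replace("[.]", ".").replace("[:]", ":").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)


def classify(ioc):
    """Return (kind, normalised value); matching is case-insensitive throughout."""
    ioc = ioc.lower()
    if SHA256_RE.match(ioc):
        return "sha256", ioc
    if IPV4_RE.match(ioc):
        return "ip", ioc
    if "://" in ioc:
        return "url", ioc
    return "domain", ioc


def parse_iocs(text):
    """Build per-type indicator sets; the host of every URL indicator is added too."""
    iocs = {"sha256": set(), "ip": set(), "url": set(), "domain": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value = classify(refang(line))
        iocs[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                host_kind, host_value = classify(host)
                iocs[host_kind].add(host_value)
    return iocs


def domain_matches(name, domains):
    """True when name is an indicator domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_line(line, iocs):
    """Return the (kind, indicator) pairs that a single log line matches."""
    fields = dict(KV_RE.findall(line))
    hits = []
    qname = fields.get("qname")
    if qname and domain_matches(qname, iocs["domain"]):
        hits.append(("domain", qname.lower().rstrip(".")))
    url = fields.get("url")
    if url:
        url = url.lower()
        if url in iocs["url"]:
            hits.append(("url", url))
        host = urlsplit(url).hostname
        if host in iocs["ip"]:
            hits.append(("ip", host))
        elif host and domain_matches(host, iocs["domain"]):
            hits.append(("domain", host))
    dst = fields.get("dst")
    if dst and dst in iocs["ip"]:
        hits.append(("ip", dst))
    digest = fields.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(("sha256", digest.lower()))
    return hits


def scan(log_text, iocs):
    """Return (line_number, hits) for every log line with at least one hit."""
    results = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = match_line(line, iocs)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    indicators = parse_iocs(DEFANGED_IOCS)
    for number, hits in scan(SAMPLE_LOG, indicators):
        print(f"line {number}: {hits}")
```

Replace `DEFANGED_IOCS` with the full lists from the page and feed real DNS or proxy exports to `scan()`; the subdomain rule is what makes a single entry such as `geo-news[.]tv` cover the many CrimsonRAT hostnames under it.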

Additional Information:
F5 Labs Investigates MaliBot

Which Cisco Secure Products Can Block:
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance
