Mental health survey drops a Remote Access Trojan

May 2, 2022

This week the Sonicwall Capture Labs Research team has come across a malicious document template which delivered a remote access Trojan to unsuspecting victims. It guises as a mental health survey which silently drops a RAT in the background.


Infection Cycle:

The file comes as a Microsoft Word template file with a dotm extension. Once opened in word it displays a seemingly benign survey on mental health.

It creates a file in the following directory:

  • /ProgramData/C0E2/     [Detected as: Crimson.RAT]

It then executes the aforementioned file which performed malicious behaviors.

It spawns a legitimate application fondue.exe to perform the system reconnaissance.

Such as checking the computer name -

And finding out system languages -

And checks for numerous security settings if available in the system.

There was no network activity observed during the analysis however the Trojan has a hardcoded C&C server its strings.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.APT (Trojan)
  • GAV: Crimson.RAT (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.