From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
LevelBlue detected and contained a multi-stage intrusion that used a logistics-themed spear-phishing lure to deliver the CrySome RAT through staged downloads, PowerShell abuse, AMSI bypass, and Defender tampering. The operation ended with persistent remote access, browser credential theft, and C2 communication to 193.26.115[.]42:5555, while reusing tools and infrastructure such as WinDefCtl, signindat[.]com, and kvckiller.sys. #CrySomeRAT #WinDefCtl #signindatcom #kvckillersys #LevelBlue

Keypoints

  • The intrusion began with a spear-phishing email impersonating a freight rate confirmation and linking to a fake portal on signindat[.]com.
  • Clicking the lure downloaded a batch file that launched hidden PowerShell, bypassed execution policy, and patched AMSI in memory.
  • A first-stage loader, ElevatorShellCode.exe, attempted UAC bypass through ICMLuaUtil before fetching and executing the next stage in memory.
  • The second-stage PowerShell script created logs, added Microsoft Defender exclusions, deployed WinDefCtl, and launched the final payload.
  • WinDefCtl was used to weaken Microsoft Defender by manipulating IFEO settings and loading kvckiller.sys to stop security processes.
  • CrySome RAT established persistence via a scheduled task named CrysomeLoader and provided remote access, command execution, reconnaissance, and credential theft.
  • The malware targeted Chromium browsers, injecting abe_decrypt.dll to extract passwords.json and cookies.json for exfiltration.

MITRE Techniques

  • [T1566.002 ] Phishing: Spearphishing Link – The victim received a logistics-themed lure that directed them to a fake document portal (‘the email impersonated a legitimate freight rate confirmation and directed the recipient to hxxps://signindat[.]com’).
  • [T1204.002 ] User Execution: Malicious File – The user was tricked into downloading and running the batch file (‘Clicking Download Rate Confirmation does not deliver a PDF as expected. Instead, the site downloads a batch file’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell was used with hidden windows, execution-policy bypass, in-memory execution, and payload staging (‘launches a hidden PowerShell process with -ExecutionPolicy Bypass’, ‘executes it in memory using IEX’).
  • [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – The loader attempted privilege escalation using ICMLuaUtil (‘attempts privilege elevation using the ICMLuaUtil UAC bypass technique’).
  • [T1562.001 ] Impair Defenses – The actor patched AMSI, added Defender exclusions, and ran WinDefCtl/AVKiller to weaken endpoint security (‘patches AMSI in memory’, ‘adds Microsoft Defender exclusions’, ‘used to weaken Microsoft Defender’).
  • [T1036.005 ] Masquerading: Match Legitimate Name or Location – The attacker renamed update.exe to svchost.exe and ran it from a user-writable temp folder (‘saved as %TEMP%svchost.exe’, ‘execution from %TEMP% is anomalous’).
  • [T1105 ] Ingress Tool Transfer – Multiple payloads and the decoy PDF were downloaded from attacker-controlled infrastructure (‘downloads the next-stage payload’, ‘downloads update.exe’, ‘downloads the primary payload’, ‘downloads a legitimate-looking freight rate confirmation PDF’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence was achieved by creating a recurring scheduled task (‘creates a scheduled task named CrysomeLoader’, ‘execute the current client executable every five minutes’).
  • [T1546.012 ] Event Triggered Execution: Image File Execution Options Injection – WinDefCtl used IFEO manipulation as part of Defender interference (‘leverages Image File Execution Options (IFEO) manipulation’).
  • [T1055 ] Process Injection – The credential module injected abe_decrypt.dll into browser processes (‘injects abe_decrypt.dll’, ‘into Chromium-based browser processes’).
  • [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – Stored browser credentials and cookies were extracted (‘retrieving decrypted passwords.json and cookies.json files’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The malware used HTTP(S) to retrieve staged payloads and connect to infrastructure (‘downloads stage.ps1 from the attacker-controlled infrastructure’, ‘C2 endpoint (193.26.115[.]42:5555)’).
  • [T1219 ] Remote Access Software – CrySome RAT provided persistent remote access and operator control (‘features including HVNC, remote command execution, system reconnaissance, and credential theft’).

Indicators of Compromise

  • [Domain/URL ] phishing and payload hosting infrastructure – signindat[.]com, hxxps://signindat[.]com/patch.exe, and 2 more URLs
  • [Email address ] phishing sender used in lure – [email protected]
  • [IP address ] command-and-control server – 193.26.115[.]42, 193.26.115[.]42:5555
  • [SHA-256 hash ] batch file and loader samples – ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4, 53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff
  • [SHA-256 hash ] stage and payload binaries – ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd, b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3
  • [SHA-256 hash ] final payload and driver – c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a, ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8
  • [File name ] dropped and executed artifacts – Rate_Confirmation_LD-2026-0847.bat, ElevatorShellCode.exe, patch_diag.exe, and xeno_diag.log
  • [File name ] credential theft artifacts – abe_decrypt.dll, passwords.json, cookies.json, and svchost.exe running from %TEMP%
  • [Persistence artifact ] scheduled task and command – CrysomeLoader, schtasks.exe /create /tn “CrysomeLoader” /tr “C:UsersAppDataLocalTemppatch_diag.exe” /sc minute /mo 5 /f
  • [Registry path ] Defender tampering locations – HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options, IFEO Debugger entries for PSUAMain.exe, avp.exe, avpui.exe, and ekrn.exe


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis