ASEC reports that the Crysis threat actor is deploying Venus ransomware in attacks, using RDP to access externally exposed systems and then dropping multiple malware strains. The operation leverages NirSoft tools and Mimikatz for credential access, conducts network scanning, and moves laterally to encrypt endpoints with ransom notes left behind. #CrysisRansomware #VenusRansomware #Mimikatz #NirSoft #RDP #AhnLab
Keypoints
- RDP is the primary attack vector, used both for initial access and for lateral movement to other systems.
- The actor alternates between Crysis and Venus ransomware, encrypting systems and leaving ransom notes.
- NirSoft utilities and Mimikatz are deployed to collect credentials and facilitate lateral movement.
MITRE Techniques
- [T1021.001] Remote Services: RDP - "Threat actors can use the obtained account credentials to log in to the system through RDP, allowing them to gain control over the system in question and perform a variety of malicious actions."
- [T1046] Network Service Scanning - "After the threat actor takes over the system via RDP, the above tools are used to scan the network to check if the infected system is part of a specific network."
- [T1003] Credential Dumping - "Mimikatz can be used in this process."
- [T1486] Data Encrypted for Impact - "The threat actor ultimately executed Crysis to encrypt the system, and after recognizing failure after a few hours, retried the attack using Venus."
- [T1490] Inhibit System Recovery - "Deletes volume shadow copies."
Indicators of Compromise
- [File Name] context - 1.exe_, bild.exe_
- [MD5] context - 67b1a741e020284593a05bc4b1a3d218, 786ce74458720ec55b824586d2e5666d
- [Email] threat actor contact - datacentreback@msgsafe[.]io, [email protected]
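As an added triage example (not from the ASEC report or AhnLab), the following Python correlates the two observables this summary gives defenders: an RDP logon (Windows event 4624, logon type 10) from outside the organisation's own ranges, followed on the same host by a process-creation event (4688) whose file name or MD5 matches the IoCs listed above. The event fields, the sample events and the internal network ranges are constructed assumptions; only the hashes and file names come from the page.

```python
import ipaddress
from collections import defaultdict

# IoCs as listed in the summary above
IOC_MD5 = {"67b1a741e020284593a05bc4b1a3d218", "786ce74458720ec55b824586d2e5666d"}
IOC_NAMES = {"1.exe_", "bild.exe_"}

# Assumption: these are the organisation's internal ranges; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (simplified Security-log fields), not real telemetry.
EVENTS = [
    {"host": "srv01", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"host": "srv01", "id": 4688, "image": r"C:\Users\admin\Desktop\1.exe_",
     "md5": "67b1a741e020284593a05bc4b1a3d218"},
    {"host": "ws02", "id": 4624, "logon_type": 10, "src_ip": "10.0.0.5", "user": "bob"},
    {"host": "ws02", "id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "md5": "0123456789abcdef0123456789abcdef"},
]


def is_external(ip: str) -> bool:
    """True when the source address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Per-host findings: external RDP logons and executions of known IoC files."""
    findings = defaultdict(list)
    for e in events:
        host = e["host"]
        if e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e["src_ip"]):
            findings[host].append(f"external RDP logon by {e['user']} from {e['src_ip']}")
        elif e["id"] == 4688:
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if e.get("md5", "").lower() in IOC_MD5 or name in IOC_NAMES:
                findings[host].append(f"IoC executed: {e['image']} (md5 {e.get('md5')})")
    return dict(findings)


def hosts_with_chain(events):
    """Hosts showing BOTH an external RDP logon and an IoC execution: triage these first."""
    return sorted(
        host for host, items in triage(events).items()
        if any(i.startswith("external RDP") for i in items)
        and any(i.startswith("IoC") for i in items)
    )


if __name__ == "__main__":
    for host, items in triage(EVENTS).items():
        print(host, items)
    print("priority hosts:", hosts_with_chain(EVENTS))
```

In the constructed sample only srv01 shows the full chain; ws02's RDP logon comes from an internal address and its process has no IoC match, so it produces no finding.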
Read more: https://asec.ahnlab.com/en/54937/